python-memcache (and therefore) token memcache persistence driver does not support ipv6
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Won't Fix | Wishlist | Unassigned |
openstack-manuals | Won't Fix | Undecided | Unassigned |
Bug Description
(morganfainberg):
OpenStack Manuals (for both Master and Kilo) need to be updated to eliminate the recommendation to use the memcache token persistence backend. The memcache token persistence backend is a poor choice due to performance concerns of the code itself, the fact that it is assumed that the token backend is stable storage (memcached is not) and can expose security concerns if restarted in some scenarios (PKI tokens and revoked tokens becoming valid again), and finally that the python-memcache library is all around poor (it will not work with IPv6 and is not Python3 compatible, among other poor design choices).
=======
The memcache backend driver that utilizes "python-memcache" does not support IPv6.
I have included three scenarios (A, B and C) that will reproduce the bug and a control test that succeeds with the same configuration using an IPv4-resolving hostname.
To reproduce scenario A: Bare IPv6 address in config
1) Configure keystone according to http://
2) In section [memcache] in /etc/keystone/
servers = 2001:db8:
3) Restart keystone/apache
4) Attempt to issue token:
openstack --os-auth-url http://
ERROR: openstack An unexpected error prevented the server from fulfilling your request: Unable to parse connection string: "2001:db8:
To reproduce scenario B: IPv6 address enclosed in brackets
1) Configure keystone according to http://
2) In section [memcache] in /etc/keystone/
servers = [2001:db8:
3) Restart keystone/apache
4) Attempt to issue token:
openstack --os-auth-url http://
ERROR: openstack An unexpected error prevented the server from fulfilling your request: Unable to parse connection string: "[2001:
To reproduce scenario C: hostname that resolves to IPv6-only address
1) Configure keystone according to http://
2) In section [memcache] in /etc/keystone/
servers = keystone-
3) Edit /etc/hosts:
2001:db8:
2001:db8:
2001:db8:
3) Restart keystone/apache
4) Attempt to issue token:
openstack --os-auth-url http://
Password:
ERROR: openstack Maximum lock attempts on _lockusertokens
Control test:
1) Configure keystone according to http://
2) In section [memcache] in /etc/keystone/
servers = keystone-
3) Edit /etc/hosts:
192.168.0.15 keystone-1
192.168.0.14 keystone-2
192.168.0.16 keystone-3
3) Restart keystone/apache
4) Attempt to issue token:
openstack --os-auth-url http://
Password:
+------
| Field | Value |
+------
| expires | 2015-06-
| id | 2a188e9950f44de
| project_id | 91bb6f536fca40a
| user_id | 30dbbe8174b2417
+------
A workaround is to change to a more capable memcached library for the token persistence backend, for example pylibmc.
I will propose a patch that at least makes this configurable.
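
A pre-flight check for the three failing forms in the report (bare IPv6, bracketed IPv6, hostname resolving only to IPv6), as an added example that is not part of the original bug report and is not keystone or python-memcache code. It assumes `servers` is a comma-separated list; the function names, the sample addresses, the `.example` hostnames and the offline resolver are constructed for illustration.

```python
import ipaddress
import socket

DEFAULT_PORT = 11211  # memcached's default port


def split_host_port(entry):
    """Split one entry into (host, port): host, host:port, bare IPv6,
    [IPv6] or [IPv6]:port."""
    entry = entry.strip()
    if entry.startswith("["):  # bracketed form (scenario B)
        host, close, rest = entry[1:].partition("]")
        if not close or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address: %r" % entry)
        return host, int(rest[1:]) if rest else DEFAULT_PORT
    if entry.count(":") > 1:  # bare IPv6 literal (scenario A), no port possible
        return entry, DEFAULT_PORT
    host, colon, port = entry.partition(":")
    return host, int(port) if colon else DEFAULT_PORT


def classify(entry, resolve=socket.getaddrinfo):
    """Return 'ipv4-literal', 'ipv6-literal', 'ipv6-only-name' or 'ipv4-name'."""
    host, port = split_host_port(entry)
    try:
        version = ipaddress.ip_address(host).version
        return "ipv6-literal" if version == 6 else "ipv4-literal"
    except ValueError:
        pass  # not an address literal, so treat it as a hostname
    families = {info[0] for info in resolve(host, port, 0, socket.SOCK_STREAM)}
    return "ipv6-only-name" if families == {socket.AF_INET6} else "ipv4-name"


def audit(servers, resolve=socket.getaddrinfo):
    """Map each comma-separated entry of a `servers` value to its class."""
    return {e.strip(): classify(e, resolve) for e in servers.split(",") if e.strip()}


def sample_resolve(host, port, family=0, socktype=0):
    """Constructed offline resolver standing in for /etc/hosts lookups."""
    table = {"cache-v6.example": socket.AF_INET6, "cache-v4.example": socket.AF_INET}
    return [(table[host], socktype, 6, "", ("constructed", port))]


if __name__ == "__main__":
    # Constructed sample value, one entry per form discussed in the report.
    sample = "2001:db8::10, [2001:db8::11]:11211, cache-v6.example:11211, cache-v4.example:11211"
    for entry, kind in audit(sample, sample_resolve).items():
        print("%-28s %s" % (entry, ("AFFECTED " if "ipv6" in kind else "ok ") + kind))
```

Any entry classified with `ipv6` in its name matches one of scenarios A to C; calling `audit()` without the second argument uses the system resolver instead of the constructed one.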