the PKI token generated by v3 api is too long

Bug #1186177 reported by Rui Chen on 2013-05-31
Affects: python-keystoneclient | Importance: Medium | Assigned to: Adam Young

Bug Description

with keystone v3 api only

I generated a PKI token with the v3 API; the token length is 17160 chars. Then I described a server from nova with the long token in the HTTP header, and nova's response was "400 Header Line Too Long". I checked the nova eventlet module source code: eventlet's wsgi.py checks the HTTP header length, the default value is MAX_HEADER_LINE = 8192, and eventlet raises an HTTP 400 when the header length is too long.

A token generated by the v2 API is OK in the same case; the v2 token length is 4108.

Dolph Mathews (dolph) wrote :
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Kai Qiang Wu(Kennan) (wkqwu) wrote :

Same issue, it still exists and is not resolved.

Dolph Mathews (dolph) wrote :

The API is now available to resolve this, however it's not being used anywhere, yet. Instead of generating a scoped v3 token using:

  POST /v3/auth/tokens

Clients can now instead call:

  POST /v3/auth/tokens?nocatalog

... which will produce a much smaller PKI token (the catalog represents the bulk of the current token's size).

information type: Public → Public Security
information type: Public Security → Public
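The bug description and Dolph's comment above describe two things a client or middleware author can check for directly: whether an X-Auth-Token header line would exceed eventlet's default MAX_HEADER_LINE of 8192, and how to request the compact token by adding the nocatalog flag to the v3 auth URL. The script below is an added example written for this page; it is not code from the bug thread, python-keystoneclient or eventlet. It assumes a Python 3 environment, the default domain name "default" and the pubnode:5000 URL used in the thread, and its header-length check is an approximation of eventlet's behaviour (a line whose wire encoding reaches the limit is treated as too long), not eventlet's own code. The token strings are constructed filler with the lengths quoted in the thread, not real PKI tokens.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Default single-header-line limit in eventlet's wsgi.py, as quoted in the
# bug report. The check below treats a header line whose "Name: value\r\n"
# encoding reaches this many bytes as too long; that is an approximation
# of eventlet's behaviour, not a copy of its code.
MAX_HEADER_LINE = 8192


def v3_password_auth_body(user, password, project, domain="default"):
    """Build a v3 password-auth request body scoped to a project.

    Same structure as the JSON posted in the thread; the domain name is an
    assumption ("default", as in the posted script).
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user,
                        "password": password,
                        "domain": {"name": domain},
                    }
                },
            },
            "scope": {
                "project": {"domain": {"name": domain}, "name": project}
            },
        }
    }


def with_nocatalog(auth_url):
    """Return auth_url with the nocatalog flag in its query string.

    Idempotent: a URL that already carries the flag is returned unchanged.
    The bare key is used, matching the URL form Dolph gives above.
    """
    parts = urlsplit(auth_url)
    keys = [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv]
    if "nocatalog" in keys:
        return auth_url
    query = parts.query + "&nocatalog" if parts.query else "nocatalog"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query,
                       parts.fragment))


def header_line_length(name, value):
    """Byte length of one header line as it travels on the wire."""
    return len(f"{name}: {value}\r\n".encode("latin-1", "replace"))


def oversized_header_lines(headers, limit=MAX_HEADER_LINE):
    """Names of headers whose wire line reaches `limit` bytes.

    `headers` is an iterable of (name, value) pairs: what a client is about
    to send, or what a front end has just parsed and wants to reject early
    with a clear error instead of eventlet's generic 400.
    """
    return [name for name, value in headers
            if header_line_length(name, value) >= limit]


if __name__ == "__main__":
    # Constructed stand-ins with the token lengths quoted in the thread.
    samples = [
        ("v2 token", "A" * 4108),
        ("v3 token with catalog", "A" * 17160),
        ("v3 token, ?nocatalog", "A" * 1196),
    ]
    for label, token in samples:
        too_long = oversized_header_lines([("X-Auth-Token", token)])
        print(f"{label}: header line {header_line_length('X-Auth-Token', token)}"
              f" bytes, rejected={bool(too_long)}")
    print(with_nocatalog("http://pubnode:5000/v3/auth/tokens"))
    print(json.dumps(v3_password_auth_body("admin", "password", "demo"), indent=2))
```

Running the script shows that only the 17160-char token produces a header line over the limit, while both the v2 token and the nocatalog v3 token fit. The caveat from later in this thread still applies: a service whose middleware reads the service catalog out of the token (the climate trace below ends in ServiceCatalogNotFound) cannot be pointed at nocatalog tokens without changing how it obtains the catalog.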
Raphael.G (raphael-g) wrote :

Concerns the v2 as well

Hua Zhang (zhhuabj) wrote :

This is the output of my test program below, so this issue can be indirectly resolved by using v3/auth/tokens?nocatalog instead of v3/auth/tokens, as Dolph said. Please mark it as "Won't Fix", thanks.

TOKEN_LEN: 1196 when using http://pubnode:5000/v3/auth/tokens?nocatalog
TOKEN_LEN: 10220 when using http://pubnode:5000/v3/auth/tokens

import urllib2
import json

user = 'admin'
password = 'password'
project = 'demo'

def token_v3(auth_url='http://pubnode:5000/v3/auth/tokens?nocatalog'):
    # POST a v3 password authentication request scoped to `project`;
    # the token itself is returned in the X-Subject-Token response header.
    auth_request = urllib2.Request(auth_url)
    auth_request.add_header('Content-Type', 'application/json; charset=utf-8')
    auth_request.add_header('Accept', 'application/json')
    auth_request.add_header('User-Agent', 'python-client')
    auth_data = {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "name": user,
                        "password": password,
                        "domain": {
                            "name": "default"
                        }
                    }
                }
            },
            "scope": {
                "project": {
                    "domain": {
                        "name": "default"
                    },
                    "name": project
                }
            }
        }
    }
    auth_request.add_data(json.dumps(auth_data))
    auth_response = urllib2.urlopen(auth_request)
    token = auth_response.info().getheader('X-Subject-Token')
    return token

if __name__ == '__main__':
    # Compare token sizes with and without the service catalog in the token.
    url = 'http://pubnode:5000/v3/auth/tokens?nocatalog'
    token = token_v3(url)
    print "TOKEN_LEN: ", len(token), " when using ", url
    url = 'http://pubnode:5000/v3/auth/tokens'
    token = token_v3(url)
    print "TOKEN_LEN: ", len(token), " when using ", url

Rui Chen (kiwik-chenrui) on 2013-11-19
Changed in keystone:
assignee: nobody → ruichen (kiwik-chenrui)
status: Triaged → Confirmed
Rui Chen (kiwik-chenrui) wrote :

Using v3/auth/tokens?nocatalog instead of v3/auth/tokens.

Changed in keystone:
status: Confirmed → Fix Released

Using v3/auth/tokens?nocatalog instead of v3/auth/tokens doesn't solve the bug and raises a ServiceCatalogNotFound exception.

2014-03-07 17:03:45.629 18821 DEBUG keystoneclient.middleware.auth_token [-] Returning cached token 858ff29d89fbcfbc09f2a48f6f0486db _cache_get /opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py:1046
2014-03-07 17:03:45.629 18821 DEBUG keystoneclient.middleware.auth_token [-] Received request from user: e530c076051043a495a74ba41f83f472 with project_id : 9864755dfaa140a9a3663c33bffe082d and roles: _member_,admin _build_user_headers /opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py:946
2014-03-07 17:03:45.630 18821 DEBUG climate.api.utils [-] Rest.route.decorator.handler, kwargs={} handler /opt/stack/climate/climate/api/utils.py:63
2014-03-07 17:03:45.630 18821 ERROR climate.api [-] Exception on /v1/leases [GET]
2014-03-07 17:03:45.630 18821 TRACE climate.api Traceback (most recent call last):
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
2014-03-07 17:03:45.630 18821 TRACE climate.api response = self.full_dispatch_request()
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
2014-03-07 17:03:45.630 18821 TRACE climate.api rv = self.handle_user_exception(e)
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
2014-03-07 17:03:45.630 18821 TRACE climate.api reraise(exc_type, exc_value, tb)
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
2014-03-07 17:03:45.630 18821 TRACE climate.api rv = self.dispatch_request()
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
2014-03-07 17:03:45.630 18821 TRACE climate.api return self.view_functions[rule.endpoint](**req.view_args)
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/opt/stack/climate/climate/api/utils.py", line 74, in handler
2014-03-07 17:03:45.630 18821 TRACE climate.api with context.ctx_from_headers(flask.request.headers):
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/opt/stack/climate/climate/api/context.py", line 26, in ctx_from_headers
2014-03-07 17:03:45.630 18821 TRACE climate.api raise exceptions.ServiceCatalogNotFound()
2014-03-07 17:03:45.630 18821 TRACE climate.api ServiceCatalogNotFound: Could not find service catalog
2014-03-07 17:03:45.630 18821 TRACE climate.api
10.0.0.1 - - [07/Mar/2014 17:03:45] "GET /v1/leases HTTP/1.1" 500 216 0.006667

Dolph Mathews (dolph) on 2014-03-07
Changed in keystone:
assignee: Rui Chen (kiwik-chenrui) → Adam Young (ayoung)
affects: keystone → python-keystoneclient
Changed in python-keystoneclient:
status: Fix Released → In Progress
Atsuko Ito (yottatsa) wrote :

I have another approach to this issue: removing the service catalog ONLY from the signed payload: https://blueprints.launchpad.net/keystone/+spec/compact-pki-token

Steve Martinelli (stevemar) wrote :

We are no longer pursuing any PKI-related work, as it has been deprecated in Mitaka.

Changed in python-keystoneclient:
status: In Progress → Won't Fix