the PKI token generated by v3 api is too long

Bug #1186177 reported by Rui Chen on 2013-05-31
This bug affects 3 people
Affects: python-keystoneclient
Importance: Medium
Assigned to: Adam Young

Bug Description

With the keystone v3 API only.

I generated a PKI token with the v3 API; the token length is 17160 chars. I then described a server from nova with the long token in the HTTP header, and nova responded "400 Header Line Too Long". I checked the nova eventlet module source code: eventlet wsgi.py checks the HTTP header line length, the default value is MAX_HEADER_LINE = 8192, and eventlet raises an HTTP 400 when the header line is too long.

A token generated by the v2 API is OK in the same case; the v2 token length is 4108.
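The following is an added example, not code from the bug report: it builds a request shaped like the nova call above and reports which header lines would trip eventlet's default MAX_HEADER_LINE, using the token lengths quoted in this thread (17160, 10220, 4108, 1196). The exact boundary behaviour (>= versus >) and the sample request layout are assumptions; the report only gives the 8192 default.

```python
# Added example (not from the bug report): pre-flight check of HTTP header
# line lengths against eventlet's default MAX_HEADER_LINE, so a client or
# operator can explain a "400 Header Line Too Long" before nova returns it.
MAX_HEADER_LINE = 8192  # eventlet wsgi.py default, as cited in the report


def header_line_length(name, value):
    """Bytes one header line occupies on the wire, CRLF included."""
    return len(("%s: %s\r\n" % (name, value)).encode("utf-8"))


def token_header_fits(token, limit=MAX_HEADER_LINE):
    """True if 'X-Auth-Token: <token>' stays under the per-line limit.
    Treating a line that reaches the limit as too long is an assumption."""
    return header_line_length("X-Auth-Token", token) < limit


def build_request(token, host="nova.example:8774", path="/v2/PROJECT_ID/servers"):
    """Constructed sample GET of the kind nova receives; host/path are placeholders."""
    return (
        "GET %s HTTP/1.1\r\nHost: %s\r\nX-Auth-Token: %s\r\n"
        "Accept: application/json\r\n\r\n" % (path, host, token)
    ).encode("utf-8")


def oversized_header_lines(raw_request, limit=MAX_HEADER_LINE):
    """Parse a raw HTTP/1.1 request and return [(header_name, line_length)]
    for every header line that would be rejected."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line itself
    too_long = []
    for line in lines:
        wire_len = len(line) + 2  # +2 for the CRLF that readline() consumes
        if wire_len >= limit:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
            too_long.append((name, wire_len))
    return too_long


if __name__ == "__main__":
    # Token lengths quoted in the thread; the token bodies are constructed filler.
    for label, size in [("v3 PKI", 17160), ("v3 (10220)", 10220),
                        ("v2 PKI", 4108), ("v3 nocatalog", 1196)]:
        bad = oversized_header_lines(build_request("A" * size))
        print("%-13s %5d chars -> %s" % (label, size, bad or "fits"))
```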

Dolph Mathews (dolph) wrote :
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Kai Qiang Wu(Kennan) (wkqwu) wrote :

The same issue still exists, not resolved.

Dolph Mathews (dolph) wrote :

The API is now available to resolve this; however, it's not being used anywhere yet. Instead of generating a scoped v3 token using:

  POST /v3/auth/tokens

Clients can now instead call:

  POST /v3/auth/tokens?nocatalog

... which will produce a much smaller PKI token (the catalog represents the bulk of the current token's size).

information type: Public → Public Security
information type: Public Security → Public
Raphael.G (raphael-g) wrote :

Concerns the v2 as well

Hua Zhang (zhhuabj) wrote :

This is the output of my test program below, so this issue can be indirectly resolved by using v3/auth/tokens?nocatalog instead of v3/auth/tokens, as Dolph said. Please mark it as "Won't Fix", thanks.

TOKEN_LEN: 1196 when using http://pubnode:5000/v3/auth/tokens?nocatalog
TOKEN_LEN: 10220 when using http://pubnode:5000/v3/auth/tokens

# Python 2 script (urllib2, print statement): request a scoped v3 token
# against a given auth URL and return the token id so its length can be compared.
import urllib2
import json

user = 'admin'
password = 'password'
project = 'demo'

def token_v3(auth_url='http://pubnode:5000/v3/auth/tokens?nocatalog'):
    auth_request = urllib2.Request(auth_url)
    # the original sent 'charset-utf8'; the correct parameter syntax is charset=utf-8
    auth_request.add_header('Content-Type', 'application/json;charset=utf-8')
    auth_request.add_header('Accept', 'application/json')
    auth_request.add_header('User-Agent', 'python-client')
    # password-method authentication, scoped to a project in the default domain
    auth_data = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user,
                        "password": password,
                        "domain": {"name": "default"}
                    }
                }
            },
            "scope": {
                "project": {
                    "domain": {"name": "default"},
                    "name": project
                }
            }
        }
    }
    # add_data() turns the request into a POST
    auth_request.add_data(json.dumps(auth_data))
    auth_response = urllib2.urlopen(auth_request)
    # keystone v3 returns the token id in the X-Subject-Token response header
    token = auth_response.info().getheader('X-Subject-Token')
    return token

if __name__ == '__main__':
    url = 'http://pubnode:5000/v3/auth/tokens?nocatalog'
    token = token_v3(url)
    print "TOKEN_LEN: ", len(token), " when using ", url
    url = 'http://pubnode:5000/v3/auth/tokens'
    token = token_v3(url)
    print "TOKEN_LEN: ", len(token), " when using ", url

Rui Chen (kiwik-chenrui) on 2013-11-19
Changed in keystone:
assignee: nobody → ruichen (kiwik-chenrui)
status: Triaged → Confirmed
Rui Chen (kiwik-chenrui) wrote :

Using v3/auth/tokens?nocatalog instead of v3/auth/tokens.

Changed in keystone:
status: Confirmed → Fix Released
François Rossigneux (frossigneux) wrote :

Using v3/auth/tokens?nocatalog instead of v3/auth/tokens doesn't solve the bug and raises a ServiceCatalogNotFound exception.

2014-03-07 17:03:45.629 18821 DEBUG keystoneclient.middleware.auth_token [-] Returning cached token 858ff29d89fbcfbc09f2a48f6f0486db _cache_get /opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py:1046
2014-03-07 17:03:45.629 18821 DEBUG keystoneclient.middleware.auth_token [-] Received request from user: e530c076051043a495a74ba41f83f472 with project_id : 9864755dfaa140a9a3663c33bffe082d and roles: _member_,admin _build_user_headers /opt/stack/python-keystoneclient/keystoneclient/middleware/auth_token.py:946
2014-03-07 17:03:45.630 18821 DEBUG climate.api.utils [-] Rest.route.decorator.handler, kwargs={} handler /opt/stack/climate/climate/api/utils.py:63
2014-03-07 17:03:45.630 18821 ERROR climate.api [-] Exception on /v1/leases [GET]
2014-03-07 17:03:45.630 18821 TRACE climate.api Traceback (most recent call last):
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
2014-03-07 17:03:45.630 18821 TRACE climate.api response = self.full_dispatch_request()
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
2014-03-07 17:03:45.630 18821 TRACE climate.api rv = self.handle_user_exception(e)
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
2014-03-07 17:03:45.630 18821 TRACE climate.api reraise(exc_type, exc_value, tb)
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
2014-03-07 17:03:45.630 18821 TRACE climate.api rv = self.dispatch_request()
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
2014-03-07 17:03:45.630 18821 TRACE climate.api return self.view_functions[rule.endpoint](**req.view_args)
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/opt/stack/climate/climate/api/utils.py", line 74, in handler
2014-03-07 17:03:45.630 18821 TRACE climate.api with context.ctx_from_headers(flask.request.headers):
2014-03-07 17:03:45.630 18821 TRACE climate.api File "/opt/stack/climate/climate/api/context.py", line 26, in ctx_from_headers
2014-03-07 17:03:45.630 18821 TRACE climate.api raise exceptions.ServiceCatalogNotFound()
2014-03-07 17:03:45.630 18821 TRACE climate.api ServiceCatalogNotFound: Could not find service catalog
2014-03-07 17:03:45.630 18821 TRACE climate.api
10.0.0.1 - - [07/Mar/2014 17:03:45] "GET /v1/leases HTTP/1.1" 500 216 0.006667

Dolph Mathews (dolph) on 2014-03-07
Changed in keystone:
assignee: Rui Chen (kiwik-chenrui) → Adam Young (ayoung)
affects: keystone → python-keystoneclient
Changed in python-keystoneclient:
status: Fix Released → In Progress
Atsuko Ito (yottatsa) wrote :

I have another approach to this issue, removing the service catalog ONLY from the signed payload: https://blueprints.launchpad.net/keystone/+spec/compact-pki-token

Steve Martinelli (stevemar) wrote :

We are no longer pursuing any PKI-related work, as it has been deprecated in Mitaka.

Changed in python-keystoneclient:
status: In Progress → Won't Fix