
yahoo-eng-team team mailing list archive

[Bug 1299130] Re: Encode PKI token (back port changes to Havana)

 

PKI token IDs are either the base64 encoded token itself (for the
purposes of X-Auth-Token / X-Subject-Token), or an MD5 hash of the
base64 encoded token (for the purposes of HTTP resources) (the hash
method likely becoming configurable in Juno or rendered unnecessary by
token compression).

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1299130

Title:
  Encode PKI token (back port changes to Havana)

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Authenticating a user based on a pre-existing PKI token is not supported
  in Havana. PKI tokens are much longer and different from their IDs (id
  column from token table). When PKI tokens are passed as token_id to
  POST …/auth/tokens, it does not encode the PKI token to generate its ID,
  which happens in IceHouse.

  Havana is missing this if statement:

  if isinstance(token_id, six.text_type):
      token_id = token_id.encode('utf-8')

  https://github.com/openstack/keystone/blob/stable/havana/keystone/common/cms.py

  if is_ans1_token(token_id):
      hasher = hashlib.md5()
      hasher.update(token_id)
      return hasher.hexdigest()

  IceHouse version:

  if is_ans1_token(token_id):
      hasher = hashlib.md5()
      if isinstance(token_id, six.text_type):
          token_id = token_id.encode('utf-8')
      hasher.update(token_id)
      return hasher.hexdigest()

  Is it possible to backport these changes into Havana?

  
  More info: 
  https://ask.openstack.org/en/question/25971/is-there-a-rest-api-to-retrieve-token-id-id-column-from-token-table-of-an-pki-token/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1299130/+subscriptions
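
Added example, not part of the original bug report and not Keystone's own code: a Python 3 illustration of the ID derivation discussed above, where a PKI token given as text or as bytes maps to the same hashed ID and a non-PKI token is used as-is. The names short_token_id and hash_without_encoding, the "MII" prefix test, the selectable hash algorithm and the sample tokens are assumptions made for this example.

```python
import base64
import hashlib

# Assumption: a PKI token is recognised by the "MII" prefix that base64 gives
# to a DER SEQUENCE with a two-byte length field.
PKI_PREFIX = "MII"


def short_token_id(token_id, algorithm="md5"):
    """Return the ID used for HTTP resources: the hash of a PKI token, or the
    token itself when it is not a PKI token (for example a UUID token)."""
    is_text = isinstance(token_id, str)
    head = token_id[:3] if is_text else token_id[:3].decode("ascii", "replace")
    if head != PKI_PREFIX:
        return token_id
    # The step the bug report is about: text becomes bytes before hashing.
    data = token_id.encode("utf-8") if is_text else token_id
    return hashlib.new(algorithm, data).hexdigest()


def hash_without_encoding(token_id):
    """Same hashing with the isinstance/encode step left out. On Python 3
    hashlib accepts only bytes, so text input raises TypeError."""
    hasher = hashlib.md5()
    hasher.update(token_id)
    return hasher.hexdigest()


# Constructed samples: DER-like filler bytes, not a real signed token.
SAMPLE_PKI_TEXT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode("ascii")
SAMPLE_UUID = "0123456789abcdef0123456789abcdef"

if __name__ == "__main__":
    print("text input :", short_token_id(SAMPLE_PKI_TEXT))
    print("bytes input:", short_token_id(SAMPLE_PKI_TEXT.encode("ascii")))
    print("sha256     :", short_token_id(SAMPLE_PKI_TEXT, "sha256"))
    print("uuid token :", short_token_id(SAMPLE_UUID))
    try:
        hash_without_encoding(SAMPLE_PKI_TEXT)
    except TypeError as exc:
        print("text input without encoding rejected:", exc)
```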

