yahoo-eng-team team mailing list archive

[Bug 1459382] [NEW] Fernet tokens can fail with LDAP identity backends

 

Public bug reported:

It is possible for Keystone to fail to issue tokens when using an
external identity backend, like LDAP, if the user IDs are of a different
format than UUID. This is because the Fernet token formatter attempts to
convert the UUID to bytes before packing the payload. This is done to
save space and results in a shorter token.

When using an LDAP backend that doesn't use UUID format for the user
IDs, we get a ValueError because UUID can't convert the ID to
UUID.bytes [0]. We have to do something similar with the default
domain in the case that it's not a UUID, same with federated user IDs
[1], which we should probably do in this case.

Related stacktrace [2].


[0] https://github.com/openstack/keystone/blob/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L415
[1] https://github.com/openstack/keystone/blob/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L509
[2] http://lists.openstack.org/pipermail/openstack/2015-May/012885.html

** Affects: keystone
     Importance: High
     Assignee: Lance Bragstad (lbragstad)
         Status: In Progress


** Tags: fernet

** Tags added: fernet

** Changed in: keystone
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1459382

Title:
  Fernet tokens can fail with LDAP identity backends

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1459382/+subscriptions
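The failure mode described in the report, and the "try UUID bytes, otherwise keep the raw string" fallback it points to for the default domain and federated IDs, as an added illustration (example code, not Keystone's own formatter; the function names and the LDAP-style sample ID are assumptions):

```python
import uuid


def legacy_pack(user_id):
    """The behaviour the bug describes: assume every ID is UUID hex.

    Raises ValueError for anything that is not a 32-character hex string,
    e.g. an LDAP uid or DN used as the user ID.
    """
    return uuid.UUID(hex=user_id).bytes


def legacy_pack_fails(user_id):
    """Return True if legacy_pack() would raise ValueError for this ID."""
    try:
        legacy_pack(user_id)
    except ValueError:
        return True
    return False


def pack_id(user_id):
    """Return (is_uuid_bytes, packed) so the payload records which form was used.

    Canonical UUID hex IDs shrink to 16 raw bytes; any other ID is kept as a
    UTF-8 string, so non-UUID identity backends no longer break token issuance.
    """
    try:
        parsed = uuid.UUID(hex=user_id)
    except (ValueError, AttributeError, TypeError):
        return False, user_id.encode('utf-8')
    # uuid.UUID tolerates hyphens, braces and upper case; only take the
    # compact form when the original string can be restored exactly.
    if parsed.hex != user_id:
        return False, user_id.encode('utf-8')
    return True, parsed.bytes


def unpack_id(is_uuid_bytes, packed):
    """Inverse of pack_id(): restore the original user ID string."""
    if is_uuid_bytes:
        return uuid.UUID(bytes=packed).hex
    return packed.decode('utf-8')


if __name__ == '__main__':
    # Constructed sample IDs: one SQL-backend style UUID hex, one LDAP DN.
    for sample in ('0123456789abcdef0123456789abcdef',
                   'cn=alice,ou=users,dc=example,dc=com'):
        flag, packed = pack_id(sample)
        print(sample, '-> legacy fails:', legacy_pack_fails(sample),
              '| packed bytes:', len(packed), '| round-trip:',
              unpack_id(flag, packed) == sample)
```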
