
yahoo-eng-team team mailing list archive

[Bug 1513541] [NEW] Support sub-second accuracy in Fernet's creation timestamp

 

Public bug reported:

The fernet token provider has sub-second format, but it is currently
truncated to .000000Z. This is because the library (pyca/cryptography
[0]) that keystone relies on for generating fernet tokens uses integer
timestamps instead of floats, which loses sub-second accuracy. We should
find a way to support sub-second accuracy in Fernet's creation timestamp
so that we don't hit token revocation edge cases, like the ones
documented here - https://review.openstack.org/#/c/227995/ .

This will likely have to be a coordinated effort between the
cryptography development community and the maintainers of the Fernet
specification [1].

This bug is to track that we include the corresponding fix (via version
bump of cryptography) for keystone.


[0] https://github.com/pyca/cryptography
[1] https://github.com/fernet/spec

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: fernet

** Tags added: fernet

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1513541

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1513541/+subscriptions
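
An added illustration of the truncation described in the bug report (not code from keystone, pyca/cryptography or the reporter): it lays out the token fields as the Fernet spec defines them using only the standard library, so the ciphertext is constructed filler rather than real AES-CBC output. The key, IV, timestamps and the `is_revoked` comparison are assumptions made for the example, not keystone's revocation logic.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Constructed sample values (assumptions for this example only).
SIGNING_KEY = b"\x01" * 16
IV = b"\x02" * 16
FILLER = b"\x03" * 16          # stands in for the AES-CBC ciphertext
T0 = 1446681600                # 2015-11-05T00:00:00Z

def make_token(issued_at: float) -> bytes:
    """Fernet layout: 0x80 | 64-bit big-endian seconds | IV | ciphertext | HMAC."""
    # The timestamp field is an integer, so int() discards the fraction here.
    body = struct.pack(">BQ", 0x80, int(issued_at)) + IV + FILLER
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)

def creation_time(token: bytes) -> int:
    """Verify the HMAC, then return the creation timestamp in whole seconds."""
    raw = base64.urlsafe_b64decode(token)
    body, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("HMAC mismatch")
    version, seconds = struct.unpack(">BQ", body[:9])
    if version != 0x80:
        raise ValueError("unknown Fernet version")
    return seconds

def issued_at_string(token: bytes) -> str:
    """Render the creation time with a sub-second format, as the report describes."""
    created = datetime.fromtimestamp(creation_time(token), tz=timezone.utc)
    return created.strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def is_revoked(token: bytes, revoked_at: float) -> bool:
    """Hypothetical rule: a token created at or before the event is revoked."""
    return creation_time(token) <= revoked_at

if __name__ == "__main__":
    late = make_token(T0 + 0.9)             # issued 0.4 s AFTER the event below
    print(issued_at_string(late))           # fraction is gone
    print(is_revoked(late, T0 + 0.5))       # ordering within the second is lost
```

Any check that orders a token against an event inside the same second has only the whole-second value to work with, which is why the report asks for the fix to come through the library and the specification.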

