
yahoo-eng-team team mailing list archive

[Bug 1473567] Re: Fernet tokens fail tempest runs

 

Reviewed:  https://review.openstack.org/231191
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=a2c4ebc4fac75c0889489e4bed5a0aa89f8193f1
Submitter: Jenkins
Branch:    master

commit a2c4ebc4fac75c0889489e4bed5a0aa89f8193f1
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Mon Oct 5 20:34:39 2015 +0000

    Fix race condition when changing passwords
    
    This patch makes it so that there is a one second wait when changing a password
    with Keystone. This is done because when we lose sub-second precision with
    Fernet tokens there is the possibility of a token being issued and revoked
    within the same second. Keystone will err on the side of security and return a
    404 NotFound when validating a token that was issued in the same second as a
    revocation event.
    
    For example, it is possible for a revocation event to happen at .000001, but it
    will be stored in MySQL as .000000 because of sub-second truncation. A token can
    be created at .000002, but the creation time of that token, according to
    Fernet, will be .000000, because Fernet tokens don't have sub-second precision.
    When that token is validated, it will appear invalid even though it was created
    *after* the revocation event.
    
    Change-Id: Ied83448de8af1b0da9afdfe6ce9431438215bfe0
    Closes-Bug: 1473567


** Changed in: tempest
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1473567

Title:
  Fernet tokens fail tempest runs

Status in OpenStack Identity (keystone):
  In Progress
Status in tempest:
  Fix Released

Bug description:
  It seems testing an OpenStack instance that was deployed with Fernet tokens fails on some of the tempest tests.  In my case these tests failed:
  http://paste.openstack.org/show/363017/

  bknudson also found similar in a test patch:
     https://review.openstack.org/#/c/195780

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1473567/+subscriptions
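
The same-second race described in the commit message above, as an added example that is not part of the original notification or of the tempest or Keystone code. The rule in `is_revoked` (reject a token whose truncated issue time is not later than the truncated revocation time) is a simplified model of the fail-closed behaviour described, and all function names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def truncate_to_second(ts: datetime) -> datetime:
    """Drop the sub-second part, as described for Fernet issue times and
    for revocation events stored in MySQL."""
    return ts.replace(microsecond=0)


def is_revoked(issued_at: datetime, revoked_at: datetime) -> bool:
    """Simplified model (assumption, not Keystone's code): once both times
    are truncated, a token issued in the same second as the revocation
    event cannot be told apart from an older one, so it is rejected."""
    return truncate_to_second(issued_at) <= truncate_to_second(revoked_at)


def token_valid_after_change(change_time: datetime, delay: timedelta) -> bool:
    """Password change at change_time creates a revocation event; a new
    token is requested `delay` later. Returns True if it validates."""
    return not is_revoked(change_time + delay, change_time)


def delay_is_always_safe(delay: timedelta, step_us: int = 1000) -> bool:
    """Check the delay against password changes landing at sampled
    offsets across a whole second, including both edges."""
    offsets = list(range(0, 1_000_000, step_us)) + [999_999]
    return all(
        token_valid_after_change(BASE + timedelta(microseconds=o), delay)
        for o in offsets
    )


# Constructed timestamps: revocation at .000001, as in the commit message.
BASE = datetime(2015, 10, 5, 20, 34, 39, tzinfo=timezone.utc)
REVOKE = BASE + timedelta(microseconds=1)

if __name__ == "__main__":
    one_us = timedelta(microseconds=1)
    # Token issued at .000002, after the revocation, yet rejected.
    print("same second:", token_valid_after_change(REVOKE, one_us))
    # Revocation at .999999: the same 1 us gap crosses the boundary and
    # passes, which is why the failure is intermittent.
    late = BASE + timedelta(microseconds=999_999)
    print("across boundary:", token_valid_after_change(late, one_us))
    # The one-second wait from the fix works wherever the change lands.
    print("1 s wait safe:", delay_is_always_safe(timedelta(seconds=1)))
    print("0.999999 s safe:", delay_is_always_safe(timedelta(microseconds=999_999)))
```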

