yahoo-eng-team team mailing list archive

[Bug 1240163] Re: Can't store a PKI token with a large catalog

 

Due to a security issue with PKI tokens, we are going to stop supporting
PKI and we will move people on to Fernet as a replacement.  Thus, no new
features will be implemented for PKI tokens.

** Changed in: keystone
   Importance: High => Wishlist

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1240163

Title:
  Can't store a PKI token with a large catalog

Status in OpenStack Identity (keystone):
  Won't Fix
Status in python-keystoneclient:
  In Progress

Bug description:
  It seems that when you have a sufficiently large catalog, hashing of
  the v3 token ID fails, so the token cannot be stored to the DB:

  Basically when the catalog gets sufficiently large, the assumption
  here about impractically large tokens proves bad:

  https://github.com/openstack/keystone/blob/master/keystone/common/cms.py#L108

  So token[:3] != PKI_ANS1_PREFIX, which means we don't hash the ID and
  just return the unhashed token ID; in my case I'm seeing token[:3] ==
  MIJ, not MII, which is assumed to prefix the token.

  https://github.com/openstack/keystone/blob/master/keystone/common/cms.py#L174

  This results in an error like this, and a failure to store the token,
  even though it was created OK.

  2013-10-15 18:24:45.671 29796 WARNING keystone.common.wsgi [-] String
  length exceeded.The length of string '<unhashed token ID>' exceeded
  the limit of column id(CHAR(64)).

  From:
  https://github.com/openstack/keystone/blob/master/keystone/common/sql/core.py#L87

  I hit this issue because I had some duplicate endpoints in my
  environment, but it seems to be a more general problem, which could
  happen anytime you have a sufficiently large number of catalog
  entries.

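Why the prefix moves from MII to MIJ once the token is large enough, as an added example that is not part of the original report and is not keystone's code: the first three base64 characters encode the DER SEQUENCE tag and the top bits of its length, so they change with size. Assumptions: the zero-filled DER blob is a constructed stand-in for a CMS token, SHA-256 stands in for whatever hash keystone applies, and all function names other than PKI_ANS1_PREFIX are hypothetical.

```python
import base64
import hashlib

PKI_ANS1_PREFIX = "MII"  # prefix constant named in the bug description


def der_sequence(content_len):
    """Constructed stand-in for a CMS blob: DER SEQUENCE of zero bytes."""
    if content_len < 0x80:                      # short-form length
        header = bytes([0x30, content_len])
    else:                                       # long form: 0x80|n, then n length bytes
        n = (content_len.bit_length() + 7) // 8
        header = bytes([0x30, 0x80 | n]) + content_len.to_bytes(n, "big")
    return header + bytes(content_len)


def token_for(content_len):
    return base64.b64encode(der_sequence(content_len)).decode("ascii")


def id_by_prefix(token):
    """Behaviour the report describes: hash only when the token starts with MII."""
    if token[:3] == PKI_ANS1_PREFIX:
        return hashlib.sha256(token.encode()).hexdigest()  # SHA-256 is an assumption
    return token                                # unhashed ID goes on to the CHAR(64) column


def looks_like_der_sequence(token):
    """Decode the first base64 quantum; check SEQUENCE tag and length octet."""
    try:
        head = base64.b64decode(token[:4], validate=True)
    except ValueError:
        return False
    return len(head) >= 2 and head[0] == 0x30 and (
        head[1] < 0x80 or 0x81 <= head[1] <= 0x84)


def id_by_structure(token):
    """Hypothetical alternative: hash anything that decodes as a DER SEQUENCE."""
    if looks_like_der_sequence(token):
        return hashlib.sha256(token.encode()).hexdigest()
    return token


if __name__ == "__main__":
    for n in (1000, 16383, 16384, 70000):
        t = token_for(n)
        print(n, t[:3], len(id_by_prefix(t)), len(id_by_structure(t)))
```

The boundary sits at 16384 bytes of content: from there the DER length no longer fits in 14 bits, and the third base64 character is no longer I.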