
yahoo-eng-team team mailing list archive

[Bug 1279750] Re: username validation 64 chars but can be 255 in database

There's nothing to fix here. max_param_size is for any HTTP parameter;
we set this to 64 to prevent a DOS attack.

UserIDs should not be greater than 64. IDs are not usually in the
request payload but part of the URL; regardless, any userID in keystone
is 32 (if stored in SQL) or 64 (if we're shadowing an LDAP user).

Now, Username is set to 255 since these values may come from LDAP and be
rather large; thus we set it to 255.

Additionally, we added validation for user create in this patch:
https://review.openstack.org/#/c/348531/7 but as you can see from the
comments in the schema for "_identity_name" we do not validate that it
must be a specific size, since it could come from an LDAP backend, where
we don't have any control over the length of the name.

WONTFIX

** Changed in: keystone
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1279750

Title:
  username validation 64 chars but can be 255 in database

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  Currently, username/password authentication mechanism has input length
  validation checker in keystone/token/controllers.py

  def _authenticate_local(self, context, auth):
      ...
      if user_id and len(user_id) > CONF.max_param_size:
          ...
      if len(username) > CONF.max_param_size:
          ...

  where by default, keystone.conf sets max_param_size to 64,
  whereas in the user db schema, user_id is 64 and username is 255.

  DB and frontend validation should be consistent in size.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1279750/+subscriptions
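The sizing policy described in the reply (a generic 64-char cap on any HTTP parameter as a DoS guard, ids that are 32 or 64 hex chars, and a username bounded by its 255-char column rather than the generic cap), written out as an added example; this is illustration code, not keystone's own controller, and the payload shape, column table and function names are assumptions:

```python
import re

# Generic cap on any HTTP parameter, the DoS guard the maintainer describes.
MAX_PARAM_SIZE = 64

# Column widths as stated in the report (hypothetical lookup table, not
# keystone's model code): user id 64, username 255.
USER_COLUMN_LENGTHS = {"id": 64, "name": 255}

# A user id is 32 hex chars (uuid hex, SQL-stored) or 64 hex chars (hash of
# a shadowed LDAP user), so anything longer or non-hex is rejected outright.
_USER_ID_RE = re.compile(r"\A(?:[0-9a-f]{32}|[0-9a-f]{64})\Z")


class ValidationError(ValueError):
    """Raised for an oversize or malformed request parameter."""


def check_param(name, value, column_lengths=USER_COLUMN_LENGTHS,
                max_param_size=MAX_PARAM_SIZE):
    """Bound a parameter by its DB column if it has one, else by the generic cap.

    This keeps the frontend limit consistent with the schema (the reporter's
    concern) while every other parameter still gets max_param_size.
    """
    if not isinstance(value, str):
        raise ValidationError("%s must be a string" % name)
    limit = column_lengths.get(name, max_param_size)
    if len(value) > limit:
        raise ValidationError("%s exceeds %d characters" % (name, limit))
    return value


def validate_auth(auth):
    """Validate the user id / username part of a password-auth payload.

    Returns (user_id, username); a missing field is returned as None.
    The "passwordCredentials" payload shape is an assumption for this example.
    """
    creds = auth.get("passwordCredentials", {})
    user_id = creds.get("userId")
    username = creds.get("username")
    if user_id is None and username is None:
        raise ValidationError("userId or username required")
    if user_id is not None:
        check_param("id", user_id)
        if not _USER_ID_RE.match(user_id):
            raise ValidationError("userId is not a 32- or 64-char hex id")
    if username is not None:
        check_param("name", username)
    return user_id, username
```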