yahoo-eng-team team mailing list archive
Message #71921
[Bug 1758121] [NEW] Rebuilding authentication methods is broken with python3
Public bug reported:
Keystone uses several techniques to make fernet tokens as small as
possible. One of these techniques is to take the token's authentication
methods and convert them to an integer before msgpack'ing the payload
and encrypting it.
The conversion from a list of unique strings to an integer is relatively
simple. Each authentication method has its own unique value and a sum
of the methods is packed into the token. On validation, keystone does
some math to "re-inflate" the integer into its original list [0].
The problem is that in python2, division operations between two integers
result in an integer. In python3, they result in a float. For example,
the following is with python3:
>>> result = 5 / 4
>>> result
1.25
>>> type(result)
<class 'float'>
The same example in python2:
>>> result = 5 / 4
>>> result
1
>>> type(result)
<type 'int'>
The logic to re-inflate a list of methods from an integer expects
integers [1]. As a result, if cache_on_issue is disabled and keystone is
running with python3, a token's method list at authentication time will
be different from the list at validation time.
[0] https://github.com/openstack/keystone/blob/d4f3160334838c592cc8616bba85c13f308468f6/keystone/auth/plugins/core.py#L63-L95
[1] https://github.com/openstack/keystone/blob/d4f3160334838c592cc8616bba85c13f308468f6/keystone/auth/plugins/core.py#L89
** Affects: keystone
Importance: Medium
Status: Triaged
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1758121
Title:
Rebuilding authentication methods is broken with python3
Status in OpenStack Identity (keystone):
Triaged
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1758121/+subscriptions
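The round trip described in the report, as an added example that is not keystone's code and not part of the original message. It assumes each method is assigned a distinct power of two and that re-inflation confirms a method when the quotient equals 1; the method names, their order and the function names are constructed for illustration.

```python
import operator

# Constructed method list; the power-of-two values are an assumption.
METHODS = ["external", "password", "token", "oauth1", "mapped"]
METHOD_MAP = {1 << i: name for i, name in enumerate(METHODS)}


def methods_to_int(methods):
    """Pack a list of unique method names into one integer (sum of values)."""
    by_name = {name: value for value, name in METHOD_MAP.items()}
    return sum(by_name[m] for m in set(methods))


def int_to_methods(method_int, divide):
    """Re-inflate the integer, largest value first.

    `divide` selects the division semantics: operator.truediv behaves like
    python3's `/`, operator.floordiv like python2's `/` on two ints.
    """
    confirmed = []
    for value in sorted(METHOD_MAP, reverse=True):
        # A quotient of exactly 1 means `value` is part of the remaining sum.
        if divide(method_int, value) == 1:
            confirmed.append(METHOD_MAP[value])
            method_int -= value
    return confirmed


def roundtrip(methods, divide):
    """Return the sorted method list recovered after packing and unpacking."""
    return sorted(int_to_methods(methods_to_int(methods), divide))


if __name__ == "__main__":
    for issued in (["password"], ["password", "token"], ["token", "mapped"]):
        print(issued,
              "py2-style:", roundtrip(issued, operator.floordiv),
              "py3-style:", roundtrip(issued, operator.truediv))
```

With float division a single-method token still round-trips, because the quotient is exactly 1.0, but any multi-method sum yields a fractional quotient and the list comes back empty. Using `//` restores the python2 result.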