yahoo-eng-team team mailing list archive

[OpenStack Infra <1758121@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/555339
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=93838575c1c866df114b595921720d72ebb1c1e8
Submitter: Zuul
Branch:    master

commit 93838575c1c866df114b595921720d72ebb1c1e8
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Thu Mar 22 18:13:24 2018 +0000

    Fix integer -> method conversion for python3
    
    We have a method that takes an integer and re-inflates it into a list
    of authentication methods. This is because it's more efficient to
    pass around an integer in a token's payload than a list of strings.
    During the token validation process, we take this integer and run it
    through a little process to reinflate it's value to a list of auth
    methods that were used to obtain the original token.
    
    The re-inflation process doesn't actually work in python3 because it
    is coded to expect integers when dividing numbers, which is accurate
    for python2. Python3 returns floats when dividing two integers, which
    doesn't work with the logic to re-inflate the auth methods. For
    example, in python 3::
    
      >>> result = 5 / 4
      >>> result
      1.25
      >>> type(result)
      <class 'float'>
    
    In python2:
    
      >>> result = 5 / 4
      >>> result
      1
      >>> type(result)
      <type 'int'>
    
    This commit introduces unit tests to prevent regression and includes
    a fix so that the conversion works properly on python3.
    
    Closes-Bug: 1758121
    Change-Id: I627c2b353da0c35bb23bb40542a880fc6bacc4aa


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1758121

Title:
  Rebuilding authentication methods is broken with python3

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone uses several techniques to make fernet tokens as small as
  possible. One of these techniques is to take the token's
  authentication methods and convert them to an integer before
  msgpack'ing the payload and encrypting it.

  The conversion from a list of unique strings to an integer is
  relatively simple. Each authentication methods has its own unique
  value and a sum of the methods is packed into the token. On
  validation, keystone does some math to "re-inflate" the integer into
  it's original list [0].

  The problem is that in python2, division operations between two
  integers results in an integer. In python3, they result in a float.
  For example, the following is with python3:

    >>> result = 5 / 4
    >>> result
    1.25
    >>> type(result)
    <class 'float'>

  The sample example in python2:

    >>> result = 5 / 4
    >>> result
    1
    >>> type(result)
    <type 'int'>

  The logic to re-inflate a list of methods from an integer expects
  integers [1]. As a result, if cache_on_issue is disabled and keystone
  is running with python3, a token's method list at authentication time
  will be different from the list at validation time.

  
  [0] https://github.com/openstack/keystone/blob/d4f3160334838c592cc8616bba85c13f308468f6/keystone/auth/plugins/core.py#L63-L95
  [1] https://github.com/openstack/keystone/blob/d4f3160334838c592cc8616bba85c13f308468f6/keystone/auth/plugins/core.py#L89

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1758121/+subscriptions