yahoo-eng-team team mailing list archive

[Bug 1926483] [NEW] Keystone logs a warning about token size regardless of max_token_size

Public bug reported:

Keystone has a configuration option to control the maximum size of a
token `keystone.conf [DEFAULT] max_token_size` [0].

With Fernet tokens, the ideal token should be less than 255 characters.
This was due to initial design targets when developing non-persistent
tokens and to be mindful of potential storage issues.

When integrating keystone with LDAP, fernet tokens are likely to exceed
255 characters because the strings can't be converted to bytes, making
them smaller.

If you deploy keystone with LDAP and then set the max_token_size = 300,
you'll still see an informative warning in keystone.log saying:

  Fernet token created with length of 268 characters, which exceeds 255 characters

This is because of a hard-coded check in keystone's fernet token
provider that doesn't use the max_token_size option [1].

We should consider reusing that configuration option there instead of a
hard-coded check because it's misleading to operators why they still see
the log message after they've adjusted max_token_size.

[0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#DEFAULT.max_token_size
[1] https://opendev.org/openstack/keystone/src/commit/10057702ac361213e74472ec1d0d4e4c4a041f09/keystone/conf/default.py

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1926483

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1926483/+subscriptions
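The two points in the report, why LDAP-backed ids push a Fernet token past 255 characters and what a size check that honours max_token_size looks like, as an added example that is not keystone's own code. It models keystone's id packing (a UUID-hex id becomes 16 raw bytes, anything else stays a UTF-8 string) with a simplified length-prefixed payload instead of keystone's msgpack format, computes the token length from the Fernet spec (version, timestamp, IV, PKCS7-padded AES-CBC ciphertext, HMAC, urlsafe base64) rather than encrypting, and the sample ids and the `check_token_size` function are constructed for this illustration:

```python
"""Model of why LDAP user ids lengthen Fernet tokens, plus a size warning
that uses the configured max_token_size instead of a hard-coded 255.
Added example, not keystone's code; the payload format is a simplification."""
import logging
import math
import struct
import uuid

LOG = logging.getLogger(__name__)

# Constructed sample ids (not real keystone identifiers). SQL-backed users
# get a 32-char uuid hex id; an LDAP-backed user with keystone's default
# identity mapping gets a 64-char sha256 hex id, which is not a UUID.
SQL_USER_ID = "3f0b6d6a1f4e4f2a9c1a2b3c4d5e6f70"
LDAP_USER_ID = "9a" * 32                 # 64 hex chars, constructed
PROJECT_ID = "0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f"
AUDIT_ID = b"AAAAAAAAAAAAAAAAAAAAAA"     # 22-char audit id, constructed


def pack_id(value):
    """Pack a UUID-hex id into 16 raw bytes; keep any other id as UTF-8.

    This is the conversion the report alludes to: LDAP ids cannot be
    converted to bytes, so they stay at their full string length.
    """
    try:
        return uuid.UUID(value).bytes
    except ValueError:
        return value.encode("utf-8")


def build_payload(user_id, project_id, audit_id, methods=1, expires_at=0.0):
    """Simplified stand-in for the token payload: a methods byte, an 8-byte
    expiry, and three length-prefixed fields (assumed format, not msgpack)."""
    parts = [bytes([methods]), struct.pack(">d", expires_at)]
    for value in (user_id, project_id):
        packed = pack_id(value)
        parts.append(bytes([len(packed)]) + packed)
    parts.append(bytes([len(audit_id)]) + audit_id)
    return b"".join(parts)


def fernet_token_length(payload_len):
    """Token length per the Fernet spec for a payload of payload_len bytes:
    version (1) + timestamp (8) + IV (16) + PKCS7-padded ciphertext + HMAC (32),
    then urlsafe base64 with padding (4 output chars per 3 input bytes)."""
    ciphertext_len = (payload_len // 16 + 1) * 16   # PKCS7 always adds >= 1 byte
    raw_len = 1 + 8 + 16 + ciphertext_len + 32
    return math.ceil(raw_len / 3) * 4


def token_length_for(user_id, project_id, audit_id):
    """Length of the Fernet token that the simplified payload would yield."""
    return fernet_token_length(len(build_payload(user_id, project_id, audit_id)))


def check_token_size(token_len, max_token_size=255):
    """Log the report's warning only when the token exceeds the configured
    maximum (the proposed behaviour); return True if the warning fired.

    max_token_size would come from CONF.max_token_size in keystone; the
    default of 255 is the value the current check hard-codes.
    """
    if token_len > max_token_size:
        LOG.warning(
            "Fernet token created with length of %d characters, which "
            "exceeds %d characters", token_len, max_token_size)
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, uid in (("sql", SQL_USER_ID), ("ldap", LDAP_USER_ID)):
        length = token_length_for(uid, PROJECT_ID, AUDIT_ID)
        print(f"{label}: token length {length}")
    # The 268-char token from the report: warns with the hard-coded 255,
    # stays quiet once the configured limit of 300 is used instead.
    check_token_size(268)
    check_token_size(268, max_token_size=300)
```

Running it shows the LDAP-backed token is longer for the same payload shape purely because the user id cannot be packed into 16 bytes; with more fields in the real payload (roles, second audit id, domain ids) the same effect carries a token past 255. The second `check_token_size` call is the behaviour the report asks for: an operator who sets `max_token_size = 300` should not see the warning for a 268-character token.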
