yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1926483] Re: Keystone logs a warning about token size regardless of max_token_size

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1926483@xxxxxxxxxxxxxxxxxx>
Date: Mon, 25 Jul 2022 23:37:39 -0000
Reply-to: Bug 1926483 <1926483@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/789417
Committed: https://opendev.org/openstack/keystone/commit/68bfb685d12937dde11d1a335bd992203ec7c293
Submitter: "Zuul (22348)"
Branch:    master

commit 68bfb685d12937dde11d1a335bd992203ec7c293
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Mon May 3 20:37:35 2021 +0000

    Only log warnings about token length when length exceeds max_token_size
    
    Previously, the fernet token provider would log warnings when a fernet
    token exceeded 255 characters, which is common for LDAP-backed
    deployments. The warning is always issued, even when operators configure
    keystone's max_token_size to a higher value, causing confusion because
    it appears the configuration value is silently ignored.
    
    This commit fixes that issue by using the max_token_size configuration
    parameter consistently in the fernet token provider.
    
    Closes-Bug: 1926483
    
    Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1926483

Title:
  Keystone logs a warning about token size regardless of max_token_size

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone has a configuration option to control the maximum size of a
  token `keystone.conf [DEFAULT] max_token_size` [0].

  With Fernet tokens, the ideal token should be less than 255
  characters. This was due to initial design targets when developing
  non-persistent tokens and to be mindful of potential storage issues.

  When integrating keystone with LDAP, fernet tokens are likely to
  exceed 255 characters because the strings can't be converted to bytes,
  making them smaller.

  If you deploy keystone with LDAP and then set the max_token_size =
  300, you'll still see an informative warning in keystone.log saying:

    Fernet token created with length of 268 characters, which exceeds
  255 characters

  This is because of a hard-coded check in keystone's fernet token
  provider that doesn't use the max_token_size option [1].

  We should consider reusing that configuration option there instead of
  a hard-coded check because it's misleading to operators why they still
  see the log message after they've adjusted max_token_size.

  [0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#DEFAULT.max_token_size
  [1] https://opendev.org/openstack/keystone/src/commit/10057702ac361213e74472ec1d0d4e4c4a041f09/keystone/conf/default.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1926483/+subscriptions

References

[Bug 1926483] [NEW] Keystone logs a warning about token size regardless of max_token_size
From: Lance Bragstad, 2021-04-28