yahoo-eng-team team mailing list archive

[Bug 2061922] [NEW] max_password_length config and logs inconsistent

Public bug reported:

We recently rolled out a config change to update the max_password_length
to avoid all the log messages. We set this to 54 as mentioned in the
release notes which we discovered was a BIG mistake as this broke
everyone authenticating using existing application credentials.

There is a bit of confusion as to what to do here and the code and the
release notes are inconsistent.


Upgrading to zed we got a lot of these in the logs [1]:

"Truncating password to algorithm specific maximum length 72
characters."

In the config help [2] for "max_password_length" it says:

"The bcrypt max_password_length is 72 bytes."

In the release notes [1] it says:

"Currently only bcrypt has fixed allowed lengths defined which is 54
characters."


[1] https://github.com/openstack/keystone/blob/9b0b414e3eb915c89c9786abeb1307ba734f5901/keystone/common/password_hashing.py#L89
[2] https://github.com/openstack/keystone/blob/9b0b414e3eb915c89c9786abeb1307ba734f5901/keystone/conf/identity.py#L106
[3] https://docs.openstack.org/releasenotes/keystone/zed.html

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2061922
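The breakage the reporter describes follows from how truncate-before-hash schemes work: the stored hash commits to exactly the bytes that were fed to bcrypt at creation time, so a secret verified later under a shorter truncation length produces different input and fails. The following is an added example, not Keystone's own code; it assumes a Keystone-style policy of cutting the secret to the configured max_password_length before hashing (as the quoted log line indicates) and uses the real `bcrypt` package when it is installed, falling back to a salted PBKDF2 stand-in (labelled as such, and not bcrypt) so the demonstration runs offline. The sample secrets are constructed.

```python
import hashlib
import hmac
import os

try:
    import bcrypt  # real bcrypt when the package is installed
except ImportError:  # fall back to a stand-in KDF so the demo still runs offline
    bcrypt = None

# bcrypt's algorithm-specific input limit, as quoted in the log line on the page.
BCRYPT_MAX_BYTES = 72


def truncate(secret: bytes, max_len: int) -> bytes:
    """Keep only the first max_len bytes, mirroring a truncate-before-hash policy."""
    return secret[:max_len]


def hash_secret(secret: bytes, max_len: int) -> bytes:
    """Hash the truncated secret. The stored hash commits only to those bytes."""
    data = truncate(secret, max_len)
    if bcrypt is not None:
        # Low cost factor keeps the demo fast; production would use a higher one.
        return bcrypt.hashpw(data, bcrypt.gensalt(rounds=4))
    # Stand-in (not bcrypt): salted PBKDF2-HMAC-SHA256, constructed for this demo.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, 1000)
    return b"$demo$" + salt.hex().encode() + b"$" + digest.hex().encode()


def verify_secret(secret: bytes, stored: bytes, max_len: int) -> bool:
    """Verify using the *currently configured* truncation length."""
    data = truncate(secret, max_len)
    if stored.startswith(b"$demo$"):
        _, _, salt_hex, digest_hex = stored.split(b"$")
        digest = hashlib.pbkdf2_hmac("sha256", data, bytes.fromhex(salt_hex.decode()), 1000)
        return hmac.compare_digest(digest.hex().encode(), digest_hex)
    return bcrypt.checkpw(data, stored)


def still_verifies(secret: bytes, stored_with: int, configured_now: int) -> bool:
    """Hash under one truncation length, then verify under another."""
    stored = hash_secret(secret, stored_with)
    return verify_secret(secret, stored, configured_now)


# Constructed sample secrets: an application-credential secret of 60 bytes
# (longer than 54 but within bcrypt's 72) and a short 40-byte one.
LONG_SECRET = b"A" * 60
SHORT_SECRET = b"B" * 40


def audit_config_change(old_len: int = BCRYPT_MAX_BYTES, new_len: int = 54) -> dict:
    """Which stored credentials survive lowering max_password_length from old_len to new_len?"""
    return {
        "long_secret_old_config": still_verifies(LONG_SECRET, old_len, old_len),
        "long_secret_new_config": still_verifies(LONG_SECRET, old_len, new_len),
        "short_secret_new_config": still_verifies(SHORT_SECRET, old_len, new_len),
    }


if __name__ == "__main__":
    for name, ok in audit_config_change().items():
        print(f"{name}: {'OK' if ok else 'AUTH FAILS'}")
```

Only secrets longer than the new limit are affected, which is why a change that looks like a harmless log-noise fix silently locks out exactly the credentials with long random secrets. A practitioner lowering such a setting would first confirm that existing hashes were created under the same truncation length the verifier will now apply (the config help on the page gives bcrypt's limit as 72 bytes), or plan a re-hash of affected credentials before the change.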