Bug 918159

Summary: PKI tokens too long for memcached keys
Product: Red Hat OpenStack Reporter: Adam Young <ayoung>
Component: openstack-keystone Assignee: Adam Young <ayoung>
Status: CLOSED ERRATA QA Contact: Pavel Sedlák <psedlak>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.0 (Folsom) CC: ajeain, apevec, ayoung, jhenner
Target Milestone: snapshot5 Keywords: Triaged
Target Release: 2.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-keystone-2012.2.3-5.el6ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-04 20:23:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Young 2013-03-05 15:43:07 UTC
Description of problem:

PKI tokens are currently keyed on the whole token string. This is too long to fit into a cookie. Instead, we will key on the hash, and this can be stored in the cookie instead.

Solution is to key them on a hash of the token.  Solution has been released upstream:

https://review.openstack.org/#/c/15116/

Needs to be backported to Folsom Stable.

Comment 3 Adam Young 2013-03-11 20:36:28 UTC
    The fix requires these patches, suggested for backport to Folsom stable:


    key all backends off of hash of pki token.
    https://review.openstack.org/#/c/24079/


    Use the right subprocess based on os monkeypatch
    https://review.openstack.org/#/c/23996/


    as well as

    Backport of fix for 24-hour failure of pki.
    https://review.openstack.org/#/c/23334/

    which has already merged.

Comment 8 Pavel Sedlák 2013-04-04 13:31:27 UTC
Verified with openstack-keystone-2012.2.3-7.el6ost.

For verification it was required to work around bug 927929 and bug 948270 to get to the state with PKI and memcached working.

With version 2012.2.3-7:
----
$ memcached-tool localhost
  #  Item_Size  Max_age   Pages   Count   Full?  Evicted Evict_Time OOM
  3     152B         0s       1       0      no        0        0    0
  5     240B         0s       1       0      no        0        0    0
 17     3.5K    494019s       1       1      no        0        0    0
----

With version 2012.2.3-3 it ends with (for example cinder):
----
$ memcached-tool localhost
  #  Item_Size  Max_age   Pages   Count   Full?  Evicted Evict_Time OOM
----

And in cinder/api.log there is:
----
2013-04-04 14:30:11 3922 ERROR cinder.api.openstack [-] Caught error: Key length is > 250
...
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack   File "/usr/lib/python2.6/site-packages/memcache.py", line 632, in _set
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack     check_key(key)
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack   File "/usr/lib/python2.6/site-packages/memcache.py", line 945, in check_key
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack     % SERVER_MAX_KEY_LENGTH)
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack MemcachedKeyLengthError: Key length is > 250
----
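
The failure in the log above and the fix described in this bug (keying on a hash of the token instead of the whole token), as an added example that is not part of the original thread or of the Keystone patches. SHA-256, the `tokens/` prefix, the `FakeCache` stand-in and the constructed sample token are assumptions of this example; the page does not say which hash the patches use.

```python
import base64
import hashlib

SERVER_MAX_KEY_LENGTH = 250  # limit named in the traceback above

class KeyTooLong(ValueError):
    """Stand-in for the client's MemcachedKeyLengthError."""

def check_key(key):
    """Reject keys that break memcached's key rules."""
    raw = key.encode("utf-8")
    if len(raw) > SERVER_MAX_KEY_LENGTH:
        raise KeyTooLong("Key length is > %d" % SERVER_MAX_KEY_LENGTH)
    if any(b <= 32 or b == 127 for b in raw):
        raise ValueError("whitespace or control character in key")

def cache_key(token, prefix="tokens/"):
    """Fixed-length key for a token of any size (SHA-256 is assumed here)."""
    key = prefix + hashlib.sha256(token.encode("utf-8")).hexdigest()
    check_key(key)
    return key

class FakeCache:
    """In-memory stand-in for a memcached client that enforces check_key()."""
    def __init__(self):
        self._data = {}

    def set(self, key, value):
        check_key(key)
        self._data[key] = value

    def get(self, key):
        return self._data.get(key)

def make_sample_token(size=3500):
    """Constructed stand-in for a PKI token, not a real signed token."""
    return base64.urlsafe_b64encode(bytes(i % 251 for i in range(size))).decode()

def demo():
    token, cache = make_sample_token(), FakeCache()
    try:
        cache.set(token, "valid")  # old behaviour: whole token as the key
        stored_raw = True
    except KeyTooLong:
        stored_raw = False
    cache.set(cache_key(token), "valid")  # fixed behaviour: hash as the key
    return stored_raw, cache.get(cache_key(token)), len(cache_key(token))
```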

Comment 10 errata-xmlrpc 2013-04-04 20:23:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0708.html