Bug 918159 - PKI tokens too long for memcached keys
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
2.0 (Folsom)
Unspecified Unspecified
unspecified Severity unspecified
: snapshot5
: 2.1
Assigned To: Adam Young
Pavel Sedlák
: Triaged
Reported: 2013-03-05 10:43 EST by Adam Young
Modified: 2016-04-26 09:28 EDT
Fixed In Version: openstack-keystone-2012.2.3-5.el6ost
Doc Type: Bug Fix
Last Closed: 2013-04-04 16:23:03 EDT
Type: Bug


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Launchpad | 1073343 | None | None | None | Never
OpenStack gerrit | 23564 | None | None | None | Never
Red Hat Product Errata | RHSA-2013:0708 | normal | SHIPPED_LIVE | Moderate: openstack-keystone security and bug fix update | 2013-04-04 20:19:06 EDT

Description Adam Young 2013-03-05 10:43:07 EST
Description of problem:

PKI tokens are currently keyed on the whole token string. This is too long to fit into a cookie. Instead, we will key on the hash, and this can be stored in the cookie instead.

Solution is to key them on a hash of the token.  Solution has been released upstream:

https://review.openstack.org/#/c/15116/

Needs to be backported to Folsom Stable.
Comment 3 Adam Young 2013-03-11 16:36:28 EDT
    To fix requires these patches, suggested for backport to Folsom stable:

    key all backends off of hash of pki token.
    https://review.openstack.org/#/c/24079/

    Use the right subprocess based on os monkeypatch
    https://review.openstack.org/#/c/23996/

    as well as

    Backport of fix for 24-hour failure of pki.
    https://review.openstack.org/#/c/23334/

    Which has already merged:
Comment 8 Pavel Sedlák 2013-04-04 09:31:27 EDT
Verified with openstack-keystone-2012.2.3-7.el6ost.

For verification it was required to work around bug 927929 and bug 948270 to get to the state with PKI and memcached working.

With version 2012.2.3-7:
----
$ memcached-tool localhost
  #  Item_Size  Max_age   Pages   Count   Full?  Evicted Evict_Time OOM
  3     152B         0s       1       0      no        0        0    0
  5     240B         0s       1       0      no        0        0    0
 17     3.5K    494019s       1       1      no        0        0    0
----

With version 2012.2.3-3 it ends with (for example cinder):
----
$ memcached-tool localhost
  #  Item_Size  Max_age   Pages   Count   Full?  Evicted Evict_Time OOM
----

And in cinder/api.log there is:
----
2013-04-04 14:30:11 3922 ERROR cinder.api.openstack [-] Caught error: Key length is > 250
...
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack   File "/usr/lib/python2.6/site-packages/memcache.py", line 632, in _set
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack     check_key(key)
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack   File "/usr/lib/python2.6/site-packages/memcache.py", line 945, in check_key
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack     % SERVER_MAX_KEY_LENGTH)
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack MemcachedKeyLengthError: Key length is > 250
----
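
The failure in the log above and the fix named in the description (keying on a hash of the token), as an added example that is not code from Keystone or from this bug report. The page does not name the hash function; SHA-256, the `tokens/` prefix, `KeyTooLong`, `TokenCache` and the sample token are assumptions made for illustration.

```python
import hashlib

# Limit reported in the traceback above ("Key length is > 250").
SERVER_MAX_KEY_LENGTH = 250


class KeyTooLong(ValueError):
    """Hypothetical stand-in for the MemcachedKeyLengthError in the log."""


def check_key(key: str) -> None:
    """Reject keys a memcached server would refuse: over the length limit,
    or containing whitespace or control characters."""
    raw = key.encode("utf-8")
    if len(raw) > SERVER_MAX_KEY_LENGTH:
        raise KeyTooLong("Key length is > %d" % SERVER_MAX_KEY_LENGTH)
    if any(b <= 32 or b == 127 for b in raw):
        raise ValueError("Control or whitespace characters not allowed")


def cache_key(token_id: str, prefix: str = "tokens/") -> str:
    """Derive a fixed-length cache key from a token of any size.

    A collision-resistant hash is assumed (SHA-256 here) so that two
    different tokens cannot map to the same cached validation result.
    """
    digest = hashlib.sha256(token_id.encode("utf-8")).hexdigest()
    key = prefix + digest
    check_key(key)
    return key


class TokenCache:
    """Dict-backed stand-in for a memcached client that enforces check_key."""

    def __init__(self):
        self._store = {}

    def set(self, key, value):
        check_key(key)
        self._store[key] = value

    def get(self, key):
        check_key(key)
        return self._store.get(key)


# Constructed sample: a PKI token is a long encoded signed document.
SAMPLE_PKI_TOKEN = "MII" + "A1b2C3d4" * 400
```

Keying on the digest also keeps the raw bearer token out of the cache's key space, so a dump of cache keys does not expose usable tokens.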
Comment 10 errata-xmlrpc 2013-04-04 16:23:03 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0708.html
