Bug 918159 - PKI tokens too long for memcached keys
Summary: PKI tokens too long for memcached keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 2.0 (Folsom)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: snapshot5
Target Release: 2.1
Assignee: Adam Young
QA Contact: Pavel Sedlák
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-05 15:43 UTC by Adam Young
Modified: 2022-07-09 06:03 UTC

Fixed In Version: openstack-keystone-2012.2.3-5.el6ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-04 20:23:03 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Launchpad 1073343 0 None None None Never
OpenStack gerrit 23564 0 None None None Never
Red Hat Product Errata RHSA-2013:0708 0 normal SHIPPED_LIVE Moderate: openstack-keystone security and bug fix update 2013-04-05 00:19:06 UTC

Description Adam Young 2013-03-05 15:43:07 UTC
Description of problem:

PKI tokens are currently keyed on the whole token string. This is too long to fit into a cookie. Instead, we will key on the hash, and this can be stored in the cookie instead.

The solution is to key them on a hash of the token. The solution has been released upstream:

https://review.openstack.org/#/c/15116/

Needs to be backported to Folsom Stable.

Comment 3 Adam Young 2013-03-11 20:36:28 UTC
Fixing this requires these patches, suggested for backport to Folsom stable:

key all backends off of hash of pki token.
https://review.openstack.org/#/c/24079/

Use the right subprocess based on os monkeypatch
https://review.openstack.org/#/c/23996/

as well as

Backport of fix for 24-hour failure of pki.
https://review.openstack.org/#/c/23334/

Which has already merged:

Comment 8 Pavel Sedlák 2013-04-04 13:31:27 UTC
Verified with openstack-keystone-2012.2.3-7.el6ost.

For verification it was required to work around bug 927929 and bug 948270 to get to the state with PKI and memcached working.

With version 2012.2.3-7:
----
$ memcached-tool localhost
  #  Item_Size  Max_age   Pages   Count   Full?  Evicted Evict_Time OOM
  3     152B         0s       1       0      no        0        0    0
  5     240B         0s       1       0      no        0        0    0
 17     3.5K    494019s       1       1      no        0        0    0
----

With version 2012.2.3-3 it ends with (for example cinder):
----
$ memcached-tool localhost
  #  Item_Size  Max_age   Pages   Count   Full?  Evicted Evict_Time OOM
----

And in cinder/api.log there is:
----
2013-04-04 14:30:11 3922 ERROR cinder.api.openstack [-] Caught error: Key length is > 250
...
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack   File "/usr/lib/python2.6/site-packages/memcache.py", line 632, in _set
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack     check_key(key)
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack   File "/usr/lib/python2.6/site-packages/memcache.py", line 945, in check_key
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack     % SERVER_MAX_KEY_LENGTH)
2013-04-04 14:30:11 3922 TRACE cinder.api.openstack MemcachedKeyLengthError: Key length is > 250
----
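
The failure and the fix reported in this bug, as an added example (not code from the bug report or from the Keystone patches): a cache keyed on the whole token fails the 250-byte key check, while a cache keyed on a hash of the token stores and retrieves it. The SHA-256 digest, the `token-` prefix, the `TokenCache` class and the dict standing in for memcached are assumptions for illustration, and the sample token is constructed.

```python
import base64
import hashlib

MAX_KEY_LENGTH = 250  # memcached key limit, as in the "Key length is > 250" error

class KeyLengthError(ValueError):
    """Stand-in for the MemcachedKeyLengthError seen in the traceback."""

def check_key(key):
    """Reject keys longer than the memcached limit, as the client library does."""
    if len(key.encode("utf-8")) > MAX_KEY_LENGTH:
        raise KeyLengthError("Key length is > %d" % MAX_KEY_LENGTH)

def token_cache_key(token, prefix="token-"):
    """Fixed-length key for a token of any size (assumed scheme: SHA-256 hex)."""
    return prefix + hashlib.sha256(token.encode("utf-8")).hexdigest()

class TokenCache:
    """Dict-backed stand-in for a memcached client, enforcing the same key check."""

    def __init__(self, hash_keys):
        self.hash_keys = hash_keys  # False: key on whole token; True: key on its hash
        self._store = {}

    def _key(self, token):
        key = token_cache_key(token) if self.hash_keys else "token-" + token
        check_key(key)
        return key

    def set(self, token, data):
        self._store[self._key(token)] = data

    def get(self, token):
        return self._store.get(self._key(token))

def sample_pki_token():
    """Constructed sample: base64 text roughly the size of a signed PKI token."""
    return base64.urlsafe_b64encode(bytes(range(256)) * 10).decode("ascii")

def demo():
    """Return (unhashed write succeeded, hashed key length, value read back)."""
    token, data = sample_pki_token(), {"user": "demo"}
    hashed = TokenCache(hash_keys=True)
    hashed.set(token, data)
    try:
        TokenCache(hash_keys=False).set(token, data)
        unhashed_ok = True
    except KeyLengthError:
        unhashed_ok = False
    return unhashed_ok, len(token_cache_key(token)), hashed.get(token)
```

Every component that reads or writes the cache has to derive the key the same way, which is why the backport list above includes keying all backends off the hash.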

Comment 10 errata-xmlrpc 2013-04-04 20:23:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0708.html
