Description of problem: PKI tokens are currently keyed on the whole token string. This is too long to fit into a cookie. Instead, we will key on the hash, and this can be stored in the cookie instead. Solution is to key them on a hash of the token. Solution has been released upstream: https://review.openstack.org/#/c/15116/ Needs to be backported to Folsom Stable.
To fix requires these patches suggest for backport to folsom stable: key all backends off of hash of pki token. https://review.openstack.org/#/c/24079/ Use the right subprocess based on os monkeypatch https://review.openstack.org/#/c/23996/ as well as Backport of fix for 24-hour failure of pki. https://review.openstack.org/#/c/23334/ Which has already merged:
Verified with openstack-keystone-2012.2.3-7.el6ost. For verification it was required to workaround bug 927929 and bug 948270 to get to the state with PKI and memcached working. With version 2012.2.3-7: ---- $ memcached-tool localhost # Item_Size Max_age Pages Count Full? Evicted Evict_Time OOM 3 152B 0s 1 0 no 0 0 0 5 240B 0s 1 0 no 0 0 0 17 3.5K 494019s 1 1 no 0 0 0 ---- With version 2012.2.3-3 it ends with (for example cinder): ---- $ memcached-tool localhost # Item_Size Max_age Pages Count Full? Evicted Evict_Time OOM ---- And in cinder/api.log there is: ---- 2013-04-04 14:30:11 3922 ERROR cinder.api.openstack [-] Caught error: Key length is > 250 ... 2013-04-04 14:30:11 3922 TRACE cinder.api.openstack File "/usr/lib/python2.6/site-packages/memcache.py", line 632, in _set 2013-04-04 14:30:11 3922 TRACE cinder.api.openstack check_key(key) 2013-04-04 14:30:11 3922 TRACE cinder.api.openstack File "/usr/lib/python2.6/site-packages/memcache.py", line 945, in check_key 2013-04-04 14:30:11 3922 TRACE cinder.api.openstack % SERVER_MAX_KEY_LENGTH) 2013-04-04 14:30:11 3922 TRACE cinder.api.openstack MemcachedKeyLengthError: Key length is > 250 ----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0708.html