Public bug reported:

The fernet token provider has sub-second format, but it is currently truncated to .000000Z. This is because the library (pyca/cryptography [0]) that keystone relies on for generating fernet tokens uses integer timestamps instead of floats, which loses sub-second accuracy. We should find a way to support sub-second accuracy in Fernet's creation timestamp so that we don't hit token revocation edge cases, like the ones documented here - https://review.openstack.org/#/c/227995/ .
This will likely have to be a coordinated effort between the cryptography development community and the maintainers of the Fernet specification [1]. This bug is to track that we include the corresponding fix (via version bump of cryptography) for keystone.

[0] https://github.com/pyca/cryptography
[1] https://github.com/fernet/spec

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: fernet

** Tags added: fernet

https://bugs.launchpad.net/bugs/1513541

Title:
  Support sub-second accuracy in Fernet's creation timestamp

Status in OpenStack Identity (keystone):
  New
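Added example (not part of the original bug report, and not keystone or pyca/cryptography code): the sketch below packs a creation time into the Fernet token layout, a version byte followed by a 64-bit big-endian count of whole seconds, and reads it back to show where the .000000Z comes from. The helper names, the sample times and the "issued at or before the revocation" comparison are assumptions made for illustration.

```python
import base64
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # version byte from the Fernet spec


def constructed_token(issued: datetime) -> bytes:
    """Fernet-shaped token: version, 64-bit big-endian seconds, then filler.

    The IV, ciphertext and HMAC are zero bytes (constructed sample, not
    decryptable); only the timestamp field matters here.
    """
    header = struct.pack(">BQ", FERNET_VERSION, int(issued.timestamp()))
    return base64.urlsafe_b64encode(header + bytes(16 + 16 + 32))


def issued_at(token: bytes) -> datetime:
    """Recover the creation time from the token's first nine bytes."""
    version, seconds = struct.unpack(">BQ", base64.urlsafe_b64decode(token)[:9])
    if version != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def iso(ts: datetime) -> str:
    """Format a time with the microsecond field the token provider exposes."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def covered_by_revocation(token_issued: datetime, revoked: datetime) -> bool:
    """Assumed simplified rule: a revocation covers tokens issued at or before it."""
    return token_issued <= revoked


# Constructed times: the token is issued 650 ms after the revocation.
REVOKED = datetime(2015, 11, 5, 12, 0, 0, 250000, tzinfo=timezone.utc)
ISSUED = datetime(2015, 11, 5, 12, 0, 0, 900000, tzinfo=timezone.utc)

if __name__ == "__main__":
    recovered = issued_at(constructed_token(ISSUED))
    print("real issue time :", iso(ISSUED))
    print("time in token   :", iso(recovered))
    print("revoked (real)  :", covered_by_revocation(ISSUED, REVOKED))
    print("revoked (token) :", covered_by_revocation(recovered, REVOKED))
```

With these sample times the token issued after the revocation is read back as issued at the start of the same second, so the comparison treats it as already revoked.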