Public bug reported: Keystone has a configuration option to control the maximum size of a token `keystone.conf [DEFAULT] max_token_size` [0].
With Fernet tokens, the ideal token should be less than 255 characters. This was due to initial design targets when developing non-persistent tokens and to be mindful of potential storage issues. When integrating keystone with LDAP, fernet tokens are likely to exceed 255 characters because the strings can't be converted to bytes, making them smaller. If you deploy keystone with LDAP and then set the max_token_size = 300, you'll still see an informative warning in keystone.log saying: Fernet token created with length of 268 characters, which exceeds 255 characters This is because of a hard-coded check in keystone's fernet token provider that doesn't use the max_token_size option [1]. We should consider reusing that configuration option there instead of a hard-coded check because it's misleading to operators why they still see the log message after they've adjusted max_token_size. [0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#DEFAULT.max_token_size [1] https://opendev.org/openstack/keystone/src/commit/10057702ac361213e74472ec1d0d4e4c4a041f09/keystone/conf/default.py ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1926483 Title: Keystone logs a warning about token size regardless of max_token_size Status in OpenStack Identity (keystone): New Bug description: Keystone has a configuration option to control the maximum size of a token `keystone.conf [DEFAULT] max_token_size` [0]. With Fernet tokens, the ideal token should be less than 255 characters. This was due to initial design targets when developing non-persistent tokens and to be mindful of potential storage issues. When integrating keystone with LDAP, fernet tokens are likely to exceed 255 characters because the strings can't be converted to bytes, making them smaller. If you deploy keystone with LDAP and then set the max_token_size = 300, you'll still see an informative warning in keystone.log saying: Fernet token created with length of 268 characters, which exceeds 255 characters This is because of a hard-coded check in keystone's fernet token provider that doesn't use the max_token_size option [1]. We should consider reusing that configuration option there instead of a hard-coded check because it's misleading to operators why they still see the log message after they've adjusted max_token_size. [0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#DEFAULT.max_token_size [1] https://opendev.org/openstack/keystone/src/commit/10057702ac361213e74472ec1d0d4e4c4a041f09/keystone/conf/default.py To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1926483/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
