Reviewed: https://review.opendev.org/c/openstack/keystone/+/789417 Committed: https://opendev.org/openstack/keystone/commit/68bfb685d12937dde11d1a335bd992203ec7c293 Submitter: "Zuul (22348)" Branch: master
commit 68bfb685d12937dde11d1a335bd992203ec7c293 Author: Lance Bragstad <[email protected]> Date: Mon May 3 20:37:35 2021 +0000 Only log warnings about token length when length exceeds max_token_size Previously, the fernet token provider would log warnings when a fernet token exceeded 255 characters, which is common for LDAP-backed deployments. The warning is always issued, even when operators configure keystone's max_token_size to a higher value, causing confusion because it appears the configuration value is silently ignored. This commit fixes that issue by using the max_token_size configuration parameter consistently in the fernet token provider. Closes-Bug: 1926483 Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1926483 Title: Keystone logs a warning about token size regardless of max_token_size Status in OpenStack Identity (keystone): Fix Released Bug description: Keystone has a configuration option to control the maximum size of a token `keystone.conf [DEFAULT] max_token_size` [0]. With Fernet tokens, the ideal token should be less than 255 characters. This was due to initial design targets when developing non-persistent tokens and to be mindful of potential storage issues. When integrating keystone with LDAP, fernet tokens are likely to exceed 255 characters because the strings can't be converted to bytes, making them smaller. If you deploy keystone with LDAP and then set the max_token_size = 300, you'll still see an informative warning in keystone.log saying: Fernet token created with length of 268 characters, which exceeds 255 characters This is because of a hard-coded check in keystone's fernet token provider that doesn't use the max_token_size option [1]. We should consider reusing that configuration option there instead of a hard-coded check because it's misleading to operators why they still see the log message after they've adjusted max_token_size. [0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#DEFAULT.max_token_size [1] https://opendev.org/openstack/keystone/src/commit/10057702ac361213e74472ec1d0d4e4c4a041f09/keystone/conf/default.py To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1926483/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
