Public bug reported:

We recently rolled out a config change to update the max_password_length to avoid all the log messages. We set this to 54 as mentioned in the release notes which we discovered was a BIG mistake as this broke everyone authenticating using existing application credentials.

There is a bit of confusion as to what to do here and the code and the release notes are inconsistent.

Upgrading to zed we got a lot of these in the logs [1]:

"Truncating password to algorithm specific maximum length 72 characters."

In the config help [2] for "max_password_length" it says:

"The bcrypt max_password_length is 72 bytes."

In the release notes [1] it says:

"Currently only bcrypt has fixed allowed lengths defined which is 54 characters."

[1] https://github.com/openstack/keystone/blob/9b0b414e3eb915c89c9786abeb1307ba734f5901/keystone/common/password_hashing.py#L89
[2] https://github.com/openstack/keystone/blob/9b0b414e3eb915c89c9786abeb1307ba734f5901/keystone/conf/identity.py#L106
[3] https://docs.openstack.org/releasenotes/keystone/zed.html

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2061922

Title:
  max_password_length config and logs inconsistent

Status in OpenStack Identity (keystone):
  New
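Why lowering the limit can invalidate hashes that are already stored, as an added example (not keystone code and not part of the bug report). It assumes the secret's UTF-8 bytes are cut to min(max_password_length, 72) both when hashing and when verifying, and uses stdlib PBKDF2 as a stand-in for bcrypt; the function names and sample secrets are constructed.

```python
import hashlib
import hmac
import os

BCRYPT_MAX_BYTES = 72  # limit quoted in the config help and the log message
OLD_LIMIT = 72         # effective limit when the hashes were stored
NEW_LIMIT = 54         # value taken from the release notes


def _truncate(secret: str, max_password_length: int) -> bytes:
    """Assumed behaviour: cut the UTF-8 bytes to the smaller of both limits."""
    limit = min(max_password_length, BCRYPT_MAX_BYTES)
    return secret.encode("utf-8")[:limit]


def hash_secret(secret: str, max_password_length: int, salt: bytes = None):
    """Return (salt, digest); PBKDF2 stands in for bcrypt here."""
    salt = salt or os.urandom(16)
    data = _truncate(secret, max_password_length)
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, 10_000)


def verify_secret(secret: str, stored, max_password_length: int) -> bool:
    """Re-hash the truncated secret and compare in constant time."""
    salt, digest = stored
    data = _truncate(secret, max_password_length)
    candidate = hashlib.pbkdf2_hmac("sha256", data, salt, 10_000)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    # Constructed secrets: 86 ASCII bytes, 21 ASCII bytes, 30 chars = 60 bytes.
    long_secret = "".join(f"{i:02d}" for i in range(43))
    short_secret = "s3cret-under-54-bytes"
    multibyte_secret = "\u00e9" * 30
    stored = {s: hash_secret(s, OLD_LIMIT)
              for s in (long_secret, short_secret, multibyte_secret)}
    return {
        "long_at_72": verify_secret(long_secret, stored[long_secret], OLD_LIMIT),
        "long_at_54": verify_secret(long_secret, stored[long_secret], NEW_LIMIT),
        "short_at_54": verify_secret(short_secret, stored[short_secret], NEW_LIMIT),
        "multibyte_at_54": verify_secret(multibyte_secret, stored[multibyte_secret], NEW_LIMIT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'REJECTED'}")
```

The 30-character secret is rejected as well because the limit applies to bytes, which is where the "characters" and "bytes" wording quoted in the report diverges.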

