Bug #12761
closedKeystone Fernet tokens break auth
0%
Description
When using Fernet tokens in Keystone (as opposed to UUID or PKI), RGW does not handle them correctly due to the timestamp being presented from the API in a slightly different way.
Here is the logs from RGW: https://gist.github.com/ianunruh/427489668620e3fbeae1
If I switch to UUID or PKIZ, then the request works just fine. I'm using the latest release from the Hammer Apt repository for Ubuntu Trusty.
Updated by Abhishek Lekshmanan over 8 years ago
Looks like rgw's parser expects milliseconds precision only and fails when seconds tells microseconds as well
Updated by Abhishek Lekshmanan over 8 years ago
- Status changed from New to In Progress
- Assignee set to Abhishek Lekshmanan
master pr: https://github.com/ceph/ceph/pull/5651
Updated by Abhishek Lekshmanan over 8 years ago
- Status changed from In Progress to Fix Under Review
Updated by Abhishek Lekshmanan over 8 years ago
- Status changed from Fix Under Review to Pending Backport
- Target version set to v0.94.4
- Backport set to hammer
Since affected version is hammer, I'm marking this for hammer backport. It is upto the leads to decide if the backport is necessary or not.
Updated by Stephen Jahl over 8 years ago
Hi, I wanted to note that I am also seeing this on my firefly (.80.10) cluster after trying to enable fernet tokens on my openstack install.
2015-10-09 13:12:36.551481 7f7a9dfd3700 0 Keystone token parse error: access: token: Failed to parse ISO8601 expiration date from Keystone response.
Any chance we could see a backport to firefly on this fix as well?
Updated by Loïc Dachary over 8 years ago
- Status changed from Pending Backport to Resolved