Project

General

Profile

Bug #12761

Keystone Fernet tokens break auth

Added by Ian Unruh over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
High
Assignee:
Abhishek Lekshmanan
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
hammer
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
Ceph - v0.94.2
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

When using Fernet tokens in Keystone (as opposed to UUID or PKI), RGW does not handle them correctly due to the timestamp being presented from the API in a slightly different way.

Here is the logs from RGW: https://gist.github.com/ianunruh/427489668620e3fbeae1

If I switch to UUID or PKIZ, then the request works just fine. I'm using the latest release from the Hammer Apt repository for Ubuntu Trusty.

Related issues

Copied to rgw - Backport #13226: Keystone Fernet tokens break auth Resolved 08/24/2015

Associated revisions

Revision 136242b5 (diff)
Added by Abhishek Lekshmanan over 4 years ago

rgw: be more flexible with iso8601 timestamps

make parsing 8601 more flexible by not restricting the length of seconds
to 5, this allows timestamp to be specified both as ms or us. Newer
keystone backends such as fernet token backend default to microseconds
when publishing iso8601 timestamps, so this allows these timestamps to
be allowed when specifying the token expiry time.

Fixes: #12761
Reported-by: Ian Unruh <>
Signed-off-by: Abhishek Lekshmanan <>

Revision 6119b152 (diff)
Added by Abhishek Lekshmanan about 4 years ago

rgw: be more flexible with iso8601 timestamps

make parsing 8601 more flexible by not restricting the length of seconds
to 5, this allows timestamp to be specified both as ms or us. Newer
keystone backends such as fernet token backend default to microseconds
when publishing iso8601 timestamps, so this allows these timestamps to
be allowed when specifying the token expiry time.

Fixes: #12761
Reported-by: Ian Unruh <>
Signed-off-by: Abhishek Lekshmanan <>
(cherry picked from commit 136242b5612b8bbf260910b1678389361e86d22a)

History

#1 Updated by Abhishek Lekshmanan over 4 years ago

Looks like rgw's parser expects milliseconds precision only and fails when seconds tells microseconds as well

#2 Updated by Abhishek Lekshmanan over 4 years ago

  • Status changed from New to In Progress
  • Assignee set to Abhishek Lekshmanan

#3 Updated by Abhishek Lekshmanan over 4 years ago

  • Status changed from In Progress to Fix Under Review

#4 Updated by Abhishek Lekshmanan about 4 years ago

  • Status changed from Fix Under Review to Pending Backport
  • Target version set to v0.94.4
  • Backport set to hammer

Since affected version is hammer, I'm marking this for hammer backport. It is upto the leads to decide if the backport is necessary or not.

#5 Updated by Loic Dachary about 4 years ago

  • Target version deleted (v0.94.4)

#6 Updated by Stephen Jahl about 4 years ago

Hi, I wanted to note that I am also seeing this on my firefly (.80.10) cluster after trying to enable fernet tokens on my openstack install.

2015-10-09 13:12:36.551481 7f7a9dfd3700  0 Keystone token parse error: access: token: Failed to parse ISO8601 expiration date from Keystone response.

Any chance we could see a backport to firefly on this fix as well?

#7 Updated by Loic Dachary about 4 years ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF