Bug #12761
Keystone Fernet tokens break auth
Description
When using Fernet tokens in Keystone (as opposed to UUID or PKI), RGW does not handle them correctly due to the timestamp being presented from the API in a slightly different way.
Here are the logs from RGW: https://gist.github.com/ianunruh/427489668620e3fbeae1
If I switch to UUID or PKIZ, then the request works just fine. I'm using the latest release from the Hammer Apt repository for Ubuntu Trusty.
Associated revisions
rgw: be more flexible with iso8601 timestamps
make parsing 8601 more flexible by not restricting the length of seconds
to 5, this allows timestamp to be specified both as ms or us. Newer
keystone backends such as fernet token backend default to microseconds
when publishing iso8601 timestamps, so this allows these timestamps to
be allowed when specifying the token expiry time.
Fixes: #12761
Reported-by: Ian Unruh <ianunruh@gmail.com>
Signed-off-by: Abhishek Lekshmanan <abhishek.lekshmanan@ril.com>
rgw: be more flexible with iso8601 timestamps
make parsing 8601 more flexible by not restricting the length of seconds
to 5, this allows timestamp to be specified both as ms or us. Newer
keystone backends such as fernet token backend default to microseconds
when publishing iso8601 timestamps, so this allows these timestamps to
be allowed when specifying the token expiry time.
Fixes: #12761
Reported-by: Ian Unruh <ianunruh@gmail.com>
Signed-off-by: Abhishek Lekshmanan <abhishek.lekshmanan@ril.com>
(cherry picked from commit 136242b5612b8bbf260910b1678389361e86d22a)
History
#1 Updated by Abhishek Lekshmanan over 5 years ago
Looks like rgw's parser expects milliseconds precision only and fails when seconds tells microseconds as well
#2 Updated by Abhishek Lekshmanan over 5 years ago
- Status changed from New to In Progress
- Assignee set to Abhishek Lekshmanan
master pr: https://github.com/ceph/ceph/pull/5651
#3 Updated by Abhishek Lekshmanan over 5 years ago
- Status changed from In Progress to Fix Under Review
#4 Updated by Abhishek Lekshmanan over 5 years ago
- Status changed from Fix Under Review to Pending Backport
- Target version set to v0.94.4
- Backport set to hammer
Since the affected version is hammer, I'm marking this for hammer backport. It is up to the leads to decide if the backport is necessary or not.
#5 Updated by Loïc Dachary over 5 years ago
- Target version deleted (v0.94.4)
#6 Updated by Stephen Jahl over 5 years ago
Hi, I wanted to note that I am also seeing this on my firefly (.80.10) cluster after trying to enable fernet tokens on my openstack install.
2015-10-09 13:12:36.551481 7f7a9dfd3700 0 Keystone token parse error: access: token: Failed to parse ISO8601 expiration date from Keystone response.
Any chance we could see a backport to firefly on this fix as well?
#7 Updated by Loïc Dachary over 5 years ago
- Status changed from Pending Backport to Resolved
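An added example, not taken from the Ceph patch or from anyone in this thread, of the behaviour the commit message describes: a token-expiry parser that accepts ISO 8601 fractional seconds of any length while still rejecting malformed input, so the caller fails closed. It goes beyond the ms/us case on this page by accepting 1 to 9 fractional digits; `parse_expiry_usec` and `days_from_civil` are hypothetical names, and the timestamp in `main` is constructed.

```cpp
#include <cctype>
#include <cstdint>
#include <string>

// Days since 1970-01-01 for a Gregorian date with year >= 1970.
static int64_t days_from_civil(int64_t y, int m, int d) {
  y -= m <= 2;
  const int64_t era = y / 400, yoe = y - era * 400;
  const int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

// Hypothetical helper, not RGW's function: microseconds since the epoch, or false.
bool parse_expiry_usec(const std::string& s, int64_t& out) {
  size_t p = 0;
  auto digit = [&](size_t i) { return i < s.size() && std::isdigit((unsigned char)s[i]); };
  // Read exactly n digits, then require separator sep (0 means none).
  auto field = [&](int n, char sep, int& v) {
    v = 0;
    for (int i = 0; i < n; ++i, ++p) {
      if (!digit(p)) return false;
      v = v * 10 + (s[p] - '0');
    }
    return sep == 0 || (p < s.size() && s[p++] == sep);
  };
  int Y, M, D, h, m, sec;
  if (!field(4, '-', Y) || !field(2, '-', M) || !field(2, 'T', D) ||
      !field(2, ':', h) || !field(2, ':', m) || !field(2, 0, sec))
    return false;
  if (Y < 1970 || M < 1 || M > 12 || D < 1 || D > 31 || h > 23 || m > 59 || sec > 59)
    return false;  // range check only; days-in-month is not validated here
  int64_t usec = 0;
  if (p < s.size() && s[p] == '.') {
    int n = 0;
    for (++p; digit(p); ++p, ++n)
      if (n < 6) usec = usec * 10 + (s[p] - '0');  // drop digits past microseconds
    if (n == 0 || n > 9) return false;
    for (; n < 6; ++n) usec *= 10;  // ".551" becomes 551000 microseconds
  }
  if (p + 1 != s.size() || s[p] != 'Z') return false;  // UTC only, no trailing bytes
  out = (days_from_civil(Y, M, D) * 86400 + h * 3600 + m * 60 + sec) * 1000000 + usec;
  return true;
}

int main() {
  int64_t t = 0;  // constructed sample timestamp with microsecond precision
  return parse_expiry_usec("2015-10-09T13:12:36.551481Z", t) ? 0 : 1;
}
```

A `false` return should be treated as an invalid token rather than as "no expiry".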