Non PKI Tokens longer than 32 characters can never be valid
Bug #1060389 reported by
Adam Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Dan Radez | ||
Folsom |
Fix Released
|
High
|
Joseph Heck | ||
keystone (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
The current check is based on length, but 32 characters is insufficient. Devstack makes tokens of length 80.
These fail validation by triggering the PKI code path.
A better approach is to prepend a hint to non-uuid token schemes like PKI.
Related branches
lp://staging/~gandelman-a/ubuntu/quantal/keystone/2012.2.1
- Openstack Ubuntu Testers: Pending requested
-
Diff: 60 lines (+37/-2)1 file modifieddebian/changelog (+37/-2)
Changed in keystone: | |
status: | New → Confirmed |
importance: | Undecided → High |
tags: | added: folsom-backport |
Changed in keystone: | |
milestone: | none → grizzly-1 |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone (Ubuntu): | |
status: | New → Fix Released |
Changed in keystone (Ubuntu Quantal): | |
status: | New → Confirmed |
tags: | removed: folsom-backport in-stable-folsom |
Changed in keystone: | |
milestone: | grizzly-1 → 2013.1 |
To post a comment you must log in.
however, hardcoded admin_token values could be anything
put in a check
if admin_token[:4] == 'PKI-' throw a warning, or if we can't do base64 decode, then we can try the uuid route