<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New","serif";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:729887556;
mso-list-template-ids:-154136592;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1466391247;
mso-list-template-ids:-41747530;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:"&\#61623";
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New","serif";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:"&\#61607";
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I wish it was that easy. The Apache headers that you can adjust are not the ones creating the problem. The problem is with the response header size which you
cannot adjust. Following is a comment from Graham Dumpleton:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in">On 17/01/2014, at 5:36 PM, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <<a href="mailto:mark.m.miller@hp.com"><span style="color:purple">mark.m.miller@hp.com</span></a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hello Graham,</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I have run across a response header size limitation that I don’t know how to get around. I am using mod_wsgi with Apache2, SSL, and OpenStack Keystone.
The problem I am running into is that the tokens returned by Keystone can be > 8190 bytes in length. When they are greater than 8190 I get the following error:</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[Thu Jan 16 22:27:47 2014] [info] Initial (No.1) HTTPS request received for child 231 (server<span class="apple-converted-space"> </span><a href="http://d00-50-56-8e-75-82.cloudos.org"><span style="color:purple">d00-50-56-8e-75-82.cloudos.org</span></a>:5000)</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[Thu Jan 16 22:27:47 2014] [info] [client 192.168.124.2] mod_wsgi (pid=24676, process='keystone', application='<a href="http://d00-50-56-8e-75-82.cloudos.org"><span style="color:purple">d00-50-56-8e-75-82.cloudos.org</span></a>:5000|'):
Loading WSGI script '/etc/apache2/wsgi/keystone/main'.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[Thu Jan 16 22:27:48 2014] [error] [client 192.168.124.2] malformed header from script. Bad header=mVmOTdhMmUzIn0sIHsidXJsIjogImh: main</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[Thu Jan 16 22:27:48 2014] [debug] mod_deflate.c(615): [client 192.168.124.2] Zlib: Compressed 592 to 377 : URL /v3/auth/tokens</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[Thu Jan 16 22:27:48 2014] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">[Thu Jan 16 22:27:48 2014] [info] [client 192.168.124.2] Connection closed to child 231 with standard shutdown (server<span class="apple-converted-space"> </span><a href="http://d00-50-56-8e-75-82.cloudos.org"><span style="color:purple">d00-50-56-8e-75-82.cloudos.org</span></a>:5000)</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Is there some way to increase the response header size limit?</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This is a hardwired limitation within the Apache function used by mod_wsgi to parse the response headers returned from a WSGI application running in daemon mode.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> if (!(l = strchr(w, ':'))) {<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> if (!buffer) {<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> /* Soak up all the script output - may save an outright kill */<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> while ((*getsfunc)(w, MAX_STRING_LEN - 1, getsfunc_data) > 0) {<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> continue;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> }<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> }<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> "malformed header from script '%s': Bad header: %.30s",<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> apr_filepath_name_get(r->filename), w);<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> return HTTP_INTERNAL_SERVER_ERROR;<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> }<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Besides copying the function from Apache into mod_wsgi and modifying it, which has been on the cards for a while for other reasons, the only thing I can suggest is to used embedded mode, which in general I wouldn't
recommend.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">What is the nature of the token?<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Graham<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Adam Young [mailto:ayoung@redhat.com]
<br>
<b>Sent:</b> Monday, February 03, 2014 10:23 AM<br>
<b>To:</b> openstack@lists.openstack.org<br>
<b>Subject:</b> Re: [Openstack] [Barbican] Keystone PKI token too much long<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 01/31/2014 11:24 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We ran into a problem when using Apache2 and WSGi as the web front end for Keystone. Keystone v2.0 returns the token in the response body but v3 returns the
token in the response header. Apache has an internal limit of 8190 bytes for the response header which means that you will get an error when you request a token with includes an endpoint catalog that has more than about 12 endpoints in it. We had to turn the
catalog off.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Setting the header size is a config option;<br>
<br>
I believe it is <br>
<code><span style="font-size:10.0pt">LimitRequestFieldSize </span></code><span style="font-size:10.0pt;font-family:"Courier New","serif""><br>
<br>
<code><a href="http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize">http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize</a></code><br>
<br>
<code>So set that larger. 10K should be acceptable, based on the reports I've heard.</code><br>
<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Remo Mattei [<a href="mailto:remo@italy1.com">mailto:remo@italy1.com</a>]
<br>
<b>Sent:</b> Friday, January 31, 2014 5:41 AM<br>
<b>To:</b> Ferreira, Rafael<br>
<b>Cc:</b> <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack] [Barbican] Keystone PKI token too much long</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Hi Rafael<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Do you have the info on how that has been implemented. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Remo<o:p></o:p></p>
<div>
<p class="MsoNormal">Inviato da iPhone ()<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Il giorno Jan 31, 2014, alle ore 8:27, "Ferreira, Rafael" <<a href="mailto:raf@io.com">raf@io.com</a>> ha scritto:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">By the way, you can achieve the same benefits of uuid tokens (shorter tokens) with PKI by simply using a md5 hash of the PKI token for your X-Auth headers. This is poorly documented but it seems to work just fine. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Adam Young <<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>><br>
<b>Date: </b>Tuesday, January 28, 2014 at 1:41 PM<br>
<b>To: </b>"<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
<b>Subject: </b>Re: [Openstack] [Barbican] Keystone PKI token too much long</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On 01/22/2014 12:21 PM, John Wood wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">(Adding another member of our team Douglas)
</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Hello Giuseppe,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">For questions about news or patches for Keystone's PKI vs UUID modes, you might reach out to the
<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a> mailing list, with the subject line prefixed with [openstack-dev] [keystone] </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Our observation has been that the PKI mode can generate large text blocks for tokens (esp. for large service catalogs) that cause http header errors. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Regarding the specific barbican scripts you are running, we haven't run those in a while, so I'll investigate as we might need to update them. Please email back your /etc/barbican/barbican-api-paste.ini
paste config file when you have a chance as well. </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Thanks,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">John</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><o:p></o:p></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<div id="divRpF494683">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Giuseppe Galeota [<a href="mailto:giuseppegaleota@gmail.com">giuseppegaleota@gmail.com</a>]<br>
<b>Sent:</b> Wednesday, January 22, 2014 7:36 AM<br>
<b>To:</b> <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Cc:</b> John Wood<br>
<b>Subject:</b> [Openstack] [Barbican] Keystone PKI token too much long</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Dear all, <o:p></o:p></p>
<div>
<p class="MsoNormal">I have configured Keystone for Barbican using this <a href="https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone" target="_blank">
guide</a>.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Is there any news or patch about the need to use a shorter token? I would not use a modified token.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal">Its a known problem. You can request a token without the service catalog using an extension.<br>
<br>
One possible future enhancement is to compress the key.<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Following you can find an extract of the linked guide:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo3">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#333333">(Optional) Typical keystone setup creates PKI tokens that are long, do not fit easily into curl requests without splitting into components. For
testing purposes suggest updating the keystone database with a shorter token-id. (An alternative is to set up keystone to generate uuid tokens.) From the above output grad the token expiry value, referred to as "x-y-z"</span><o:p></o:p></p>
<div>
<div style="border:solid #DDDDDD 1.0pt;padding:5.0pt 8.0pt 5.0pt 8.0pt">
<pre style="mso-margin-top-alt:11.25pt;margin-right:0in;margin-bottom:11.25pt;margin-left:0in;line-height:14.25pt;background:#F8F8F8;word-wrap:normal;overflow:auto"><span style="font-family:Consolas;color:#333333">mysql <b>-</b>u rootuse keystone;update token set id<b>=</b></span><span style="font-family:Consolas;color:#DD1144">"foo"</span><span style="font-family:Consolas;color:#333333"> where expires<b>=</b></span><span style="font-family:Consolas;color:#DD1144">"x-y-z"</span><span style="font-family:Consolas;color:#333333"> ;</span><o:p></o:p></pre>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Giuseppe<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre>
<pre>Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><o:p></o:p></pre>
<pre>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">The communication contained in this e-mail is confidential and is intended only for the named recipient(s) and may contain information that is privileged, proprietary, attorney work product or exempt from disclosure under applicable law.
If you have received this message in error, or are not the named recipient(s), please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. Please immediately notify the
sender of the error, and delete this communication including any attached files from your system. Thank you for your cooperation. !DSPAM:1,52eba57b226891577754402!
<o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
<br>
!DSPAM:1,52eba57b226891577754402!<o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre>
<pre>Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><o:p></o:p></pre>
<pre>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>