[Openstack-security] [openstack/keystone] SecurityImpact review request change I03b9c5c64f4bd8bca78dfc83199ef17d9a7ea5b7

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Fri May 8 13:06:37 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/177686

Log:
commit 0e7f63c13c4d326709ccd3912d7037c675a16ad2
Author: abhishekkekane <abhishek.kekane at nttdata.com>
Date:   Tue Oct 21 04:10:57 2014 -0700

    Eventlet green threads not released back to pool
    
    Presently, the wsgi server allows persist connections hence even after
    the response is sent to the client, it doesn't close the client socket
    connection.
    Because of this problem, the green thread is not released back to the pool.
    
    In order to close the client socket connection explicitly after the
    response is sent and read successfully by the client, you simply have to
    set keepalive to False when you create a wsgi server.
    
    Add a parameter to take advantage of the new(ish) eventlet socket timeout
    behaviour. Allows closing idle client connections after a period of
    time, eg:
    
    $ time nc localhost 8776
    real    1m0.063s
    
    Setting 'client_socket_timeout = 0' means do not timeout.
    
    DocImpact:
    Added wsgi_keep_alive option (default=True).
    Added client_socket_timeout option (default=900).
    
    SecurityImpact
    
    Conflicts:
            keystone/common/config.py
            keystone/common/environment/eventlet_server.py
    
    NOTE: This is not 1:1 cherry-pick because 'eventlet_server' config
    group is not present in juno.
    
    Closes-Bug: #1361360
    Change-Id: I03b9c5c64f4bd8bca78dfc83199ef17d9a7ea5b7
    (cherry picked from commit 3b08644eb9cf4c5aca51a36250ae93105c17f6c4)





More information about the Openstack-security mailing list