[Openstack] [Barbican] Keystone PKI token too much long
Adam Young
ayoung at redhat.com
Mon Feb 3 18:23:12 UTC 2014
On 01/31/2014 11:24 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
>
> Hello,
>
> We ran into a problem when using Apache2 and WSGI as the web front end
> for Keystone. Keystone v2.0 returns the token in the response body but
> v3 returns the token in the response header. Apache has an internal
> limit of 8190 bytes for the response header which means that you will
> get an error when you request a token which includes an endpoint
> catalog that has more than about 12 endpoints in it. We had to turn
> the catalog off.
>
Setting the header size is a config option; I believe it is
LimitRequestFieldSize
http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize
So set that larger. 10K should be acceptable, based on the reports I've
heard.
>
> Mark
>
> *From:*Remo Mattei [mailto:remo at italy1.com]
> *Sent:* Friday, January 31, 2014 5:41 AM
> *To:* Ferreira, Rafael
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] [Barbican] Keystone PKI token too much long
>
> Hi Rafael
>
> Do you have the info on how that has been implemented?
>
> Thanks
>
> Remo
>
> Sent from iPhone
>
>
> On Jan 31, 2014, at 8:27, "Ferreira, Rafael" <raf at io.com> wrote:
>
> By the way, you can achieve the same benefits of uuid tokens
> (shorter tokens) with PKI by simply using an MD5 hash of the PKI
> token for your X-Auth headers. This is poorly documented but it
> seems to work just fine.
>
> *From: *Adam Young <ayoung at redhat.com>
> *Date: *Tuesday, January 28, 2014 at 1:41 PM
> *To: *"openstack at lists.openstack.org"
> <openstack at lists.openstack.org>
> *Subject: *Re: [Openstack] [Barbican] Keystone PKI token too much long
>
> On 01/22/2014 12:21 PM, John Wood wrote:
>
> (Adding another member of our team Douglas)
>
> Hello Giuseppe,
>
> For questions about news or patches for Keystone's PKI vs UUID
> modes, you might reach out to the
> openstack-dev at lists.openstack.org mailing list, with
> the subject line prefixed with [openstack-dev] [keystone]
>
> Our observation has been that the PKI mode can generate large
> text blocks for tokens (esp. for large service catalogs) that
> cause http header errors.
>
> Regarding the specific barbican scripts you are running, we
> haven't run those in a while, so I'll investigate as we might
> need to update them. Please email back your
> /etc/barbican/barbican-api-paste.ini paste config file when
> you have a chance as well.
>
> Thanks,
>
> John
>
> ------------------------------------------------------------------------
>
> *From:* Giuseppe Galeota [giuseppegaleota at gmail.com]
> *Sent:* Wednesday, January 22, 2014 7:36 AM
> *To:* openstack at lists.openstack.org
> *Cc:* John Wood
> *Subject:* [Openstack] [Barbican] Keystone PKI token too much long
>
> Dear all,
>
> I have configured Keystone for Barbican using this guide
> <https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
>
> Is there any news or patch about the need to use a shorter
> token? I would not use a modified token.
>
> It's a known problem. You can request a token without the service
> catalog using an extension.
>
> One possible future enhancement is to compress the key.
>
>
>
> Following you can find an extract of the linked guide:
>
> * (Optional) Typical keystone setup creates PKI tokens that are
> long, do not fit easily into curl requests without splitting
> into components. For testing purposes suggest updating the
> keystone database with a shorter token-id. (An alternative is
> to set up keystone to generate uuid tokens.) From the above
> output grab the token expiry value, referred to as "x-y-z"
>
> mysql -u root
> use keystone;
> update token set id="foo" where expires="x-y-z";
>
> Thank you,
>
> Giuseppe
>
>
>
>
> _______________________________________________
>
> Mailing list:http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
> Post to :openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>
> Unsubscribe :http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
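
Added example, not part of the original thread and not Keystone's own code: it sizes a constructed stand-in PKI token against the 8190-byte header limit Mark reports and computes the MD5 token ID Rafael describes. The catalog layout, the host name, the "MII" prefix test, and the assumption that the limit covers the whole "name: value" field are all assumptions of this sketch.

```python
import base64
import hashlib
import json

APACHE_DEFAULT_FIELD_LIMIT = 8190   # bytes, the limit quoted in the thread
HEADER_NAME = "X-Subject-Token"     # header Keystone v3 returns the token in


def fake_pki_token(n_endpoints):
    """Constructed stand-in for a PKI token: base64 of a DER-style SEQUENCE
    wrapping the token JSON. It is NOT CMS-signed; only its size and its
    'MII' prefix resemble a real token."""
    catalog = [{"type": f"service{i}", "region": "RegionOne",
                "interface": "public",
                "url": f"https://cloud.example.test:{8000 + i}/v1"}
               for i in range(n_endpoints)]
    body = json.dumps({"token": {"catalog": catalog}}).encode()
    # 0x30 0x82 = SEQUENCE with a two-byte length, which base64-encodes to "MII"
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return base64.b64encode(der).decode()


def header_field_size(token, name=HEADER_NAME):
    """Bytes occupied by the 'name: value' header field."""
    return len(f"{name}: {token}".encode())


def fits(token, limit=APACHE_DEFAULT_FIELD_LIMIT):
    return header_field_size(token) <= limit


def short_token_id(token):
    """MD5 hex digest of a PKI-looking token; other tokens pass through."""
    if token.startswith("MII"):
        return hashlib.md5(token.encode()).hexdigest()
    return token


def max_endpoints_that_fit(limit=APACHE_DEFAULT_FIELD_LIMIT):
    """Largest constructed catalog whose token still fits in one header."""
    n = 0
    while fits(fake_pki_token(n + 1), limit):
        n += 1
    return n


if __name__ == "__main__":
    n = max_endpoints_that_fit()
    too_big = fake_pki_token(n + 1)
    print("endpoints that fit under 8190 bytes:", n)
    print("first oversized header:", header_field_size(too_big), "bytes")
    print("hashed ID header:", header_field_size(short_token_id(too_big)), "bytes")
    print("endpoints that fit with a 10K limit:", max_endpoints_that_fit(10240))
```

The endpoint counts it prints apply only to this constructed catalog; a real token also carries user, role and signature data, so the real threshold is lower.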