[Openstack] [Barbican] Keystone PKI token too much long
Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Fri Jan 31 16:24:41 UTC 2014

Hello,
We ran into a problem when using Apache2 and WSGI as the web front end for Keystone. Keystone v2.0 returns the token in the response body but v3 returns the token in the response header. Apache has an internal limit of 8190 bytes for the response header, which means that you will get an error when you request a token which includes an endpoint catalog that has more than about 12 endpoints in it. We had to turn the catalog off.
Mark
From: Remo Mattei [mailto:remo at italy1.com]
Sent: Friday, January 31, 2014 5:41 AM
To: Ferreira, Rafael
Cc: openstack at lists.openstack.org
Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long
Hi Rafael
Do you have the info on how that has been implemented?
Thanks
Remo
Sent from iPhone
On Jan 31, 2014, at 8:27, "Ferreira, Rafael" <raf at io.com> wrote:
By the way, you can achieve the same benefits of uuid tokens (shorter tokens) with PKI by simply using an MD5 hash of the PKI token for your X-Auth headers. This is poorly documented but it seems to work just fine.
From: Adam Young <ayoung at redhat.com>
Date: Tuesday, January 28, 2014 at 1:41 PM
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long
On 01/22/2014 12:21 PM, John Wood wrote:
(Adding another member of our team Douglas)
Hello Giuseppe,
For questions about news or patches for Keystone's PKI vs UUID modes, you might reach out to the openstack-dev at lists.openstack.org mailing list, with the subject line prefixed with [openstack-dev] [keystone]
Our observation has been that the PKI mode can generate large text blocks for tokens (esp. for large service catalogs) that cause http header errors.
Regarding the specific barbican scripts you are running, we haven't run those in a while, so I'll investigate as we might need to update them. Please email back your /etc/barbican/barbican-api-paste.ini paste config file when you have a chance as well.
Thanks,
John
________________________________
From: Giuseppe Galeota [giuseppegaleota at gmail.com]
Sent: Wednesday, January 22, 2014 7:36 AM
To: openstack at lists.openstack.org
Cc: John Wood
Subject: [Openstack] [Barbican] Keystone PKI token too much long
Dear all,
I have configured Keystone for Barbican using this guide<https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
Is there any news or patch about the need to use a shorter token? I would not use a modified token.
It's a known problem.  You can request a token without the service catalog using an extension.
One possible future enhancement is to compress the key.
Following you can find an extract of the linked guide:
  *   (Optional) Typical keystone setup creates PKI tokens that are long, do not fit easily into curl requests without splitting into components. For testing purposes suggest updating the keystone database with a shorter token-id. (An alternative is to set up keystone to generate uuid tokens.) From the above output grab the token expiry value, referred to as "x-y-z"
mysql -u root
use keystone;
update token set id="foo" where expires="x-y-z" ;
Thank you,
Giuseppe
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
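
Added example, not part of the original thread: a Python sketch of the two points discussed above, checking a token against the 8190-byte header limit quoted for Apache and falling back to the MD5 hex digest of the token text when it does not fit. The function names and the sample tokens are constructed for illustration, and it assumes the limit applies to the whole header line (name, separator and CRLF).

```python
import hashlib

# Response-header limit quoted in the thread for Apache (bytes).
APACHE_HEADER_LIMIT = 8190


def header_line_size(name, value):
    """Bytes on the wire for one header line: 'Name: value' plus CRLF."""
    return len(f"{name}: {value}\r\n".encode("ascii"))


def fits_header(name, value, limit=APACHE_HEADER_LIMIT):
    # Assumption: the limit covers the whole line, name and CRLF included.
    return header_line_size(name, value) <= limit


def short_token_id(pki_token):
    """MD5 hex digest of the token text, the short form described in the thread."""
    return hashlib.md5(pki_token.encode("ascii")).hexdigest()


def auth_header_value(token, limit=APACHE_HEADER_LIMIT):
    """Send the token as-is when it fits in X-Auth-Token, else its MD5 id."""
    if fits_header("X-Auth-Token", token, limit):
        return token
    return short_token_id(token)


def make_sample_token(length):
    # Constructed stand-in for a PKI token: right length, no real signature.
    return "MII" + "A" * (length - 3)


if __name__ == "__main__":
    # Constructed sizes around the limit; prints size, whether the v3
    # response header would fit, and the length of what would be sent.
    for length in (2000, 8174, 8175, 12000):
        token = make_sample_token(length)
        sent = auth_header_value(token)
        print(length, fits_header("X-Subject-Token", token), len(sent))
```

The digest is always 32 hex characters regardless of catalog size. A service that receives only the hash cannot check the token's signature itself and has to validate it against Keystone.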