On 01/31/2014 11:24 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) wrote:

Hello,

We ran into a problem when using Apache2 and WSGI as the web front end for Keystone. Keystone v2.0 returns the token in the response body but v3 returns the token in the response header. Apache has an internal limit of 8190 bytes for the response header which means that you will get an error when you request a token which includes an endpoint catalog that has more than about 12 endpoints in it. We had to turn the catalog off.


Setting the header size is a config option;

I believe it is LimitRequestFieldSize

http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize

So set that larger. 10K should be acceptable, based on the reports I've heard.

Mark

*From:*Remo Mattei [mailto:r...@italy1.com]
*Sent:* Friday, January 31, 2014 5:41 AM
*To:* Ferreira, Rafael
*Cc:* openstack@lists.openstack.org
*Subject:* Re: [Openstack] [Barbican] Keystone PKI token too much long

Hi Rafael

Do you have the info on how that has been implemented?

Thanks

Remo

Sent from iPhone


On Jan 31, 2014, at 8:27, "Ferreira, Rafael" <r...@io.com <mailto:r...@io.com>> wrote:

    By the way, you can achieve the same benefits of uuid tokens
    (shorter tokens) with PKI by simply using an MD5 hash of the PKI
    token for your X-Auth headers. This is poorly documented but it
    seems to work just fine.

    *From: *Adam Young <ayo...@redhat.com <mailto:ayo...@redhat.com>>
    *Date: *Tuesday, January 28, 2014 at 1:41 PM
    *To: *"openstack@lists.openstack.org
    <mailto:openstack@lists.openstack.org>"
    <openstack@lists.openstack.org <mailto:openstack@lists.openstack.org>>
    *Subject: *Re: [Openstack] [Barbican] Keystone PKI token too much long

    On 01/22/2014 12:21 PM, John Wood wrote:

        (Adding another member of our team Douglas)

        Hello Giuseppe,

        For questions about news or patches for Keystone's PKI vs UUID
        modes, you might reach out to the
        openstack-...@lists.openstack.org
        <mailto:openstack-...@lists.openstack.org> mailing list, with
        the subject line prefixed with [openstack-dev] [keystone]

        Our observation has been that the PKI mode can generate large
        text blocks for tokens (esp. for large service catalogs) that
        cause http header errors.

        Regarding the specific barbican scripts you are running, we
        haven't run those in a while, so I'll investigate as we might
        need to update them. Please email back your
        /etc/barbican/barbican-api-paste.ini paste config file when
        you have a chance as well.

        Thanks,

        John

        ------------------------------------------------------------------------

        *From:*Giuseppe Galeota [giuseppegale...@gmail.com
        <mailto:giuseppegale...@gmail.com>]
        *Sent:* Wednesday, January 22, 2014 7:36 AM
        *To:* openstack@lists.openstack.org
        <mailto:openstack@lists.openstack.org>
        *Cc:* John Wood
        *Subject:* [Openstack] [Barbican] Keystone PKI token too much long

        Dear all,

        I have configured Keystone for Barbican using this guide
        <https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.

        Is there any news or patch about the need to use a shorter
        token? I would not use a modified token.

    It's a known problem.  You can request a token without the service
    catalog using an extension.

    One possible future enhancement is to compress the key.



    Following you can find an extract of the linked guide:

      * (Optional) Typical keystone setup creates PKI tokens that are
        long, do not fit easily into curl requests without splitting
        into components. For testing purposes suggest updating the
        keystone database with a shorter token-id. (An alternative is
        to set up keystone to generate uuid tokens.) From the above
        output grab the token expiry value, referred to as "x-y-z"

    mysql -u root
    use keystone;
    update token set id="foo" where expires="x-y-z";

    Thank you,

    Giuseppe




    _______________________________________________

    Mailing list:http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

    Post to     :openstack@lists.openstack.org  
<mailto:openstack@lists.openstack.org>

    Unsubscribe :http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

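The two workarounds discussed in this thread (the 8190-byte Apache header field limit and the MD5-hashed PKI token for X-Auth headers) can be combined into a client-side pre-flight check. This is an added example, not code from Keystone, Barbican or any poster in the thread. The function names are hypothetical, the sample tokens are constructed, and it assumes that PKI tokens begin with "MII" and that the limit applies to the whole "Name: value" line.

```python
import hashlib

# Apache's per-header-field limit quoted in the thread (bytes).
APACHE_FIELD_LIMIT = 8190

# Constructed sample tokens, not real credentials.
PKI_SAMPLE = "MII" + "A" * 9000                  # oversized PKI-style token
UUID_SAMPLE = "0123456789abcdef0123456789abcdef"  # 32-hex UUID-style token


def is_pki_token(token):
    # Assumption: PKI tokens are base64 text of a DER structure, which
    # starts with "MII"; a 32-hex UUID token never does.
    return token.startswith("MII")


def short_token_id(token):
    """MD5 hex digest of a PKI token; any other token is returned unchanged."""
    if is_pki_token(token):
        return hashlib.md5(token.encode("ascii")).hexdigest()
    return token


def header_field_size(name, value):
    # Size of one "Name: value" header field line, without the trailing CRLF.
    # Assumption: the server limit is applied to this whole line.
    return len(f"{name}: {value}".encode("ascii"))


def auth_header(token, limit=APACHE_FIELD_LIMIT):
    """Choose the X-Auth-Token value, hashing only when the raw token is too big."""
    name = "X-Auth-Token"
    if header_field_size(name, token) <= limit:
        return (name, token)
    short = short_token_id(token)
    if header_field_size(name, short) > limit:
        raise ValueError("token does not fit in one header field, even hashed")
    return (name, short)


if __name__ == "__main__":
    for sample in (UUID_SAMPLE, PKI_SAMPLE):
        name, value = auth_header(sample)
        print(f"{len(sample):5d}-char token -> {name}: {value[:32]} ({len(value)} chars)")
```

Whether the receiving service accepts the hashed form depends on its Keystone middleware; the thread only reports that it "seems to work".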