Public bug reported:

It is possible for Keystone to fail to issue tokens when using an external identity backend, like LDAP, if the user IDs are of a different format than UUID. This is because the Fernet token formatter attempts to convert the UUID to bytes before packing the payload. This is done to save space and results in a shorter token.
When using an LDAP backend that doesn't use UUID format for the user IDs, we get a ValueError because the conversion of the ID to UUID.bytes fails whenever the ID isn't a UUID [0]. We have to do something similar with the default domain in the case that it's not a UUID, same with federated user IDs [1], which we should probably do in this case. Related stacktrace [2].

[0] https://github.com/openstack/keystone/blob/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L415
[1] https://github.com/openstack/keystone/blob/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L509
[2] http://lists.openstack.org/pipermail/openstack/2015-May/012885.html

** Affects: keystone
   Importance: High
   Assignee: Lance Bragstad (lbragstad)
   Status: In Progress

** Tags: fernet

** Tags added: fernet

** Changed in: keystone
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1459382

Title:
  Fernet tokens can fail with LDAP identity backends

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1459382/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
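The following Python example is an editorial addition to this thread; it is not part of the bug report and not Keystone's own code. It models the behaviour the report describes: the strict UUID-to-bytes conversion that raises ValueError for an LDAP-style user ID, and the tolerant fallback the report proposes (keep the original string, as is already done for the default domain and federated user IDs), packed together with a flag so that token validation can reverse it. The function names, the payload layout and the sample IDs are my own assumptions, and the round-trip check in the tolerant variant is an extra guard I added so that an ID that merely looks like a UUID (e.g. uppercase hex) is not silently normalised by the trip through uuid.UUID.

```python
import uuid

# Constructed sample IDs (not taken from the bug report): a 32-hex-char ID of
# the kind the SQL identity backend issues, and a non-UUID ID of the kind an
# LDAP backend returns when a directory attribute is used as the user ID.
UUID_USER_ID = "3d9d5cc9a0a24a5fa5a6c5a3a1b2c3d4"
LDAP_USER_ID = "cn=alice,ou=users,dc=example,dc=com"


def convert_uuid_hex_to_bytes(value):
    """Strict conversion as described in the report: 32 hex chars -> 16 bytes.

    Raises ValueError for anything uuid.UUID() cannot parse, which is the
    failure mode with LDAP identity backends.
    """
    return uuid.UUID(value).bytes


def convert_uuid_bytes_to_hex(value):
    """Inverse of convert_uuid_hex_to_bytes (16 bytes -> 32 lowercase hex)."""
    return uuid.UUID(bytes=value).hex


def attempt_convert_uuid_hex_to_bytes(value):
    """Tolerant variant (hypothetical name), modelled on the fallback the report
    says is already used for the default domain and federated user IDs.

    Returns (is_uuid, packed): 16 raw bytes when the ID is a canonical UUID hex
    string, otherwise the untouched string. The flag travels inside the
    Fernet payload, so it is covered by the token's encryption and MAC.
    """
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        # Not a UUID at all (typical LDAP DN or username): keep the string.
        return False, value
    if parsed.hex != value:
        # Parses, but would not survive the round trip unchanged (uppercase,
        # hyphenated, braces...). Treating it as a UUID would rewrite the ID
        # the backend knows the user by, so keep the string instead.
        return False, value
    return True, parsed.bytes


def disassemble_user_id(is_uuid, packed):
    """Reverse attempt_convert_uuid_hex_to_bytes when validating a token."""
    if is_uuid:
        return convert_uuid_bytes_to_hex(packed)
    return packed


def build_payload(user_id, expires_at):
    """Assemble a minimal unscoped-style payload (hypothetical layout):
    (user_id_is_uuid, user_id, expires_at). A real formatter would msgpack
    this and hand it to Fernet; that step is omitted here."""
    is_uuid, packed = attempt_convert_uuid_hex_to_bytes(user_id)
    return (is_uuid, packed, expires_at)


def parse_payload(payload):
    """Inverse of build_payload: recover the original user ID and expiry."""
    is_uuid, packed, expires_at = payload
    return disassemble_user_id(is_uuid, packed), expires_at


def strict_conversion_fails(value):
    """True if the strict formatter path would raise for this ID."""
    try:
        convert_uuid_hex_to_bytes(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for user_id in (UUID_USER_ID, LDAP_USER_ID):
        payload = build_payload(user_id, 1432000000)
        print(user_id, "-> strict fails:", strict_conversion_fails(user_id),
              "| packed:", payload, "| round trip:", parse_payload(payload))
```

The packed form is 16 bytes for a UUID-style ID and the full string otherwise, so tokens issued for LDAP users will be longer than tokens for SQL users; that is the space trade-off the report mentions, not a correctness problem. The flag lives inside the Fernet payload, so a client cannot flip it to make the validator reinterpret the ID.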