TL;DR
Wanna share my joy: I always want to finish _debugging_ with an awesome one-line fix... this is it.
We're doing multi-regional OpenStack across at least 7 datacenters. PKI tokens are really good for this kind of deployment.
- No token storage required (except non-critical token hashes).
- Token verification without Keystone.
Unfortunately, the con of this approach is that tokens are pretty big, ~8 Kbytes. At least the full catalog is packed into the token. In the end we're using PKIZ (compressed PKI) to decrease the size (backported to Icehouse from Juno).
All worked like a charm... until today, after adding one more region. We noticed that Horizon stopped showing the "Project" tab or any additional tenants for the user. From the CLI everything works perfectly.
Error: Request attribute token must be less than or equal to 8192.
Finally found that we're affected by this bug. While getting the project list, Horizon tries to send the _full_ token instead of its id (md5 hash), which is why the token doesn't fit into 8K.
The simplest workaround (not the solution) was to increase Keystone's "max_token_size". My challenge was not to stop at this easy workaround and to continue digging deeper.
P.S.: My uncompressed token was 8.5K (88 endpoints).
P.P.S.: A large OpenStack community has its benefits: in 80% of cases someone has already plunged into your issue and filed a bug.
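To make the size problem concrete, here is an added sketch (not code from this post, Horizon or Keystone) that grows a constructed catalog and checks the full token, a compressed form and the md5 id against the 8192 limit from the error above. The catalog layout, hostnames and the `fake_pki`/`fake_pkiz` helpers are assumptions: they encode only the JSON body and leave out the CMS signature a real token carries, so real tokens are larger.

```python
import base64
import hashlib
import json
import zlib

MAX_TOKEN_SIZE = 8192  # limit quoted in the Keystone error message


def build_catalog(n_endpoints):
    """Constructed service catalog; regions and hostnames are placeholders."""
    return [{"region": "region-%02d" % (i % 8),
             "type": "service-%02d" % (i // 8),
             "publicURL": "https://api-%02d.example.com:8774/v2" % i,
             "internalURL": "https://int-%02d.example.com:8774/v2" % i,
             "adminURL": "https://adm-%02d.example.com:8774/v2" % i}
            for i in range(n_endpoints)]


def fake_pki(body):
    # Simplified stand-in for a PKI token: base64 of the body, no signature.
    return base64.b64encode(body).decode()


def fake_pkiz(body):
    # Simplified stand-in for PKIZ: prefix + URL-safe base64 of zlib data.
    return "PKIZ_" + base64.urlsafe_b64encode(zlib.compress(body)).decode()


def short_id(token):
    """MD5 hex digest of the token: the short id a client should send."""
    return hashlib.md5(token.encode()).hexdigest()


def fits(value, limit=MAX_TOKEN_SIZE):
    """Same comparison as the 'must be less than or equal to' check."""
    return len(value) <= limit


def report(n_endpoints):
    """Sizes and limit checks for a token carrying n_endpoints endpoints."""
    catalog = build_catalog(n_endpoints)
    body = json.dumps({"token": {"catalog": catalog}}).encode()
    pki, pkiz = fake_pki(body), fake_pkiz(body)
    return {"pki_len": len(pki), "pkiz_len": len(pkiz),
            "pki_fits": fits(pki), "pkiz_fits": fits(pkiz),
            "id_fits": fits(short_id(pki))}


if __name__ == "__main__":
    for n in (8, 44, 88):
        print(n, report(n))
```

The md5 id stays at 32 characters however many regions are added, which is why sending the id instead of the full token sidesteps the limit.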