Fix Error 400 Header Line Too Long

Fix Error 400 Header Line Too Long when using Identity v3 PKI Tokens Uses swift.conf max_header_size option to set wsgi.MAX_HEADER_LINE, allowing the operator to customize this parameter. The default value has been let to 8192 to avoid unexpected configuration change on deployed platforms. The max_header_size option has to be increased (for example to 16384), to accomodate for large Identity v3 PKI tokens, including more than 7 catalog entries. The default max header line size of 8192 is exceeded in the following scenario: - Auth tokens generated by Keystone v3 API include the catalog. - Keystone's catalog contains more than 7 services. Similar fixes have been merged in other projects. Change-Id: Ia838b18331f57dfd02b9f71d4523d4059f38e600 Closes-Bug: 1190149
2014-01-14 15:58:38 +00:00 · 2014-01-14 15:58:38 +00:00 · 865243c167
parent d698c21ab3
commit 865243c167
3 changed files with 29 additions and 5 deletions
--- a/doc/source/deployment_guide.rst
+++ b/doc/source/deployment_guide.rst
@ -304,7 +304,27 @@ The main rule to remember when working with Swift configuration files is:
    using the ``set`` syntax or you'll probably mess up your non-paste.deploy
    configuration files.

+--------------------
+Common configuration
+--------------------

+An example of common configuration file can be found at etc/swift.conf-sample
+
+The following configuration options are available:
+
+===================  ==========  =============================================
+Option               Default     Description
+-------------------  ----------  ---------------------------------------------
+max_header_size      8192        max_header_size is the max number of bytes in
+                                 the utf8 encoding of each header. Using 8192
+                                 as default because eventlet use 8192 as max
+                                 size of header line. This value may need to
+                                 be increased when using identity v3 API
+                                 tokens including more than 7 catalog entries.
+                                 See also include_service_catalog in
+                                 proxy-server.conf-sample (documented in
+                                 overview_auth.rst)
+===================  ==========  =============================================

 ---------------------------
 Object Server Configuration
--- a/etc/swift.conf-sample
+++ b/etc/swift.conf-sample
@ -47,11 +47,12 @@ swift_hash_path_prefix = changeme

 #max_meta_overall_size = 4096

-
 # max_header_size is the max number of bytes in the utf8 encoding of each
-# header. Using 8192 as default becasue eventlet use 8192 as max size of
-# header line and the longest header passed from Keystone(PKI token) uses
-# 8192 as default too.
+# header. Using 8192 as default because eventlet use 8192 as max size of
+# header line. This value may need to be increased when using identity
+# v3 API tokens including more than 7 catalog entries.
+# See also include_service_catalog in proxy-server.conf-sample
+# (documented in overview_auth.rst)

 #max_header_size = 8192

--- a/swift/common/wsgi.py
+++ b/swift/common/wsgi.py
@ -31,13 +31,16 @@ from paste.deploy import loadwsgi
 from eventlet.green import socket, ssl
 from urllib import unquote

-from swift.common import utils
+from swift.common import utils, constraints
 from swift.common.swob import Request
 from swift.common.utils import capture_stdio, disable_fallocate, \
    drop_privileges, get_logger, NullLogger, config_true_value, \
    validate_configuration, get_hub, config_auto_int_value, \
    CloseableChain

+# Set maximum line size of message headers to be accepted.
+wsgi.MAX_HEADER_LINE = constraints.MAX_HEADER_SIZE
+
 try:
    import multiprocessing
    CPU_COUNT = multiprocessing.cpu_count() or 1