Browse Source

Fix Error 400 Header Line Too Long

Fix Error 400 Header Line Too Long when using Identity v3 PKI Tokens

Uses swift.conf max_header_size option to set wsgi.MAX_HEADER_LINE,
allowing the operator to customize this parameter.

The default value has been let to 8192 to avoid unexpected
configuration change on deployed platforms. The max_header_size option
has to be increased (for example to 16384), to accomodate for large
Identity v3 PKI tokens, including more than 7 catalog entries.

The default max header line size of 8192 is exceeded in the following
scenario:
- Auth tokens generated by Keystone v3 API include the catalog.
- Keystone's catalog contains more than 7 services.

Similar fixes have been merged in other projects.

Change-Id: Ia838b18331f57dfd02b9f71d4523d4059f38e600
Closes-Bug: 1190149
Florent Flament 5 years ago
parent
commit
865243c167
3 changed files with 29 additions and 5 deletions
  1. 20
    0
      doc/source/deployment_guide.rst
  2. 5
    4
      etc/swift.conf-sample
  3. 4
    1
      swift/common/wsgi.py

+ 20
- 0
doc/source/deployment_guide.rst View File

@@ -304,7 +304,27 @@ The main rule to remember when working with Swift configuration files is:
304 304
     using the ``set`` syntax or you'll probably mess up your non-paste.deploy
305 305
     configuration files.
306 306
 
307
+--------------------
308
+Common configuration
309
+--------------------
307 310
 
311
+An example of common configuration file can be found at etc/swift.conf-sample
312
+
313
+The following configuration options are available:
314
+
315
+===================  ==========  =============================================
316
+Option               Default     Description
317
+-------------------  ----------  ---------------------------------------------
318
+max_header_size      8192        max_header_size is the max number of bytes in
319
+                                 the utf8 encoding of each header. Using 8192
320
+                                 as default because eventlet use 8192 as max
321
+                                 size of header line. This value may need to
322
+                                 be increased when using identity v3 API
323
+                                 tokens including more than 7 catalog entries.
324
+                                 See also include_service_catalog in
325
+                                 proxy-server.conf-sample (documented in
326
+                                 overview_auth.rst)
327
+===================  ==========  =============================================
308 328
 
309 329
 ---------------------------
310 330
 Object Server Configuration

+ 5
- 4
etc/swift.conf-sample View File

@@ -47,11 +47,12 @@ swift_hash_path_prefix = changeme
47 47
 
48 48
 #max_meta_overall_size = 4096
49 49
 
50
-
51 50
 # max_header_size is the max number of bytes in the utf8 encoding of each
52
-# header. Using 8192 as default becasue eventlet use 8192 as max size of
53
-# header line and the longest header passed from Keystone(PKI token) uses
54
-# 8192 as default too.
51
+# header. Using 8192 as default because eventlet use 8192 as max size of
52
+# header line. This value may need to be increased when using identity
53
+# v3 API tokens including more than 7 catalog entries.
54
+# See also include_service_catalog in proxy-server.conf-sample
55
+# (documented in overview_auth.rst)
55 56
 
56 57
 #max_header_size = 8192
57 58
 

+ 4
- 1
swift/common/wsgi.py View File

@@ -31,13 +31,16 @@ from paste.deploy import loadwsgi
31 31
 from eventlet.green import socket, ssl
32 32
 from urllib import unquote
33 33
 
34
-from swift.common import utils
34
+from swift.common import utils, constraints
35 35
 from swift.common.swob import Request
36 36
 from swift.common.utils import capture_stdio, disable_fallocate, \
37 37
     drop_privileges, get_logger, NullLogger, config_true_value, \
38 38
     validate_configuration, get_hub, config_auto_int_value, \
39 39
     CloseableChain
40 40
 
41
+# Set maximum line size of message headers to be accepted.
42
+wsgi.MAX_HEADER_LINE = constraints.MAX_HEADER_SIZE
43
+
41 44
 try:
42 45
     import multiprocessing
43 46
     CPU_COUNT = multiprocessing.cpu_count() or 1

Loading…
Cancel
Save