-rw-r--r--.zuul.yaml6
-rw-r--r--api-ref/source/v3/roles.inc2
-rw-r--r--keystone/locale/zh_CN/LC_MESSAGES/keystone.po18
-rw-r--r--keystone/tests/unit/token/test_fernet_provider.py56
-rw-r--r--keystone/token/token_formatters.py9
-rw-r--r--releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml7
-rw-r--r--releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po96
7 files changed, 181 insertions, 13 deletions
diff --git a/.zuul.yaml b/.zuul.yaml
index 1ccf8741c..ef9782f4c 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -35,10 +35,12 @@
- job:
name: keystone-dsvm-py3-functional-fips
parent: keystone-dsvm-py3-functional
- nodeset: devstack-single-node-centos-8-stream
+ nodeset: devstack-single-node-centos-9-stream
description: |
- Functional testing for a FIPS enabled Centos 8 system
+ Functional testing for a FIPS enabled Centos 9 system
pre-run: playbooks/enable-fips.yaml
+ vars:
+ nslookup_target: 'opendev.org'
- job:
name: keystone-dsvm-functional-federation-opensuse15
diff --git a/api-ref/source/v3/roles.inc b/api-ref/source/v3/roles.inc
index 3073e241d..80092ec82 100644
--- a/api-ref/source/v3/roles.inc
+++ b/api-ref/source/v3/roles.inc
@@ -1002,7 +1002,7 @@ Status Codes
.. rest_status_code:: success status.yaml
- - 201
+ - 204
.. rest_status_code:: error status.yaml
diff --git a/keystone/locale/zh_CN/LC_MESSAGES/keystone.po b/keystone/locale/zh_CN/LC_MESSAGES/keystone.po
index 8c471382f..cb194dc71 100644
--- a/keystone/locale/zh_CN/LC_MESSAGES/keystone.po
+++ b/keystone/locale/zh_CN/LC_MESSAGES/keystone.po
@@ -11,16 +11,18 @@
# 颜海峰 <yanheven@gmail.com>, 2014
# Andreas Jaeger <jaegerandi@gmail.com>, 2016. #zanata
# Eric Lei <1165970798@qq.com>, 2016. #zanata
+# Research and Development Center UnitedStack <dev@unitedstack.com>, 2022. #zanata
msgid ""
msgstr ""
"Project-Id-Version: keystone VERSION\n"
"Report-Msgid-Bugs-To: https://bugs.launchpad.net/openstack-i18n/\n"
-"POT-Creation-Date: 2022-05-20 04:41+0000\n"
+"POT-Creation-Date: 2022-07-01 18:11+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2016-09-28 03:23+0000\n"
-"Last-Translator: Eric Lei <1165970798@qq.com>\n"
+"PO-Revision-Date: 2022-06-14 12:29+0000\n"
+"Last-Translator: Research and Development Center UnitedStack "
+"<dev@unitedstack.com>\n"
"Language: zh_CN\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"Generated-By: Babel 2.0\n"
@@ -729,6 +731,14 @@ msgstr "用户类型 %s 不受支持"
msgid "You are not authorized to perform the requested action."
msgstr "您没有授权完成所请求的操作。"
+msgid ""
+"You cannot change your password at this time due to password policy "
+"disallowing password changes. Please contact your administrator to reset "
+"your password."
+msgstr ""
+"因为密码策略被设置为禁止修改密码,目前您不能更改密码。请联系管理员重置您的密"
+"码。"
+
#, python-format
msgid ""
"You cannot change your password at this time due to the minimum password "
@@ -737,7 +747,7 @@ msgid ""
"contact your administrator to reset your password."
msgstr ""
"没有达到密码最小使用时长,目前您不能更改密码。一旦您修改了密码,在下次可被修"
-"改前该密码必须使用%(min_age_days)d天.请在%(days_left)d天后重试,或者联系管理"
+"改前该密码必须使用%(min_age_days)d天。请在%(days_left)d天后重试,或者联系管理"
"员重置您的密码。"
msgid ""
diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py
index cc2a49d0b..997b5e6f7 100644
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@@ -17,6 +17,8 @@ import os
from unittest import mock
import uuid
+import fixtures
+from oslo_log import log
from oslo_utils import timeutils
from keystone import auth
@@ -26,6 +28,7 @@ from keystone.common import utils
import keystone.conf
from keystone import exception
from keystone.federation import constants as federation_constants
+from keystone.models import token_model
from keystone.tests import unit
from keystone.tests.unit import default_fixtures
from keystone.tests.unit import ksfixtures
@@ -51,6 +54,59 @@ class TestFernetTokenProvider(unit.TestCase):
self.provider.validate_token,
token_id)
+ def test_log_warning_when_token_exceeds_max_token_size_default(self):
+ self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+ token = token_model.TokenModel()
+ token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.expires_at = utils.isotime(
+ provider.default_expire_time(), subsecond=True)
+ token.methods = ['password']
+ token.audit_id = provider.random_urlsafe_str()
+ token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+ expected_output = (
+ f'Fernet token created with length of {len(token_id)} characters, '
+ 'which exceeds 255 characters'
+ )
+ self.assertIn(expected_output, self.logging.output)
+
+ def test_log_warning_when_token_exceeds_max_token_size_override(self):
+ self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+ self.config_fixture.config(max_token_size=250)
+
+ token = token_model.TokenModel()
+ token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.expires_at = utils.isotime(
+ provider.default_expire_time(), subsecond=True)
+ token.methods = ['password']
+ token.audit_id = provider.random_urlsafe_str()
+ token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+ expected_output = (
+ f'Fernet token created with length of {len(token_id)} characters, '
+ 'which exceeds 250 characters'
+ )
+ self.assertIn(expected_output, self.logging.output)
+
+ def test_no_warning_when_token_does_not_exceed_max_token_size(self):
+ self.config_fixture.config(max_token_size=300)
+ self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
+
+ token = token_model.TokenModel()
+ token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
+ token.expires_at = utils.isotime(
+ provider.default_expire_time(), subsecond=True)
+ token.methods = ['password']
+ token.audit_id = provider.random_urlsafe_str()
+ token_id, issued_at = self.provider.generate_id_and_issued_at(token)
+ expected_output = (
+ f'Fernet token created with length of {len(token_id)} characters, '
+ 'which exceeds 255 characters'
+ )
+ self.assertNotIn(expected_output, self.logging.output)
+
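Review bot: The three new tests build the identical TokenModel inline and hard-code the threshold (`255`) that `test_log_warning_when_token_exceeds_max_token_size_default` and `test_no_warning_when_token_does_not_exceed_max_token_size` are supposed to be checking against configuration, so a change to the option's default would pass the first test for the wrong reason and the negative test only proves that a message mentioning 255 is absent while the configured limit is 300. Factor the fixture into a private helper and read the limit from `CONF.max_token_size` (the test module already does `import keystone.conf`; a `CONF = keystone.conf.CONF` binding is presumably available, as in the other tests here — confirm), and make the negative assertion independent of the number, e.g. `self.assertNotIn('Fernet token created with length', self.logging.output)`. It would also be cleaner to set `max_token_size` before installing the FakeLogger in every test, as the third test does, rather than in different orders.
```python
    def _make_oversized_token(self):
        # Non-UUID ids are not packed to 16 bytes, so the payload is long enough
        # to exceed the default [DEFAULT] max_token_size.
        token = token_model.TokenModel()
        token.user_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
        token.project_id = '0123456789abcdef0123456789abcdef0123456789abcdef'
        token.expires_at = utils.isotime(
            provider.default_expire_time(), subsecond=True)
        token.methods = ['password']
        token.audit_id = provider.random_urlsafe_str()
        return token

    def test_log_warning_when_token_exceeds_max_token_size_default(self):
        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
        token_id, _ = self.provider.generate_id_and_issued_at(
            self._make_oversized_token())
        self.assertIn(
            f'Fernet token created with length of {len(token_id)} characters, '
            f'which exceeds {CONF.max_token_size} characters',
            self.logging.output)

    # … unchanged: override test, using the helper and max_token_size=250 …

    def test_no_warning_when_token_does_not_exceed_max_token_size(self):
        self.config_fixture.config(max_token_size=300)
        self.logging = self.useFixture(fixtures.FakeLogger(level=log.INFO))
        self.provider.generate_id_and_issued_at(self._make_oversized_token())
        self.assertNotIn('Fernet token created with length',
                         self.logging.output)
```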
class TestValidate(unit.TestCase):
def setUp(self):
diff --git a/keystone/token/token_formatters.py b/keystone/token/token_formatters.py
index bb407ab09..76220b0ef 100644
--- a/keystone/token/token_formatters.py
+++ b/keystone/token/token_formatters.py
@@ -156,10 +156,11 @@ class TokenFormatter(object):
# characters. Even though Keystone isn't storing a Fernet token
# anywhere, we can't say it isn't being stored somewhere else with
# those kind of backend constraints.
- if len(token) > 255:
- LOG.info('Fernet token created with length of %d '
- 'characters, which exceeds 255 characters',
- len(token))
+ if len(token) > CONF.max_token_size:
+ LOG.info(
+ f'Fernet token created with length of {len(token)} '
+ f'characters, which exceeds {CONF.max_token_size} characters',
+ )
return token
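Review bot: The new `LOG.info(f'...')` call eagerly formats the message and drops the lazy `%`-argument form the removed lines used, which is the convention oslo.log relies on so that arguments are only rendered when the level is enabled; keep the configurable limit but pass it as arguments: `LOG.info('Fernet token created with length of %d characters, which exceeds %d characters', len(token), CONF.max_token_size)`. The accompanying release note (bug 1926483) says keystone "will only log warnings", yet the level here is INFO; either promote this to `LOG.warning(...)` or reword the note so operators grep for the right level. It is good that only the length, never the token itself, reaches the log — please keep it that way if the message is touched again. The enclosing method of `TokenFormatter` starts before this hunk.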
diff --git a/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml b/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml
new file mode 100644
index 000000000..040811b79
--- /dev/null
+++ b/releasenotes/notes/bug-1926483-a77ab887e0e7f5c9.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1926483 <https://bugs.launchpad.net/keystone/+bug/1926483>`_]
+ Keystone will only log warnings about token length for Fernet tokens when
+ the token length exceeds the value of `keystone.conf [DEFAULT]
+ max_token_size`.
diff --git a/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po b/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
index 150a23c39..713bd7089 100644
--- a/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
+++ b/releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po
@@ -1,15 +1,16 @@
# Andi Chandler <andi@gowling.com>, 2017. #zanata
# Andi Chandler <andi@gowling.com>, 2018. #zanata
# Andi Chandler <andi@gowling.com>, 2020. #zanata
+# Andi Chandler <andi@gowling.com>, 2022. #zanata
msgid ""
msgstr ""
"Project-Id-Version: Keystone Release Notes\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-20 04:40+0000\n"
+"POT-Creation-Date: 2022-07-01 18:09+0000\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2020-12-19 01:35+0000\n"
+"PO-Revision-Date: 2022-06-20 11:10+0000\n"
"Last-Translator: Andi Chandler <andi@gowling.com>\n"
"Language-Team: English (United Kingdom)\n"
"Language: en_GB\n"
@@ -81,6 +82,9 @@ msgstr "13.0.2"
msgid "13.0.3"
msgstr "13.0.3"
+msgid "13.0.4-9"
+msgstr "13.0.4-9"
+
msgid "14.0.0"
msgstr "14.0.0"
@@ -93,21 +97,51 @@ msgstr "14.1.0"
msgid "14.2.0"
msgstr "14.2.0"
+msgid "14.2.0-7"
+msgstr "14.2.0-7"
+
msgid "15.0.0"
msgstr "15.0.0"
msgid "15.0.1"
msgstr "15.0.1"
+msgid "15.0.1-9"
+msgstr "15.0.1-9"
+
msgid "16.0.0"
msgstr "16.0.0"
msgid "16.0.1"
msgstr "16.0.1"
+msgid "16.0.2"
+msgstr "16.0.2"
+
msgid "17.0.0"
msgstr "17.0.0"
+msgid "17.0.1"
+msgstr "17.0.1"
+
+msgid "18.0.0"
+msgstr "18.0.0"
+
+msgid "18.1.0"
+msgstr "18.1.0"
+
+msgid "19.0.0"
+msgstr "19.0.0"
+
+msgid "19.0.0-8"
+msgstr "19.0.0-8"
+
+msgid "20.0.0"
+msgstr "20.0.0"
+
+msgid "21.0.0"
+msgstr "21.0.0"
+
msgid "8.0.1"
msgstr "8.0.1"
@@ -291,6 +325,15 @@ msgstr ""
"Certain variables in ``keystone.conf`` now have options, which determine if "
"the user's setting is valid."
+msgid ""
+"Change the min value of pool_retry_max to 1. Setting this value to 0 caused "
+"the pool to fail before connecting to ldap, always raising "
+"MaxConnectionReachedError."
+msgstr ""
+"Change the min value of pool_retry_max to 1. Setting this value to 0 caused "
+"the pool to fail before connecting to ldap, always raising "
+"MaxConnectionReachedError."
+
msgid "Configuring per-Identity Provider WebSSO is now supported."
msgstr "Configuring per-Identity Provider WebSSO is now supported."
@@ -457,6 +500,24 @@ msgstr ""
"this option is set back to `False`."
msgid ""
+"If you are affected by this bug, a fix in the keystone database will be "
+"needed so we recommend to dump the users' tables before doing this process:"
+msgstr ""
+"If you are affected by this bug, a fix in the keystone database will be "
+"needed so we recommend to dump the users' tables before doing this process:"
+
+msgid ""
+"If you are affected by this bug, you must remove stale role assignments "
+"manually. The following is an example SQL statement you can use to fix the "
+"issue, but you should verify it's applicability to your deployment's SQL "
+"implementation and version."
+msgstr ""
+"If you are affected by this bug, you must remove stale role assignments "
+"manually. The following is an example SQL statement you can use to fix the "
+"issue, but you should verify it's applicability to your deployment's SQL "
+"implementation and version."
+
+msgid ""
"In ``keystone-paste.ini``, using ``paste.filter_factory`` is deprecated in "
"favor of the \"use\" directive, specifying an entrypoint."
msgstr ""
@@ -675,6 +736,9 @@ msgstr ""
msgid "Queens Series Release Notes"
msgstr "Queens Series Release Notes"
+msgid "Rocky Series Release Notes"
+msgstr "Rocky Series Release Notes"
+
msgid ""
"Routes and SQL backends for the contrib extensions have been removed, they "
"have been incorporated into keystone and are no longer optional. This "
@@ -766,6 +830,9 @@ msgstr ""
"``validate_token(self, token_ref)``. If using a custom token provider, "
"update the custom provider accordingly."
+msgid "Stein Series Release Notes"
+msgstr "Stein Series Release Notes"
+
msgid ""
"Support for writing to LDAP has been removed. See ``Other Notes`` for more "
"details."
@@ -1392,6 +1459,9 @@ msgstr ""
msgid "Tokens can now be cached when issued."
msgstr "Tokens can now be cached when issued."
+msgid "Train Series Release Notes"
+msgstr "Train Series Release Notes"
+
msgid ""
"UUID token provider ``[token] provider=uuid`` has been deprecated in favor "
"of Fernet tokens ``[token] provider=fernet``. With Fernet tokens becoming "
@@ -1427,6 +1497,15 @@ msgstr ""
"Using the full path to the driver class is deprecated in favour of using the "
"entrypoint. In the Mitaka release, the entrypoint must be used."
+msgid "Ussuri Series Release Notes"
+msgstr "Ussuri Series Release Notes"
+
+msgid "Victoria Series Release Notes"
+msgstr "Victoria Series Release Notes"
+
+msgid "Wallaby Series Release Notes"
+msgstr "Wallaby Series Release Notes"
+
msgid ""
"We have added the ``password_expires_at`` attribute to the user response "
"object."
@@ -1448,6 +1527,12 @@ msgstr ""
"Write support for the LDAP has been removed in favour of read-only support. "
"The following operations are no longer supported for LDAP:"
+msgid "Xena Series Release Notes"
+msgstr "Xena Series Release Notes"
+
+msgid "Yoga Series Release Notes"
+msgstr "Yoga Series Release Notes"
+
msgid ""
"[`Bug 1645487 <https://bugs.launchpad.net/keystone/+bug/1645487>`_] Added a "
"new PCI-DSS feature that will require users to immediately change their "
@@ -1786,6 +1871,13 @@ msgstr "lt - password expires before the timestamp"
msgid "lte - password expires at or before timestamp"
msgstr "lte - password expires at or before timestamp"
+msgid ""
+"mysqldump -h <mysql host> -p -P <mysql port> -u keystone keystone "
+"federated_user local_user user > user_tables.sql"
+msgstr ""
+"mysqldump -h <mysql host> -p -P <mysql port> -u keystone keystone "
+"federated_user local_user user > user_tables.sql"
+
msgid "neq - password expires not at the timestamp"
msgstr "neq - password expires not at the timestamp"