Fix Error 400 Header Line Too Long

Fix Error 400 Header Line Too Long when using Identity v3 PKI Tokens

Uses swift.conf max_header_size option to set wsgi.MAX_HEADER_LINE,
allowing the operator to customize this parameter.

The default value has been let to 8192 to avoid unexpected
configuration change on deployed platforms. The max_header_size option
has to be increased (for example to 16384), to accomodate for large
Identity v3 PKI tokens, including more than 7 catalog entries.

The default max header line size of 8192 is exceeded in the following
scenario:
- Auth tokens generated by Keystone v3 API include the catalog.
- Keystone's catalog contains more than 7 services.

Similar fixes have been merged in other projects.

Change-Id: Ia838b18331f57dfd02b9f71d4523d4059f38e600
Closes-Bug: 1190149

doc/source/deployment_guide.rst

@@ -304,7 +304,27 @@ The main rule to remember when working with Swift configuration files is:
     using the ``set`` syntax or you'll probably mess up your non-paste.deploy
     configuration files.
 
+--------------------
+Common configuration
+--------------------
 
+An example of common configuration file can be found at etc/swift.conf-sample
+
+The following configuration options are available:
+
+===================  ==========  =============================================
+Option               Default     Description
+-------------------  ----------  ---------------------------------------------
+max_header_size      8192        max_header_size is the max number of bytes in
+                                 the utf8 encoding of each header. Using 8192
+                                 as default because eventlet use 8192 as max
+                                 size of header line. This value may need to
+                                 be increased when using identity v3 API
+                                 tokens including more than 7 catalog entries.
+                                 See also include_service_catalog in
+                                 proxy-server.conf-sample (documented in
+                                 overview_auth.rst)
+===================  ==========  =============================================
 
 ---------------------------
 Object Server Configuration

etc/swift.conf-sample

@@ -47,11 +47,12 @@ swift_hash_path_prefix = changeme
 
 #max_meta_overall_size = 4096
 
-
 # max_header_size is the max number of bytes in the utf8 encoding of each
-# header. Using 8192 as default becasue eventlet use 8192 as max size of
+# header. Using 8192 as default because eventlet use 8192 as max size of
-# header line and the longest header passed from Keystone(PKI token) uses
+# header line. This value may need to be increased when using identity
-# 8192 as default too.
+# v3 API tokens including more than 7 catalog entries.
+# See also include_service_catalog in proxy-server.conf-sample
+# (documented in overview_auth.rst)
 
 #max_header_size = 8192
 

swift/common/wsgi.py

@@ -31,13 +31,16 @@ from paste.deploy import loadwsgi
 from eventlet.green import socket, ssl
 from urllib import unquote
 
-from swift.common import utils
+from swift.common import utils, constraints
 from swift.common.swob import Request
 from swift.common.utils import capture_stdio, disable_fallocate, \
     drop_privileges, get_logger, NullLogger, config_true_value, \
     validate_configuration, get_hub, config_auto_int_value, \
     CloseableChain
 
+# Set maximum line size of message headers to be accepted.
+wsgi.MAX_HEADER_LINE = constraints.MAX_HEADER_SIZE
+
 try:
     import multiprocessing
     CPU_COUNT = multiprocessing.cpu_count() or 1