When using per-domain-identity backend, user_ids could collide

Bug #1226171 reported by Morgan Fainberg
Affects                        | Status       | Importance | Assigned to      | Milestone
OpenStack Compute (nova)       | Fix Released | Medium     | Morgan Fainberg  |
OpenStack Identity (keystone)  | Fix Released | Wishlist   | Henry Nash       |

Bug Description

When using the per-domain-identity backend, usernames could end up colliding when multiple LDAP backends are used, since we extract very limited information from the DN.

Example

cn=example user, dc=example1,dc=com
cn=example user, dc=example2,dc=com

Would net the same "user_id" of "example user".

This can also affect groups in the same manner.

Tags: ldap
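To make the collision in the description concrete, here is an added Python example (not keystone's or nova's own code) that derives user_ids the naive way from the two DNs above, detects the clash across two constructed per-domain backends, and then shows one assumed remedy: a public id derived from domain id plus local id, hashed so it stays within a 64-character column.

```python
import hashlib

# Constructed sample: two per-domain LDAP backends that each return an
# entry with the same CN. The domain ids are assumed names, not keystone's.
LDAP_ENTRIES = [
    ("domain_a", "cn=example user, dc=example1,dc=com"),
    ("domain_b", "cn=example user, dc=example2,dc=com"),
]


def rdn_value(dn):
    """Return the value of the first RDN, e.g. 'example user' from
    'cn=example user,dc=example1,dc=com'. Simplified: ignores escaped
    commas, which a full RFC 4514 parser would have to handle."""
    first = dn.split(",", 1)[0]
    _attr, _sep, value = first.partition("=")
    return value.strip()


def naive_user_id(domain_id, dn):
    """Buggy behaviour described in the report: only the CN is kept,
    so the domain (and the rest of the DN) is thrown away."""
    return rdn_value(dn)


def scoped_user_id(domain_id, dn, length=64):
    """Assumed remedy (not necessarily the merged one): derive the public
    id from (domain_id, local_id). SHA-256 hex is exactly 64 characters,
    so it fits a varchar(64) user_id column without truncation."""
    local_id = rdn_value(dn)
    digest = hashlib.sha256(f"{domain_id}:{local_id}".encode("utf-8"))
    return digest.hexdigest()[:length]


def find_collisions(id_func):
    """Return a list of (user_id, first_entry, second_entry) for every
    distinct LDAP entry that maps onto an id already taken."""
    seen = {}
    collisions = []
    for domain_id, dn in LDAP_ENTRIES:
        uid = id_func(domain_id, dn)
        if uid in seen and seen[uid] != (domain_id, dn):
            collisions.append((uid, seen[uid], (domain_id, dn)))
        seen.setdefault(uid, (domain_id, dn))
    return collisions
```

`find_collisions(naive_user_id)` reports the two entries sharing "example user"; `find_collisions(scoped_user_id)` returns an empty list because the domain id is folded into the identifier.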
Morgan Fainberg (mdrnstm) wrote :

This requires increasing the storage in the assignment backend (SQL) for the user_id followed by changing the way we calculate the user_id from DN.

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
importance: Undecided → Medium
description: updated
Dolph Mathews (dolph)
Changed in keystone:
status: New → Triaged
Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → nobody
Dolph Mathews (dolph)
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/74214

Changed in keystone:
status: Triaged → In Progress
Henry Nash (henry-nash)
Changed in keystone:
milestone: none → icehouse-3
Henry Nash (henry-nash)
Changed in keystone:
importance: Medium → High
Morgan Fainberg (mdrnstm) wrote :

Fix to nova's schema to not mismatch keystone's maximum user_id length: https://review.openstack.org/#/c/77450/

Dolph Mathews (dolph)
Changed in keystone:
milestone: icehouse-3 → next
tags: added: icehouse-rc-potential
Dolph Mathews (dolph)
Changed in nova:
status: New → In Progress
Thierry Carrez (ttx)
tags: removed: icehouse-rc-potential
Andrew Laski (alaski)
Changed in nova:
assignee: nobody → Morgan Fainberg (mdrnstm)
importance: Undecided → Medium
Dolph Mathews (dolph)
tags: added: ldap
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/77450
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=dbdb938fc08452ea80379652ee101b6ebe006e3f
Submitter: Jenkins
Branch: master

commit dbdb938fc08452ea80379652ee101b6ebe006e3f
Author: Morgan Fainberg <email address hidden>
Date: Sun Mar 2 13:43:47 2014 -0800

    Update user_id length to match Keystone schema in volume_usage_cache

    Update the maximum length to match the Keystone schema for maximum
    user_id length in volume_usage_cache. In the case that Keystone were
    to leverage the full varchar 64, there would potentially be data loss
    and/or collision of user_ids across records.

    This change originates from the conversation about increasing the
    length of user_ids in Keystone:

    http://lists.openstack.org/pipermail/openstack-dev/2014-February/028125.html

    Even with the length not changing, it is important to ensure there is no
    loss of data/resolution when relying on user_id to identify users uniquely.

    Closes-Bug: #1226171
    Change-Id: I05a5644a29d6e2432311c2ee5331970d5e8b0683

Changed in nova:
status: In Progress → Fix Committed
Changed in keystone:
assignee: Henry Nash (henry-nash) → Adam Young (ayoung)
Dolph Mathews (dolph)
Changed in keystone:
milestone: next → juno-1
Dolph Mathews (dolph) wrote :

Moved to wishlist since we haven't merged a working per-domain-identity backend implementation yet.

Changed in keystone:
importance: High → Wishlist
milestone: juno-1 → juno-3
milestone: juno-3 → juno-2
Thierry Carrez (ttx)
Changed in nova:
milestone: none → juno-1
status: Fix Committed → Fix Released
Dolph Mathews (dolph) wrote :

Fixed in commit 1a50986e7c122afdc14d40aebb0c852b71bd99e1

https://review.openstack.org/#/c/74214/

Changed in keystone:
assignee: Adam Young (ayoung) → Henry Nash (henry-nash)
status: In Progress → Fix Committed
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-1 → 2014.2