OpenStack Identity (keystone)

When using per-domain-identity backend, user_ids could collide

Bug #1226171 reported by Morgan Fainberg on 2013-09-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Medium	Morgan Fainberg	OpenStack Compute (nova) 2014.2 "juno"
	OpenStack Identity (keystone)	Fix Released	Wishlist	Henry Nash	OpenStack Identity (keystone) 2014.2 "juno"

Bug Description

When using the per-domain-identity backend usernames could end up colliding when multiple LDAP backends are used since we extract very limited information from the DN.

Example

cn=example user, dc=example1,dc=com
cn=example user, dc=example2,dc=com

Would net the same "user_id" of "example user"

This can also affect groups in the same manner.

See original description

Tags:

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2013-09-16:

This requires increasing the storage in the assignment backend (SQL) for the user_id followed by changing the way we calculate the user_id from DN.

Changed in keystone:
assignee:	nobody → Morgan Fainberg (mdrnstm)
importance:	Undecided → Medium
description:	updated

Dolph Mathews (dolph) on 2013-09-16

Changed in keystone:
status:	New → Triaged

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-02-05:

Unassigning due to inactivity.

Changed in keystone:
assignee:	Morgan Fainberg (mdrnstm) → nobody

Dolph Mathews (dolph) on 2014-02-11

Changed in keystone:
assignee:	nobody → Henry Nash (henry-nash)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-02-18: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/74214

Changed in keystone:
status:	Triaged → In Progress

Henry Nash (henry-nash) on 2014-02-18

Changed in keystone:
milestone:	none → icehouse-3

Henry Nash (henry-nash) on 2014-02-25

Changed in keystone:
importance:	Medium → High

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-03-02:

Fix to nova's Schema to not mis-match keystone's maximum user_id length: https://review.openstack.org/#/c/77450/

Dolph Mathews (dolph) on 2014-03-04

Changed in keystone:
milestone:	icehouse-3 → next

Russell Bryant (russellb) on 2014-03-31

tags:

added: icehouse-rc-potential

Dolph Mathews (dolph) on 2014-04-01

Changed in nova:
status:	New → In Progress

Thierry Carrez (ttx) on 2014-04-01

tags:

removed: icehouse-rc-potential

Andrew Laski (alaski) on 2014-04-02

Changed in nova:
assignee:	nobody → Morgan Fainberg (mdrnstm)
importance:	Undecided → Medium

Dolph Mathews (dolph) on 2014-04-04

tags:

added: ldap

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-04-11: Fix merged to nova (master)

Reviewed: https://review.openstack.org/77450
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=dbdb938fc08452ea80379652ee101b6ebe006e3f
Submitter: Jenkins
Branch: master

commit dbdb938fc08452ea80379652ee101b6ebe006e3f
Author: Morgan Fainberg <email address hidden>
Date: Sun Mar 2 13:43:47 2014 -0800

Update user_id length to match Keystone schema in volume_usage_cache

    Update the maximum length to match the Keystone schema for maximum
    user_id length in volume_usage_cache. In the case that Keystone were
    to leverage the full varchar 64, there would potentially be data loss
    and/or collision of user_ids across records.

This change originates from the conversation about increasing the
length of user_ids in Keystone:

http://lists.openstack.org/pipermail/openstack-dev/2014-February/028125.html

Even with the length not changing, it is important to ensure there is no
loss of data/resolution when relying on user_id to identify users uniquely.

Closes-Bug: #1226171
Change-Id: I05a5644a29d6e2432311c2ee5331970d5e8b0683

Changed in nova:
status:	In Progress → Fix Committed

OpenStack Infra (hudson-openstack) on 2014-05-20

Changed in keystone:
assignee:	Henry Nash (henry-nash) → Adam Young (ayoung)

Dolph Mathews (dolph) on 2014-05-22

Changed in keystone:
milestone:	next → juno-1

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-06-11:

Moved to wishlist since we haven't merged a working per-domain-identity backend implementation yet.

Changed in keystone:
importance:	High → Wishlist
milestone:	juno-1 → juno-3
milestone:	juno-3 → juno-2

Thierry Carrez (ttx) on 2014-06-11

Changed in nova:
milestone:	none → juno-1
status:	Fix Committed → Fix Released

Revision history for this message

Dolph Mathews (dolph) wrote on 2014-07-22:

Fixed in commit 1a50986e7c122afdc14d40aebb0c852b71bd99e1

https://review.openstack.org/#/c/74214/

Changed in keystone:
assignee:	Adam Young (ayoung) → Henry Nash (henry-nash)
status:	In Progress → Fix Committed

Russell Bryant (russellb) on 2014-07-24

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in keystone:
milestone:	juno-2 → 2014.2

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-1 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.