Invalid SQL Identity Assertion - Load Config from Database
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Henry Nash |
Bug Description
I have a default domain pointing to LDAP and ServiceDomain pointing to SQL identity backend. This kind of configuration is supported with enabling domain specific drivers. While upgrading to Kilo to leverage domain config from database capability, the same configuration is not supported.
$ openstack user list --domain 5681226a68de4f7
ERROR: openstack Invalid domain specific configuration: Domain specific sql drivers are not supported via the Identity API. One is specified in /domains/
Notice the same domain ID in request and error message.
In identity/core.py:
def _load_config_
def _assert_
Due to multi-threading safety concerns, we do not currently support
the setting of a specific identity driver to sql via the Identity
API.
"""
if new_config[
_assert_
description: | updated |
tags: | added: kilo-backport-potential |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in keystone: | |
milestone: | none → liberty-rc1 |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | liberty-rc1 → 8.0.0 |
There was actually an error in the logic for enforcing per-domain SQL drivers in the previous releases which was corrected in Kilo allowing more than one SQL driver to be loaded.
(1) Most commonly the base Identity driver is sql:
[identity] keystone. identity. backends. sql.Identity
driver=
(2) And then the deployer would specify an LDAP per-domain backend for <domain>, which might be the default domain.
(3) The deployer would then supply another per-domain backend that re-specified SQL as the driver for that domain.
The issue lies in the order the configurations were loaded. Unfortunately, there are a number of edge cases that were addressed by not allowing multiple SQL drivers, notably that you run into issues with different SQL connection strings.
--------
Does the above describe your deployment? If so, it is highly recommended that the second SQL-backed domain is merged into the main SQL backend, since the secondary backend is not really needed (it is only needed for LDAP + SQL or Multiple LDAP backends).
As a point, please keep in mind domain configs in the DB are highly experimental and subject to change over the next cycle (due to issues as they are found)