Failure on list users when using ldap domain configuration from database

Bug #1461299 reported by Roxana Gherle
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Roxana Gherle |
Kilo | Fix Released | Medium | Roxana Gherle |
oslo.config | Fix Released | Undecided | Roxana Gherle |

Bug Description

When having a setup with domain_specific_drivers_enabled set to true, and a domain configured with ldap backend and configurations stored in the database, the keystone user list API fails with the following error:

openstack user list --domain domainX
ERROR: openstack An unexpected error prevented the server from fulfilling your request: Message objects do not support str() because they may contain non-ascii characters. Please use unicode() or translate() instead. (Disable debug mode to suppress these details.) (HTTP 500)

Changed in keystone:
assignee: nobody → Roxana Gherle (roxana-gherle)
Henry Nash (henry-nash) wrote :

Sorry you are having problems - is it possible to get a keystone debug log for the error?

Roxana Gherle (roxana-gherle) wrote :

Here's the log:

2015-06-03 18:16:53.777205 26007 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /opt/stack/keystone/keystone/middleware/core.py:230
2015-06-03 18:16:53.778059 26007 INFO keystone.common.wsgi [-] GET /
2015-06-03 18:16:53.781840 26006 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /opt/stack/keystone/keystone/middleware/core.py:230
2015-06-03 18:16:53.828969 26006 INFO keystone.common.wsgi [-] POST /auth/tokens
2015-06-03 18:16:53.847859 26006 DEBUG oslo_db.sqlalchemy.session [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _check_effective_sql_mode /usr/local/lib/python2.7/dist-packages/oslo_db/sqlalchemy/session.py:514
2015-06-03 18:16:53.912490 26006 DEBUG passlib.registry [-] registered 'sha512_crypt' handler: <class 'passlib.handlers.sha2_crypt.sha512_crypt'> register_crypt_handler /usr/local/lib/python2.7/dist-packages/passlib/registry.py:282
2015-06-03 18:16:54.072710 26008 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /opt/stack/keystone/keystone/middleware/core.py:230
2015-06-03 18:16:54.074689 26008 INFO keystone.common.wsgi [-] POST /auth/tokens
2015-06-03 18:16:54.120605 26008 DEBUG passlib.registry [-] registered 'sha512_crypt' handler: <class 'passlib.handlers.sha2_crypt.sha512_crypt'> register_crypt_handler /usr/local/lib/python2.7/dist-packages/passlib/registry.py:282
2015-06-03 18:16:54.262197 26009 INFO keystone.common.wsgi [-] GET /
2015-06-03 18:16:54.272568 26005 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'eb6d1f18dfa14e1bac45ea0108999f78', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=k2wtM9aFQoSbFG5EQs5iPw, audit_chain_id=k2wtM9aFQoSbFG5EQs5iPw) at 0x7f66898ffe30>, 'project_id': u'86a3649b12554a3789d73e245c0e7de9', 'trust_id': None} process_request /opt/stack/keystone/keystone/middleware/core.py:240
2015-06-03 18:16:54.275613 26005 INFO keystone.common.wsgi [-] GET /domains/domainRox1
2015-06-03 18:16:54.276942 26005 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:get_domain(domain_id=domainRox1) _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:57
2015-06-03 18:16:54.277285 26005 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:62
2015-06-03 18:16:54.279815 26005 WARNING keystone.common.wsgi [-] Could not find domain: domainRox1
2015-06-03 18:16:54.290867 26006 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'eb6d1f18dfa14e1bac45ea0108999f78', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=k2wtM9aFQoSbFG5EQs5iPw, ...

Roxana Gherle (roxana-gherle) wrote :

Sorry for the long output..

Dolph Mathews (dolph) wrote :

Is this in Python 2.7 or 3.4?

Roxana Gherle (roxana-gherle) wrote :

Python 2.7

Dolph Mathews (dolph)
tags: added: kilo-backport-potential
affects: keystone → oslo.config
Roxana Gherle (roxana-gherle) wrote :

The fix will be in oslo_config.
The problem is that the ldap configuration options which are loaded from the database are setting an 'override' attribute of the option object, and when we retrieve all these config options they are all coming as string (unicode) type because the code in oslo_config does not convert the 'override' values to the specific type of the config option.

In this case, when we were using ldap configuration use_tls = False -> the type of the use_tls option was String instead of a boolean value - therefore the code was failing because of the wrong evaluation of the string type. This problem can appear with any other ldap config option loaded from the database that should be a boolean value.

Changed in oslo.config:
status: New → In Progress
Changed in keystone:
assignee: nobody → Roxana Gherle (roxana-gherle)
Changed in oslo.config:
assignee: Roxana Gherle (roxana-gherle) → Guang Yee (guang-yee)
Changed in oslo.config:
assignee: Guang Yee (guang-yee) → Roxana Gherle (roxana-gherle)
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.config (master)

Reviewed: https://review.openstack.org/195355
Committed: https://git.openstack.org/cgit/openstack/oslo.config/commit/?id=67c3abb048402e4910f18386091a4ccf68448dcf
Submitter: Jenkins
Branch: master

commit 67c3abb048402e4910f18386091a4ccf68448dcf
Author: Roxana Gherle <email address hidden>
Date: Wed Jun 24 16:10:37 2015 -0700

    Add enforce_type option when setting an override

    The 'override' value of an option is currently stored and retrieved
    with the exact value that is set through set_override method - not
    taking into account the type of that option. Sometimes we want the type
    of the override value to be the same as the option type and therefore
    we will add an optional parameter to the set_override method that will
    enforce the option value type.

    Closes-Bug: #1461299
    Change-Id: I008b76d3292f76d0699f0063930a3b190539740f
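
The failure mode described in the comment and commit message above, as an added example that is not part of the bug thread and is not oslo.config or keystone code. It is a simplified option registry (TypedOpts, to_bool, load_domain_config and connection_mode are hypothetical names, DB_ROWS is constructed sample data) showing that a database-sourced "False" override is truthy until set_override converts it to the option's type.

```python
# Added illustration: a simplified typed-option registry, not oslo.config's code.
# All names here (TypedOpts, to_bool, DB_ROWS, connection_mode) are hypothetical.

TRUE_STRINGS = {"true", "1", "on", "yes"}
FALSE_STRINGS = {"false", "0", "off", "no"}


def to_bool(value):
    """Convert a stored value to bool; refuse anything ambiguous."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("not a boolean: %r" % (value,))


class TypedOpts(object):
    def __init__(self, converters):
        self._converters = dict(converters)
        self._overrides = {}

    def set_override(self, name, value, enforce_type=False):
        # Without enforce_type the raw value is stored untouched (the bug).
        if enforce_type:
            value = self._converters[name](value)
        self._overrides[name] = value

    def get(self, name):
        return self._overrides[name]


# Constructed sample: the database returns every option value as text.
DB_ROWS = {"use_tls": "False", "page_size": "0"}


def load_domain_config(rows, enforce_type):
    opts = TypedOpts({"use_tls": to_bool, "page_size": int})
    for name, value in rows.items():
        opts.set_override(name, value, enforce_type=enforce_type)
    return opts


def connection_mode(opts):
    """Branch on the option the way a driver would."""
    return "tls" if opts.get("use_tls") else "plain"
```

Rejecting unrecognised spellings in to_bool, rather than falling back to a default, keeps a mistyped use_tls value from silently selecting either mode.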

Changed in oslo.config:
status: In Progress → Fix Committed
Changed in oslo.config:
milestone: none → 2.1.0
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/206224

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Roxana Gherle (<email address hidden>) on branch: master
Review: https://review.openstack.org/206224
Reason: This was not the correct project to upload the change to.

description: updated
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/212816

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/212816
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=781e78b41b7b31ca152926bf6b60cb21f105e7a5
Submitter: Jenkins
Branch: master

commit 781e78b41b7b31ca152926bf6b60cb21f105e7a5
Author: Roxana Gherle <email address hidden>
Date: Thu Aug 13 11:09:40 2015 -0700

    Maintain datatypes when loading configs from DB

    When loading domain configuration from database we are changing
    the actual data type of the configuration to unicode string. We
    want to preserve the type of the configuration value because
    otherwise we have problems later in the code when for example a
    'bool' configuration value like 'use_tls' is evaluated incorrectly
    because its type is unicode instead of bool.

    Closes-Bug: #1461299
    Change-Id: I54f5bd19910528b18c428bb3702c8cd4db3cc801

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
tags: removed: kilo-backport-potential
Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.config (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/214385

OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.config (stable/kilo)

Reviewed: https://review.openstack.org/214385
Committed: https://git.openstack.org/cgit/openstack/oslo.config/commit/?id=90fbc249dcec55dff29ba84c51783a56e2f07960
Submitter: Jenkins
Branch: stable/kilo

commit 90fbc249dcec55dff29ba84c51783a56e2f07960
Author: Roxana Gherle <email address hidden>
Date: Wed Jun 24 16:10:37 2015 -0700

    Add enforce_type option when setting an override

    The 'override' value of an option is currently stored and retrieved
    with the exact value that is set through set_override method - not
    taking into account the type of that option. Sometimes we want the type
    of the override value to be the same as the option type and therefore
    we will add an optional parameter to the set_override method that will
    enforce the option value type.

    Closes-Bug: #1461299
    Change-Id: I008b76d3292f76d0699f0063930a3b190539740f
    (cherry picked from commit 67c3abb048402e4910f18386091a4ccf68448dcf)

Changed in keystone:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-3 → 8.0.0