Comment 10 for bug 1832265

Drew Freiberger (afreiberger) wrote : Re: keystone LDAP integration in rocky not working for RBAC rules or token auth

I performed a quick update to add in an exception for TypeError along with the ValueError exception handler, and was able to clean up the traceback, but it still doesn't function as expected.

/usr/lib/python3/dist-packages/keystone/token/token_formatters.py:

    def attempt_convert_uuid_hex_to_bytes(cls, value):
        """Attempt to convert value to bytes or return value.

        :param value: value to attempt to convert to bytes
        :returns: tuple containing boolean indicating whether user_id was
                  stored as bytes and uuid value as bytes or the original value

        """
        try:
            return (True, cls.convert_uuid_hex_to_bytes(value))
        except ValueError:
            # this might not be a UUID, depending on the situation (i.e.
            # federation)
            return (False, value)
        except TypeError:
            # lp#1832265 - py3 uuid may raise TypeError instead of ValueError
            return (False, value)

As I did, I saw the log lines flow through showing user_id as a string, and then immediately after, as a byte-encoded value in the log.

(keystone.common.controller): 2019-06-11 18:12:07,270 DEBUG RBAC: Adding query filter params ()
(keystone.common.authorization): 2019-06-11 18:12:07,270 DEBUG RBAC: Authorizing identity:list_user_projects(user_id=d4fb94cfa3ce0f7829d76fe44697488e7765d88e29f5a896f57d43caadb0fad4)
**** somewhere in here is where user_id ends up getting bytestring encoded ****
(keystone.policy.backends.rules): 2019-06-11 18:12:07,270 DEBUG enforce identity:list_user_projects: {'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_id': None, 'domain_name': None, 'group_ids': [], 'token': <TokenModel (audit_id=azlKaSkfR3arBR5tGIzRlw, audit_chain_id=['azlKaSkfR3arBR5tGIzRlw']) at 0x7fd2e1d53e80>, 'user_id': b'd4fb94cfa3ce0f7829d76fe44697488e7765d88e29f5a896f57d43caadb0fad4', 'user_domain_id': '997b3e91271140feb1635eefba7c65a1', 'system_scope': None, 'project_id': None, 'project_domain_id': None, 'roles': [], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []}
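
Added example (not part of the comment above and not Keystone's own code): how Python 3's `uuid.UUID(hex=...)` reacts to a well-formed UUID hex string, a 64-character hex string, and the same ID as `bytes`, and what the ValueError/TypeError fallback hands back in the `bytes` case. The sample IDs are constructed, `convert_uuid_hex_to_bytes` here is a stand-in for the formatter's method, and `normalize_id` is a hypothetical helper.

```python
import uuid

# Constructed sample IDs (not taken from any real deployment).
UUID_HEX = uuid.UUID(int=0x1234).hex   # 32 hex chars: a well-formed UUID
LONG_HEX = "ab" * 32                   # 64 hex chars, same shape as the logged user_id
LONG_HEX_BYTES = LONG_HEX.encode()     # the same ID as a bytes object


def convert_uuid_hex_to_bytes(value):
    """Stand-in for the formatter's converter: UUID hex -> 16 raw bytes."""
    return uuid.UUID(hex=value).bytes


def raised_by(value):
    """Name of the exception the conversion raises for value, or None."""
    try:
        convert_uuid_hex_to_bytes(value)
    except (ValueError, TypeError) as exc:
        return type(exc).__name__
    return None


def attempt_convert(value, catch=(ValueError, TypeError)):
    """Same shape as the patched handler: fall back to the original value."""
    try:
        return (True, convert_uuid_hex_to_bytes(value))
    except catch:
        return (False, value)


def normalize_id(value):
    """Hypothetical helper: decode bytes IDs so later comparisons are str-to-str."""
    return value.decode("utf-8") if isinstance(value, bytes) else value


if __name__ == "__main__":
    for sample in (UUID_HEX, LONG_HEX, LONG_HEX_BYTES):
        print(type(sample).__name__, len(sample), raised_by(sample))
    ok, passed_through = attempt_convert(LONG_HEX_BYTES)
    # The fallback hands the bytes object back untouched; in Python 3 it never
    # compares equal to the str form of the same ID.
    print(ok, passed_through == LONG_HEX, normalize_id(passed_through) == LONG_HEX)
```
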