get_group_project_roles() asks same ldap query for all groups associated with user

Bug #1205506 reported by alexius ludeman
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Morgan Fainberg

Bug Description

assignment/core.py:_get_group_project_roles() iterates over all my LDAP user groups and calls self._get_metadata(group_id=x['id'], tenant_id=project_ref['id'])

assignment/backends/ldap.py:_get_metadata() has a parameter group_id, but it is not used in the function.

This effectively calls LDAP for every group with the identical question:
    2013-07-26 21:50:32,026 (keystone.common.ldap.core): DEBUG core search_s LDAP search: dn=cn=groups,dc=bogus,dc=com, scope=1, query=(&(cn=OS_TENANT_NAME)(objectClass=posixGroup)), attrs=['enabled', 'cn', 'businessCategory', 'description']

where OS_TENANT_NAME is a shell environment variable.

summary: - _get_group_project_roles() doesn't do anything
+ get_group_project_roles() asks same ldap query for all groups associated
+ with user
Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Dolph Mathews (dolph) wrote :

I assume the same can be accomplished in a single query to LDAP?

Adam- I believe I saw a patch in review for this... if that's the case, is the commit message missing this bug number?

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Adam Young (ayoung) → nobody
Changed in keystone:
assignee: nobody → Pablo Fernando Cargnelutti (pablo-fernando-cargnelutti)
Pablo Fernando Cargnelutti (pablo-fernando-cargnelutti) wrote :

Just for my clarification: the idea would be to override get_roles_for_user_and_projects in the LDAP driver so we can do the role gathering using a single LDAP query?

Dolph Mathews (dolph) wrote :

Sort of - get_roles_for_user_and_project(user_id, tenant_id) is a manager method, not a driver method. But it loops over the results of a driver call to list_groups_for_user() because the driver method it really needs doesn't actually exist (something to provide _get_group_project_roles() in a single driver call). So, the for loop could be factored out into the base driver class as a *new* method, and then the LDAP, SQL and KVS implementations could override it with much more efficient methods.

tags: added: performance
tags: added: ldap sql
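
A small model of the pattern discussed in this report, added here as an illustration and not keystone code: a per-group loop whose helper ignores group_id issues one identical search per group, while a single driver-style call issues one search and filters by group. CountingDirectory, the function names and the sample entries are constructed assumptions; the filter string only mirrors the shape of the logged query.

```python
# Added illustration; not keystone code. All names and data are constructed.
SAMPLE_ROLE_ENTRIES = {"demo": [("member", "g-dev"), ("admin", "g-ops"),
                                ("member", "u-alice")]}
SAMPLE_GROUPS = ["g-dev", "g-qa", "g-ops"]


class CountingDirectory:
    """Stand-in for an LDAP backend that records every search filter."""

    def __init__(self, role_entries):
        self.role_entries = role_entries  # {tenant_id: [(role, member_id)]}
        self.queries = []

    def search(self, tenant_id):
        self.queries.append("(&(cn=%s)(objectClass=posixGroup))" % tenant_id)
        return list(self.role_entries.get(tenant_id, []))


def get_metadata(directory, tenant_id, user_id=None, group_id=None):
    """Shape of the reported bug: group_id is accepted but never used."""
    rows = directory.search(tenant_id)
    return {role for role, member in rows if member == user_id}


def roles_per_group_loop(directory, group_ids, tenant_id):
    """Manager-style loop: one search per group, all with the same filter."""
    roles = set()
    for gid in group_ids:
        # In this model the result cannot depend on gid.
        roles |= get_metadata(directory, tenant_id, group_id=gid)
    return roles


def roles_single_call(directory, group_ids, tenant_id):
    """Hypothetical driver method: one search, filtered by group ids."""
    wanted = set(group_ids)
    return {r for r, member in directory.search(tenant_id) if member in wanted}


def compare(group_ids, tenant_id, role_entries):
    loop_dir = CountingDirectory(role_entries)
    single_dir = CountingDirectory(role_entries)
    return {
        "loop_roles": roles_per_group_loop(loop_dir, group_ids, tenant_id),
        "loop_queries": len(loop_dir.queries),
        "loop_distinct_filters": len(set(loop_dir.queries)),
        "single_roles": roles_single_call(single_dir, group_ids, tenant_id),
        "single_queries": len(single_dir.queries),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_GROUPS, "demo", SAMPLE_ROLE_ENTRIES))
```

Many searches with a single distinct filter in one request, as counted by loop_distinct_filters here, is the same signature the DEBUG log line in the report shows.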
Pablo Fernando Cargnelutti (pablo-fernando-cargnelutti) wrote :

Clear, thanks for the response.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/86025

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Pablo Fernando Cargnelutti (pablo-fernando-cargnelutti) → Morgan Fainberg (mdrnstm)
Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → juno-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-2 → 2014.2