keystone chokes on empty "description" field in active directory

Bug #1210515 reported by Isaac Hailperin on 2013-08-09
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: David Stanek

Bug Description

I configured keystone (from grizzly) with an active directory backend, following https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD.
It works so far.

Now I can create projects in horizon (tenants in keystone) with an empty "description" field. The result is that there is no attribute "description" for that tenant in AD. When I then try to edit such a project (e.g. add description, or add member), I get an

Error: Unable to modify project "test02".

message from horizon, and in keystone.log I see

2013-08-09 15:07:23 ERROR [root] u'description'
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 236, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.6/site-packages/keystone/identity/controllers.py", line 115, in update_project
    context, tenant_id, clean_tenant)
  File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 229, in update_project
    return self._set_default_domain(self.project.update(tenant_id, tenant))
  File "/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap/core.py", line 614, in update
    return super(ProjectApi, self).update(id, values, old_obj)
  File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 586, in update
    object_id, values, old_obj)
  File "/usr/lib/python2.6/site-packages/keystone/common/ldap/core.py", line 328, in update
    elif old_obj[k] != v:
KeyError: u'description'

I can add a description attribute to AD via its ldap interface using ldapmodify. Then I can modify the project without problems. I think keystone should be able to deal with a missing description field if it's optional at creation time.

Dolph Mathews (dolph) wrote :

It should definitely be optional.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
milestone: none → havana-3
ZhiQiang Fan (aji-zqfan) on 2013-08-23
Changed in keystone:
assignee: nobody → ZhiQiang Fan (aji-zqfan)
ZhiQiang Fan (aji-zqfan) on 2013-08-23
Changed in keystone:
assignee: ZhiQiang Fan (aji-zqfan) → nobody
Chmouel Boudjnah (chmouel) wrote :

looking at the code, this seems to fix it :

http://pasteraw.com/k0pe4yieqtgmw7ex3m6bmd3obutus1z

I don't have any LDAP install so I can't really test it (and I am not even sure where to put the unittests) but if someone wants to try it, see if that fixes it.

Testing this with my setup (grizzly on centos 6.4 with active directory as ldap server) this fixes the issue only partly. I can now modify a project without error, e.g. I can add users. But if I create a project without description field, I can not update this field later. I can input data, and it will process it without error, but just not update the attribute in ldap, so I can not add a description.

I also see that you seem to have a different code base, I added your snippet in the "update" function, which looks like
    def update(self, id, values, old_obj=None):
        if not self.allow_update:
            action = _('LDAP %s update') % self.options_name
            raise exception.ForbiddenAction(action=action)

        if old_obj is None:
            old_obj = self.get(id)

        modlist = []
        for k, v in values.iteritems():
            if k == 'id' or k in self.attribute_ignore:
                continue
            # fix for bug https://bugs.launchpad.net/keystone/+bug/1210515
            if k not in old_obj:
                continue
            if v is None:
                if old_obj[k] is not None:
                    modlist.append((ldap.MOD_DELETE,
                                    self.attribute_mapping.get(k, k),
                                    None))

So maybe it would work if I would use a different (probably more recent?) version of keystone?

Dolph Mathews (dolph) on 2013-08-28
Changed in keystone:
milestone: havana-3 → havana-rc1
Chmouel Boudjnah (chmouel) wrote :

@isaac I am not sure, I am definitely not an LDAP/AD expert, but it would be nice, if that's easy for you, to test with trunk so we can at least make sure this is reproducible there.

Changed in keystone:
assignee: nobody → Chmouel Boudjnah (chmouel)
Dolph Mathews (dolph) on 2013-08-29
tags: added: grizzly-backport-potential

@chmouel sorry for asking, but what exactly do you mean by "trunk"? "trunk" -docs only mention installation via yum, which is what I did. So I guess you mean maybe checking out the latest dev code? If there is any description on how to install what you want, I'll be happy to do it.

Ok, tested the suggested patch with code I pulled from git on 30th of August, but same symptoms as described above: It suppresses the error message, but once a project is created without a description, you can not add a description.

From my previous experience with ldap this seems no surprise, as you would have to "add" the attribute first before setting it.

Here is a patch that fixes the bug for me.
I am aware that this is not the most beautiful code (see comment in the patch), but since I am not a professional coder, I leave the task of making this more elegant to the pros :)
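
The three behaviours discussed in this thread, side by side, as an added example that is not part of the original report, not the attached patch and not keystone's code. The function name, the `missing` parameter and the sample entry are assumptions made for illustration; the operation codes mirror python-ldap's `ldap.MOD_ADD`, `ldap.MOD_DELETE` and `ldap.MOD_REPLACE` so the block runs without the library.

```python
# Added example, not keystone's code. Values match python-ldap's constants.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

def build_modlist(old_obj, values, missing="add", attribute_mapping=None,
                  attribute_ignore=()):
    """Build (op, attr, values) tuples for an LDAP modify.

    missing="raise": index old_obj directly, as in the traceback (KeyError)
    missing="skip":  ignore keys absent from old_obj (error gone, no update)
    missing="add":   emit MOD_ADD so the absent attribute is created
    """
    mapping = attribute_mapping or {}
    modlist = []
    for k, v in sorted(values.items()):
        if k == "id" or k in attribute_ignore:
            continue
        attr = mapping.get(k, k)
        if k not in old_obj and missing != "raise":
            if missing == "add" and v is not None:
                modlist.append((MOD_ADD, attr, [v]))
            continue
        old = old_obj[k]  # KeyError here when missing == "raise"
        if v is None:
            if old is not None:
                modlist.append((MOD_DELETE, attr, None))
        elif old != v:
            modlist.append((MOD_REPLACE, attr, [v]))
    return modlist

# Constructed sample: a project entry that was created without a description.
OLD = {"id": "test02", "name": "test02", "enabled": True}
NEW = {"id": "test02", "name": "test02", "description": "QA sandbox"}

def demo():
    """Run all three strategies against the constructed sample."""
    try:
        build_modlist(OLD, NEW, missing="raise")
        raised = False
    except KeyError:
        raised = True
    return {
        "raise": raised,
        "skip": build_modlist(OLD, NEW, missing="skip"),
        "add": build_modlist(OLD, NEW, missing="add"),
    }

if __name__ == "__main__":
    print(demo())
```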

Dolph Mathews (dolph) wrote :

@Isaac: Ha, patches are always appreciated!

Chmouel Boudjnah (chmouel) wrote :

@Isaac thanks for the patch, feel free to propose it for reviews and reviewers will help you improve the code style.

you can find a guide on how to contribute with the gerrit workflow on
wiki.openstack.org, any patch will be appreciated

On Tue, Sep 3, 2013 at 12:12 AM, Chmouel Boudjnah <email address hidden> wrote:

> @Isaac thanks for the patch, feel free to propose it for reviews and
> reviewers will help you improving the code style.

--
blog: zqfan.github.com
git: github.com/zqfan

Chmouel Boudjnah (chmouel) wrote :

Hi Isaac, I have successfully reproduced and tested your patch, let me know if you plan to submit, or I'll clean this up, add a test and submit. Chmouel.

Chmouel, I would be grateful if you could submit this patch. Among other things I will have to check with my employer about the licencing thingy, so for this patch it will be faster if you would carry on. I hope some day I will also submit :)

Dolph Mathews (dolph) wrote :

Isaac- Looking forward to it!

Fix proposed to branch: master
Review: https://review.openstack.org/45447

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Chmouel Boudjnah (chmouel) → Lance Bragstad (ldbragst)
assignee: Lance Bragstad (ldbragst) → Chmouel Boudjnah (chmouel)

Fix proposed to branch: master
Review: https://review.openstack.org/48266

Changed in keystone:
assignee: Chmouel Boudjnah (chmouel) → David Stanek (dstanek)
Changed in keystone:
assignee: David Stanek (dstanek) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → David Stanek (dstanek)

Reviewed: https://review.openstack.org/48266
Committed: http://github.com/openstack/keystone/commit/89249257e8b61d57e7cb29f6bd3e2977c1b1b692
Submitter: Jenkins
Branch: master

commit 89249257e8b61d57e7cb29f6bd3e2977c1b1b692
Author: Chmouel Boudjnah <email address hidden>
Date: Fri Sep 6 17:25:51 2013 +0200

    Fix updating attributes with ldap backend

    - Patch originally provided by Chmouel Boudjnah in review:
      https://review.openstack.org/45447

    Change-Id: I645e0dba17f6a8d841dac07590c7f26ab65c5a72
    Fixes-Bug: #1210515

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2
Alan Pevec (apevec) on 2014-03-30
tags: removed: grizzly-backport-potential