Can't map user description using LDAP

Bug #1293698 reported by Brant Knudson
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Wishlist | Brant Knudson |
Icehouse | Fix Released | Wishlist | Brant Knudson |

Bug Description

There's no way to set a mapping for the description attribute.

First, there's no user_desc_attribute config option (there's a tenant_desc_attribute), although there doesn't need to be, but

Second, if you try to set "user_additional_attribute_mapping=description:description" the server ignores it. The log says:

  WARNING keystone.common.ldap.core [-] Invalid additional attribute mapping: "description:description". Value "description" must use one of password, enabled, default_project_id, name, email.

Why only allow the attributes that keystone knows about? Those attributes already have user_*_attribute config options anyways!

Third, when keystone gets the users, it doesn't include the extra attr mapping attrs.

Tags: ldap
Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/81040

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/81041

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/81046

Dolph Mathews (dolph)
tags: added: ldap
Changed in keystone:
importance: Undecided → Wishlist
milestone: none → juno-1
Openstack Gerrit (openstack-gerrit) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/81046
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17db03164200f0d7fff564058fc7df8e97705523
Submitter: Jenkins
Branch: master

commit 17db03164200f0d7fff564058fc7df8e97705523
Author: Brant Knudson <email address hidden>
Date: Mon Mar 17 13:41:32 2014 -0500

    Enhance tests for user extra attribute mapping

    This test shows that when an extra attribute mapping like
    'description:description' is used, the description isn't returned
    in the user.

    Change-Id: Ie3520b315a0eecc2503953c0f15ae1da9a8070c9
    Related-Bug: #1293698

Openstack Gerrit (openstack-gerrit) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/81040
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=10051adace7cd728d46cd4c999e3019fdbf2d961
Submitter: Jenkins
Branch: master

commit 10051adace7cd728d46cd4c999e3019fdbf2d961
Author: Brant Knudson <email address hidden>
Date: Mon Mar 17 13:12:09 2014 -0500

    Allow any attributes in mapping

    When using attribute mapping (e.g., user_additional_attribute_mapping), any
    attributes that Keystone didn't know about were ignored and a warning was
    issued, like

     WARNING keystone.common.ldap.core [-] Invalid additional attribute mapping:
     "description:description". Value "description" must use one of password,
     enabled, default_project_id, name, email.

    This check is removed. Additional attribute mappings for "unexpected"
    attributes (such as description) should be allowed. For one thing, all the
    known attributes already have a way of setting the mapping, via the
    user_*_attribute config option. This will allow setting a "description" or
    any other attribute mapping for users.

    Change-Id: Idc2cd75ecd3e1a06a50fd0a676d83c5de74ca7a5
    Partial-Bug: #1293698

Brant Knudson (blk-u)
tags: added: icehouse-backport-potential
Openstack Gerrit (openstack-gerrit) wrote :

Reviewed: https://review.openstack.org/81041
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ebfdab034f2b35074f1645b70c1f07d0c4dfd337
Submitter: Jenkins
Branch: master

commit ebfdab034f2b35074f1645b70c1f07d0c4dfd337
Author: Brant Knudson <email address hidden>
Date: Mon Mar 17 13:12:29 2014 -0500

    Include extra attributes in list results

    The extra attributes defined in the *_additional_attribute_mapping config
    options weren't included in the list results. These attributes should be
    included in the list results.

    Change-Id: Ia80174063a5eacdef690ca378b7cb71300a5f5f8
    Closes-Bug: #1293698
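
As an added example (not Keystone's code and not part of this bug report), here is a small Python model of the two behaviours discussed above: a `<ldap_attr>:<user_attr>` mapping item being rejected against a list of known attributes versus accepted, and list results with and without the extra attributes. All function names and the sample entry are hypothetical and constructed for illustration.

```python
import logging

LOG = logging.getLogger("mapping_example")

# Keystone user attributes listed in the warning quoted in this report.
KNOWN_USER_ATTRS = {"password", "enabled", "default_project_id", "name", "email"}

# Constructed sample data (not from the report); all names are hypothetical.
CORE = {"cn": "name", "mail": "email"}
CONF = ["description:description"]
ENTRIES = [{"cn": ["alice"], "mail": ["alice@example.com"],
            "description": ["Ops lead"]}]


def parse_additional_mapping(items, known_attrs=None):
    """Parse '<ldap_attr>:<user_attr>' items into {ldap_attr: user_attr}.

    known_attrs set: unknown targets are dropped with a warning (as reported).
    known_attrs None: any target is accepted (as after the fix).
    """
    mapping = {}
    for item in items:
        try:
            ldap_attr, user_attr = (p.strip() for p in item.split(":"))
        except ValueError:  # not exactly one ':' separator
            LOG.warning("Malformed mapping item: %r", item)
            continue
        if known_attrs is not None and user_attr not in known_attrs:
            LOG.warning('Invalid additional attribute mapping: "%s".', item)
            continue
        mapping[ldap_attr] = user_attr
    return mapping


def entry_to_user(entry, core, extra):
    """Map one LDAP entry (attr -> list of values) to a user dict."""
    user = {}
    for ldap_attr, user_attr in {**core, **extra}.items():
        if entry.get(ldap_attr):
            user[user_attr] = entry[ldap_attr][0]
    return user


def list_users(entries, core, extra, include_extra=True):
    """include_extra=False models list results that omit the extra attributes."""
    return [entry_to_user(e, core, extra if include_extra else {}) for e in entries]
```
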

Changed in keystone:
status: In Progress → Fix Committed
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/91490

Alan Pevec (apevec)
tags: removed: icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/icehouse)

Reviewed: https://review.openstack.org/91490
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b932321212897ca18ea4fd566d73c9d86b781182
Submitter: Jenkins
Branch: stable/icehouse

commit b932321212897ca18ea4fd566d73c9d86b781182
Author: Brant Knudson <email address hidden>
Date: Mon Mar 17 13:41:32 2014 -0500

    Allow any attributes in mapping and include in results

    When using attribute mapping (e.g., user_additional_attribute_mapping), any
    attributes that Keystone didn't know about were ignored and a warning was
    issued, like

     WARNING keystone.common.ldap.core [-] Invalid additional attribute mapping:
     "description:description". Value "description" must use one of password,
     enabled, default_project_id, name, email.

    This check is removed. Additional attribute mappings for "unexpected"
    attributes (such as description) should be allowed. For one thing, all the
    known attributes already have a way of setting the mapping, via the
    user_*_attribute config option. This will allow setting a "description" or
    any other attribute mapping for users.

    The extra attributes defined in the *_additional_attribute_mapping config
    options weren't included in the list results. These attributes should be
    included in the list results.

    This is a combination of 3 commits from master:
    (cherry picked from commit 17db03164200f0d7fff564058fc7df8e97705523)
    (cherry picked from commit 10051adace7cd728d46cd4c999e3019fdbf2d961)
    (cherry picked from commit ebfdab034f2b35074f1645b70c1f07d0c4dfd337)

    Change-Id: Ia80174063a5eacdef690ca378b7cb71300a5f5f8
    Closes-Bug: #1293698

Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Marcos Lobo (marcos-fermin-lobo) wrote :

I think this patch could be interesting for Havana release as well.

Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-1 → 2014.2