domain-specific drivers does not honor the list_limit set in domain-specific conf file

Bug #1495669 reported by Guang Yee
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Boris Bobrov |

Bug Description

Steps to reproduce:

1. enable domain_specific drivers in keystone.conf

  domain_specific_drivers_enabled = true
  domain_configurations_from_database = false
  domain_config_dir = /etc/keystone/domains

2. set the global list_limit to 2 in keystone.conf

  [default]
  list_limit = 2

3. create a new domain, along with the corresponding domain-specific conf in /etc/keystone/domains/ and set the list_limit to 3 at the driver level

  [identity]
  driver = ldap
  list_limit = 5

  [ldap]
  url = ldap://localhost
  ...

4. restart Keystone and do user list for the specific domain and notice that only 2 users are returned

Interestingly, the list_limit set in the [identity] section in keystone.conf works, i.e.:

  [default]
  list_limit = 2

  [identity]
  list_limit = 5

We just can't override it in the domain-specific conf file.

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
Changed in keystone:
assignee: nobody → Thomas Hsiao (thomas-hsiao)
Boris Bobrov (bbobrov) wrote :

Could you please try to reproduce the bug after applying my patches from https://review.openstack.org/#/c/234849/ ?

Thomas, I am assigning the bugreport to myself, feel free to grab it back if you're working on it.

Changed in keystone:
assignee: Thomas Hsiao (thomas-hsiao) → Boris Bobrov (bbobrov)
Thomas Hsiao (thomas-hsiao) wrote :

Boris,

The resolutions in https://review.openstack.org/#/c/233070/9 and https://review.openstack.org/#/c/234849/ look neat.
I haven't had a chance to test your patches. Will do it later...
Thanks.

Thomas Hsiao (thomas-hsiao) wrote :

Hi Boris,

I brought down the review build (git review -d 234849) and configured an LDAP backend with 50 users.
keystone.conf:
[default]
list_limit = 2

Without 234849 and its dependency, I was able to get two records for openstack user list --domain ad50.
However, after switching to this patch, I encountered the following errors. I am wondering if you have seen that before.

2 19:04:05.758811 2015-10-22 19:04:05.758 6135 DEBUG keystone.common.ldap.core [req-a05be3d5-dbdf-4054-a807-b3aab4c030df - - - - -] LDAP init: use_tls=True tls_cacertfile=/etc/keystone/ssl/certs/openldap_ca.pem tls_cacertdir=None tls_req_cert=0 tls_avail=1 _common_ldap_initialization /usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py:587
2015-10-22 19:04:05.760069 2015-10-22 19:04:05.759 6135 DEBUG keystone.common.ldap.core [req-a05be3d5-dbdf-4054-a807-b3aab4c030df - - - - -] LDAP search: base=ou=Users50,dc=cdl,dc=hp,dc=com scope=1 filterstr=(&(objectClass=posixAccount)(uid=*)) attrs=['uid', 'userPassword', 'enabled', 'mail', 'cn'] attrsonly=0 search_ext_s /usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py:947
2015-10-22 19:04:06.082955 2015-10-22 19:04:06.082 6135 DEBUG keystone.common.ldap.core [req-a05be3d5-dbdf-4054-a807-b3aab4c030df - - - - -] LDAP unbind unbind_s /usr/local/lib/python2.7/dist-packages/keystone/common/ldap/core.py:918
2015-10-22 19:04:06.086384 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi [req-a05be3d5-dbdf-4054-a807-b3aab4c030df - - - - -] {'desc': 'Size limit exceeded'}
2015-10-22 19:04:06.086442 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi Traceback (most recent call last):
2015-10-22 19:04:06.086451 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 248, in __call__
2015-10-22 19:04:06.086458 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi result = method(context, **params)
2015-10-22 19:04:06.086465 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/controller.py", line 207, in wrapper
2015-10-22 19:04:06.086472 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi return f(self, context, filters, **kwargs)
2015-10-22 19:04:06.086479 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 224, in list_users
2015-10-22 19:04:06.086487 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi hints=hints)
2015-10-22 19:04:06.086493 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/common/manager.py", line 58, in wrapper
2015-10-22 19:04:06.086500 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi return f(self, *args, **kwargs)
2015-10-22 19:04:06.086507 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 433, in wrapper
2015-10-22 19:04:06.086514 2015-10-22 19:04:06.083 6135 ERROR keystone.common.wsgi return f(self, *args, **kwargs)
2015-10-22 19:04:06.086521 2015-10-22 19:04:06.083 61...


Boris Bobrov (bbobrov) wrote :

Thomas, thanks for checking. I've uploaded a new patch and will check whether it fixes this problem shortly.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/253183

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Boris Bobrov (<email address hidden>) on branch: master
Review: https://review.openstack.org/253183

Boris Bobrov (bbobrov) wrote :

Still working on this

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/266989

Changed in keystone:
milestone: none → mitaka-2
Steve Martinelli (stevemar) wrote :

The patch is WIP so I'm bumping to mitaka-3 as mitaka-2 is due tomorrow.

Changed in keystone:
milestone: mitaka-2 → mitaka-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/255408
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5d9a16d19735be0c02bd1ba7090720bba3d58613
Submitter: Jenkins
Branch: master

commit 5d9a16d19735be0c02bd1ba7090720bba3d58613
Author: Boris Bobrov <email address hidden>
Date: Wed Dec 9 20:45:50 2015 +0300

    Store config in drivers and use it to get list_limit

    With domain-specific configs, different drivers will be used for
    different domains. Options might be different for these drivers. For
    example, user might want to use different list_limit for a domain.

    Partial-Bug: 1495669
    Change-Id: I706843d7860ec5718c9fbf62af7a65b89b67e4b3

Changed in keystone:
assignee: Boris Bobrov (bbobrov) → Guang Yee (guang-yee)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Boris Bobrov (bbobrov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/280804

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/281360

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/281360
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=06421ebd8797acaa5ab19fc5732d4d54f756e0ec
Submitter: Jenkins
Branch: master

commit 06421ebd8797acaa5ab19fc5732d4d54f756e0ec
Author: Boris Bobrov <email address hidden>
Date: Wed Feb 17 18:32:23 2016 +0300

    Add list_limit to the white list for configs in db

    There is a list of options that are allowed to be stored in the
    database. list_limit was not there. Now it is.

    Change-Id: I628b2f6dcc58b49b366b8a72511866bc6004cdab
    Related-Bug: 1495669

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/280804
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d7a9018522b0d617c20b10b7423e52dac2b7ff64
Submitter: Jenkins
Branch: master

commit d7a9018522b0d617c20b10b7423e52dac2b7ff64
Author: Boris Bobrov <email address hidden>
Date: Tue Feb 16 19:33:16 2016 +0300

    Fallback to list_limit from default config

    If list_limit is not provided in domain-specific driver, it should be
    used from the default config. It doesn't work out of the box with
    domain-specific conf and requires manual handling.

    Partial-Bug: 1495669
    Change-Id: Ib2251e61d30288eb0baca61861d17f6ac428b242

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/266989
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7b6364a4f85e93ac77f740e654b681dfbd47e1f8
Submitter: Jenkins
Branch: master

commit 7b6364a4f85e93ac77f740e654b681dfbd47e1f8
Author: Boris Bobrov <email address hidden>
Date: Wed Jan 13 18:26:51 2016 +0300

    Use the driver to get limits

    @response_truncated was used to set the limit of returned entries. It
    asked the driver about the limit and set it to hints. With
    domain-specific configs, there are multiple driver instances and each of
    them carries domain-specific config.

    However, with domain-specific configs, the driver is not yet configured
    at that point, because sometimes the manager needs to perform additional
    actions in order to understand what domain it works with. Because of
    that, @response_truncated always got the limit from the default driver,
    not from the one actually used for the domain.

    Move the logic of setting the limit from the decorator to a private
    method, call it after determining the domain and driver.

    Change-Id: I1748d491b047e33712380da731c272f9d471ec0a
    Closes-Bug: 1495669
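
A minimal model of the ordering problem described in the commit message above, together with the fallback from the earlier "Fallback to list_limit from default config" commit. This is an added illustration, not keystone's code: Driver, Manager, truncated_early, GLOBAL_LIST_LIMIT and the "plain" domain are hypothetical names, and the user lists are constructed.

```python
import functools

GLOBAL_LIST_LIMIT = 2  # constructed: stands in for the global list_limit in keystone.conf


class Driver:
    """Hypothetical identity driver that carries its own (per-domain) config."""

    def __init__(self, users, list_limit=None):
        self.users = users
        self.list_limit = list_limit  # None: option absent from the domain conf

    def get_list_limit(self):
        # Fall back to the global value when the domain conf sets nothing.
        return GLOBAL_LIST_LIMIT if self.list_limit is None else self.list_limit

    def list_users(self, hints):
        return self.users[:hints["limit"]]


def truncated_early(f):
    """'Before' behaviour: the limit is read from self.driver (the default
    driver) before the manager has worked out which domain is being queried."""
    @functools.wraps(f)
    def wrapper(self, domain_id, hints):
        hints["limit"] = self.driver.get_list_limit()
        return f(self, domain_id, hints)
    return wrapper


class Manager:
    def __init__(self, default_driver, domain_drivers):
        self.driver = default_driver
        self.domain_drivers = domain_drivers

    def _select_driver(self, domain_id):
        return self.domain_drivers.get(domain_id, self.driver)

    @truncated_early
    def list_users_before(self, domain_id, hints):
        return self._select_driver(domain_id).list_users(hints)

    def list_users_after(self, domain_id, hints):
        driver = self._select_driver(domain_id)
        hints["limit"] = driver.get_list_limit()  # set only after driver selection
        return driver.list_users(hints)


def demo():
    ldap_users = ["user%d" % i for i in range(50)]  # constructed 50-user backend
    mgr = Manager(Driver(["admin", "svc", "ops"]),
                  {"ad50": Driver(ldap_users, list_limit=5),
                   "plain": Driver(ldap_users)})  # no list_limit in its conf
    return (len(mgr.list_users_before("ad50", {})),
            len(mgr.list_users_after("ad50", {})),
            len(mgr.list_users_after("plain", {})))
```

demo() returns the number of users listed for the ad50 domain with the early limit, for ad50 with the limit set after driver selection, and for a domain whose conf omits list_limit.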

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b3

This issue was fixed in the openstack/keystone 9.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/289768

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/liberty)

Reviewed: https://review.openstack.org/289768
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cf9ebb4d0fc122f9a06188ab06b6523959ec654f
Submitter: Jenkins
Branch: stable/liberty

commit cf9ebb4d0fc122f9a06188ab06b6523959ec654f
Author: Boris Bobrov <email address hidden>
Date: Wed Dec 9 20:45:50 2015 +0300

    Store config in drivers and use it to get list_limit

    With domain-specific configs, different drivers will be used for
    different domains. Options might be different for these drivers. For
    example, user might want to use different list_limit for a domain.

    Partial-Bug: 1495669
    Change-Id: I706843d7860ec5718c9fbf62af7a65b89b67e4b3
    (cherry picked from commit 5d9a16d19735be0c02bd1ba7090720bba3d58613)

tags: added: in-stable-liberty