Fernet tokens fail for some users with LDAP identity backend
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Eric Brown |
Kilo | Fix Released | High | Eric Brown |
Liberty | Fix Released | High | Eric Brown |
Bug Description
The following bug fixed most situations when using Fernet + LDAP identity backend.
https:/
However, some users have trouble, resulting in a UserNotFound exception in the logs with a UUID. Here's the error:
2015-09-18 20:04:47.313 12979 WARNING keystone.
So the issue is this. The user DN query + filter will return my user as:
CN=Eric Brown 72620,OU=
Therefore, I have to use CN as the user id attribute. My user id would therefore be "Eric Brown 72620". The fernet token_formatters.py attempts to convert this user id into a UUID. And in my case that is successful. It results in UUID of 457269632042726
For other users, the token_formatter
>>> import uuid
>>> uuid_obj = uuid.UUID(
>>> uuid_obj.hex
'45726963204272
>>> import uuid
>>> uuid_obj = uuid.UUID(
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
raise ValueError('bytes is not a 16-char string')
ValueError: bytes is not a 16-char string
Here's the complete traceback (after adding some additional debug):
2015-09-18 20:04:47.312 12979 WARNING keystone.
File "/usr/lib/
response = self.process_
File "/usr/lib/
auth_context = self._build_
File "/usr/lib/
token_
File "/usr/lib/
token = self._validate_
File "/usr/lib/
should_
File "/usr/lib/
async_creator) as value:
File "/usr/lib/
return self._enter()
File "/usr/lib/
generated = self._enter_
File "/usr/lib/
created = self.creator()
File "/usr/lib/
created_value = creator()
File "/usr/lib/
return fn(*arg, **kw)
File "/usr/lib/
return self.driver.
File "/usr/lib/
audit_
File "/usr/lib/
self.
File "/usr/lib/
user_ref = self.identity_
File "/usr/lib/
return f(self, *args, **kwargs)
File "/usr/lib/
return f(self, *args, **kwargs)
File "/usr/lib/
should_
File "/usr/lib/
async_creator) as value:
File "/usr/lib/
return self._enter()
File "/usr/lib/
generated = self._enter_
File "/usr/lib/
created = self.creator()
File "/usr/lib/
created_value = creator()
File "/usr/lib/
return fn(*arg, **kw)
File "/usr/lib/
ref = driver.
File "/usr/lib/
return self.user.
File "/usr/lib/
user = self.get(user_id)
File "/usr/lib/
ref = super(EnabledEm
File "/usr/lib/
raise self._not_
UserNotFound: Could not find user: 457269632042726
Changed in keystone:
importance: Undecided → High
tags: added: fernet kilo-backport-potential
Changed in keystone:
assignee: nobody → Eric Brown (ericwb)
tags: added: ldap
tags: added: liberty-backport-potential
tags: removed: kilo-backport-potential liberty-backport-potential
Changed in keystone:
milestone: none → mitaka-1
Changed in keystone:
status: Fix Committed → Fix Released
We have two methods designed to safely pack & unpack values in this scenario:
https://github.com/openstack/keystone/blob/f3e3a653f9c9ce0f9a7ba842eff118e5887eb388/keystone/token/providers/fernet/token_formatters.py#L336-L362
But we must be using the variants of those calls that do not expect to encounter value errors:
https://github.com/openstack/keystone/blob/f3e3a653f9c9ce0f9a7ba842eff118e5887eb388/keystone/token/providers/fernet/token_formatters.py#L285-L311
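As an added example (not keystone's code, and not part of the bug report or the comment above), the following stdlib-only Python sketches the two conversion styles this comment contrasts: strict hex/bytes helpers that raise ValueError, and a tolerant pack that records whether the hex-to-bytes step was applied so the unpack can undo only what was done. The function names mirror the ones the comment refers to, but their bodies are my own, and the three sample user ids are constructed. It reproduces both symptoms from the report: a 16-character LDAP CN unpacks "successfully" into a bogus UUID hex (the id the backend then cannot find), while a CN of any other length raises "bytes is not a 16-char string".

```python
import uuid

# Constructed sample user ids (not taken from the report): a UUID hex such as
# keystone's SQL identity backend issues, a 16-character LDAP CN that happens
# to be exactly 16 bytes long, and a shorter LDAP CN.
UUID_USER_ID = "3f2a9b6c1d4e4f5a8b7c6d5e4f3a2b1c"
CN_16_CHARS = "Jane Doe 1234567"
CN_10_CHARS = "Jane Doe 1"


def convert_uuid_hex_to_bytes(uuid_string):
    """Strict pack: 32 hex chars -> 16 bytes; ValueError for anything else."""
    return uuid.UUID(uuid_string).bytes


def convert_uuid_bytes_to_hex(uuid_bytes):
    """Strict unpack: exactly 16 bytes -> hex; ValueError for any other length."""
    return uuid.UUID(bytes=uuid_bytes).hex


def attempt_convert_uuid_hex_to_bytes(value):
    """Tolerant pack: (True, 16 bytes) for a UUID hex id, (False, value) otherwise."""
    try:
        return True, convert_uuid_hex_to_bytes(value)
    except ValueError:
        return False, value


def as_wire_bytes(packed):
    """Simulate the raw payload field the unpacker sees: a str id arrives as its UTF-8 bytes."""
    return packed if isinstance(packed, bytes) else packed.encode("utf-8")


def strict_roundtrip(user_id):
    """The failing pattern: pack tolerantly, but unpack with the strict converter."""
    _, packed = attempt_convert_uuid_hex_to_bytes(user_id)
    return convert_uuid_bytes_to_hex(as_wire_bytes(packed))


def describe_strict_roundtrip(user_id):
    """Return the id the strict path would hand to the identity backend, or the error text."""
    try:
        return strict_roundtrip(user_id)
    except ValueError as exc:
        return "ValueError: %s" % exc


def tolerant_roundtrip(user_id):
    """The safe pattern: only undo the hex->bytes step if the pack actually applied it."""
    is_stored_as_bytes, packed = attempt_convert_uuid_hex_to_bytes(user_id)
    if is_stored_as_bytes:
        return convert_uuid_bytes_to_hex(packed)
    return packed


if __name__ == "__main__":
    for user_id in (UUID_USER_ID, CN_16_CHARS, CN_10_CHARS):
        print("%-36r strict -> %-44s tolerant -> %r" % (
            user_id, describe_strict_roundtrip(user_id), tolerant_roundtrip(user_id)))
```

One caveat with the tolerant variant: it still classifies any id that parses as a UUID (32 hex characters, with or without hyphens, any case) as one and returns it canonicalized to lowercase hex with hyphens removed, so an LDAP id that merely looks like a UUID would come back altered. The id-existence lookup on the unpack side is what turned the 16-byte case into the UserNotFound in the report rather than a silently wrong identity.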