LDAP identity backend does not honor list_limit

Bug #1501698 reported by Alexander Makarov on 2015-10-01
This bug affects 5 people
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Boris Bobrov

Bug Description

The list_limit set in the [identity] section is not used to limit the user list: the result contains the entire set of users returned by the query.

Changed in keystone:
assignee: nobody → Alexander Makarov (amakarov)
Dolph Mathews (dolph) on 2015-10-02
Changed in keystone:
importance: Undecided → Medium
Dolph Mathews (dolph) wrote :

Depending on the nature of the fix, I could also see this as a non-backportable Wishlist item.

Changed in keystone:
status: New → Triaged
Boris Bobrov (bbobrov) wrote :

Todo:
1. Implement search_ext_s
2. Use it instead of search_s
3. Implement passing list_limit like we do in sql backend

Changed in keystone:
assignee: Alexander Makarov (amakarov) → Boris Bobrov (bbobrov)

Fix proposed to branch: master
Review: https://review.openstack.org/232995

Changed in keystone:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/229811
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=daf0fb70d03e8f081ddb7e90bfe658de30b187af
Submitter: Jenkins
Branch: master

commit daf0fb70d03e8f081ddb7e90bfe658de30b187af
Author: Alexander Makarov <email address hidden>
Date: Thu Oct 1 13:26:55 2015 +0300

    Expose 1501698 bug

    Specifying list_limit in [identity] section has no effect on the returned
    user list size.

    Related-Bug: 1501698

    Change-Id: I7443a7e4c65c2e40c02826b53130738bc7689a07

Fix proposed to branch: master
Review: https://review.openstack.org/234849

Change abandoned by Boris Bobrov (<email address hidden>) on branch: master
Review: https://review.openstack.org/232995
Reason: yep, not needed

Changed in keystone:
milestone: none → mitaka-2
Changed in keystone:
assignee: Boris Bobrov (bbobrov) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Boris Bobrov (bbobrov)

Reviewed: https://review.openstack.org/234226
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1968ab54aadd65c8dfe6930f7875f7d61f5c043a
Submitter: Jenkins
Branch: master

commit 1968ab54aadd65c8dfe6930f7875f7d61f5c043a
Author: Boris Bobrov <email address hidden>
Date: Tue Oct 13 16:17:36 2015 +0300

    Fix exposition of bug about limiting with ldap

    The test did not take into account that even with the limits set,
    as part of some internal calculation we want to get the full list
    of entities. Calling the API without a hints list should achieve
    this, and return all available entries.

    Drop the custom test and use generic LimitTests.

    Change-Id: Id3120ed66cc23228edcf18e0177c1df1955ac5e7
    Partial-Bug: 1501698

Reviewed: https://review.openstack.org/233069
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=19a25bab9c9fd1162350b9b0ff0f25585a371cc1
Submitter: Jenkins
Branch: master

commit 19a25bab9c9fd1162350b9b0ff0f25585a371cc1
Author: Boris Bobrov <email address hidden>
Date: Fri Oct 9 16:54:56 2015 +0300

    Make @truncated common for all backends

    Although not used in all backends now, @truncated decorator can be
    useful in all of them and there is no sense in making it sql-only.

    Change-Id: I063cb1d621f4e2bf4d350450a56044d0b6cee7c1
    Partial-Bug: 1501698

Reviewed: https://review.openstack.org/247749
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3dbc2f64e25d69337a17b72b6f1103a4b1b8c262
Submitter: Jenkins
Branch: master

commit 3dbc2f64e25d69337a17b72b6f1103a4b1b8c262
Author: Boris Bobrov <email address hidden>
Date: Thu Nov 19 21:00:36 2015 +0300

    Limiting for fake LDAP

    In LDAP limiting can be implemented using server controls by
    requesting only one page of results. Server controls are supported
    by search_ext.

    Implement search_ext emulation required for limiting. All options
    except those required for limiting are marked as not implemented.

    Partial-Bug: 1501698
    Change-Id: Ic10c59e6f3c80caf6658c5b8e3ddf139025e0391

Reviewed: https://review.openstack.org/233070
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9c6c24f35717bd0a9271c975f75e0dc3419b7203
Submitter: Jenkins
Branch: master

commit 9c6c24f35717bd0a9271c975f75e0dc3419b7203
Author: Boris Bobrov <email address hidden>
Date: Fri Oct 9 16:56:43 2015 +0300

    Enable limiting in ldap for users

    In previous commit @truncated was decoupled from sql. Use the
    decorator for ldap and implement limiting of results. The
    information about limits is passed as part of driver hints.

    Also implement sizelimit in fake ldap and fix the test.

    Change-Id: I6c9ddd61dcda1670babfda4b6f546c7368a86b19
    Partial-Bug: 1501698
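
The limiting approach these commit messages describe, as an added sketch that is not Keystone's code: the limit travels in the driver hints, a decorator asks the backend for one entry more than the limit so it can tell a cut-off list from a complete one, and a call without hints still returns everything. `Hints`, `FakeDirectory`, `UserDriver`, `demo` and the `dc=example,dc=org` data are hypothetical, the `truncated` body is one assumed way such a decorator can work, and `search_ext_s` here is a constructed stand-in with a reduced signature.

```python
import functools
BASE = "ou=Users,dc=example,dc=org"  # constructed sample suffix

class Hints:
    """Hypothetical stand-in for driver hints carrying an optional limit."""
    def __init__(self):
        self.limit = None
    def set_limit(self, limit, truncated=False):
        self.limit = {"limit": limit, "truncated": truncated}

def truncated(f):
    """Request limit + 1 entries so a cut-off result can be detected."""
    @functools.wraps(f)
    def wrapper(self, hints=None):
        if hints is None or hints.limit is None:
            return f(self, hints)  # internal callers: full list
        limit = hints.limit["limit"]
        hints.set_limit(limit + 1)
        refs = f(self, hints)
        hints.set_limit(limit, truncated=len(refs) > limit)
        return refs[:limit]
    return wrapper

class FakeDirectory:
    """Constructed in-memory directory; simplified search_ext_s signature."""
    def __init__(self, names):
        self.entries = [("cn=%s,%s" % (n, BASE), {"cn": [n]}) for n in names]
    def search_ext_s(self, base, filterstr, sizelimit=0):
        # filterstr is ignored here; sizelimit=0 means "no limit".
        hits = [e for e in self.entries if e[0].endswith(base)]
        return hits[:sizelimit] if sizelimit else hits

class UserDriver:
    def __init__(self, conn):
        self.conn = conn
    @truncated
    def list_users(self, hints=None):
        size = hints.limit["limit"] if hints and hints.limit else 0
        rows = self.conn.search_ext_s(BASE, "(objectClass=person)", sizelimit=size)
        return [attrs["cn"][0] for _dn, attrs in rows]

def demo(list_limit, total):
    driver = UserDriver(FakeDirectory(["user%02d" % i for i in range(total)]))
    hints = Hints()
    hints.set_limit(list_limit)
    limited = driver.list_users(hints)
    return len(limited), hints.limit["truncated"], len(driver.list_users())
```

`demo(list_limit, total)` returns the size of the limited list, the truncation flag left in the hints, and the size of the list returned without hints.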

Reviewed: https://review.openstack.org/234849
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=431f067f645c191a4b569e3561fb96bed3e32717
Submitter: Jenkins
Branch: master

commit 431f067f645c191a4b569e3561fb96bed3e32717
Author: Boris Bobrov <email address hidden>
Date: Wed Oct 14 18:37:20 2015 +0300

    Enable limiting in ldap for groups

    Change-Id: If7f66b72df4d0db1afded0a0e377909e82e1243b
    Closes-Bug: 1501698

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

Change abandoned by Steve Martinelli (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/294478
Reason: I confirmed with dhellmann, propose to master and backport. Treat this like any other fix

Reviewed: https://review.openstack.org/294657
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1041d3340cf454c3ac6e3f042d290c624e324a9c
Submitter: Jenkins
Branch: master

commit 1041d3340cf454c3ac6e3f042d290c624e324a9c
Author: Boris Bobrov <email address hidden>
Date: Fri Mar 18 12:49:42 2016 +0300

    Add release note for list_limit support

    Change-Id: I8a91f681b4d1c1c018bf5d6faf75d2d841ac0383
    Related-Bug: 1501698

Reviewed: https://review.openstack.org/294658
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ff01c0e2be4be19a7be1c9e523c0b2b8e0fea7cd
Submitter: Jenkins
Branch: stable/mitaka

commit ff01c0e2be4be19a7be1c9e523c0b2b8e0fea7cd
Author: Boris Bobrov <email address hidden>
Date: Fri Mar 18 12:49:42 2016 +0300

    Add release note for list_limit support

    Change-Id: I8a91f681b4d1c1c018bf5d6faf75d2d841ac0383
    Related-Bug: 1501698

tags: added: in-stable-mitaka

Reviewed: https://review.openstack.org/302567
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a78623a456fc0a657a01aa5a887641f0b73d64a8
Submitter: Jenkins
Branch: master

commit 3e5fca06c6b7dd6060721faa39428b133edd10f0
Author: Boris Bobrov <email address hidden>
Date: Tue Apr 5 18:50:48 2016 +0300

    Update federated user display name with shadow_users_api

    When a user comes to the cloud for the first time, a shadow user is
    created. When the user authenticates again, this shadow user is
    fetched and returned. Before it is returned, its display name should
    be updated. But the call to update the display name fails because
    neither identity manager nor identity drivers have the required
    method. However, the required method exists in shadow_users_api.

    The issue was hidden because method shadow_federated_user was
    cached and while the cache lived, the user could authenticate.

    Use the method of shadow_user_api instead of identity_api to update
    federated user display name.

    Change-Id: I58e65bdf3a953f3ded485003939b81f908738e1e
    Closes-Bug: 1566282
    (cherry picked from commit 7ad4f8728cce354617b5facefe5076d65af311c6)

commit dba04cdd232ab72704df58cff791d52c1c99bc90
Author: Morgan Fainberg <email address hidden>
Date: Mon Mar 28 10:50:12 2016 -0700

    Correct `role_name` constraint dropping

    The `role_name` constraint was not properly dropped in some cases
    because the unique constraint was not consistently named. In all
    cases we must search for the constraint expected, not assume the
    name of the constraint will be consistent (especially from older
    installs that have been moved forward in releases).

    This change fixes migration 88, updates 96 (for backport to
    stable/mitaka). This is being overly cautious, but specifically
    is to handle the case where someone performed the upgrade and
    manually fixed the migration resulting in duplicated constraints
    in the role_table. Note that migration 100 was not backported since
    it was a placeholder migration.

    Conflicts:
        keystone/tests/unit/test_sql_upgrade.py

    Co-Authored-By: "Matthew Thode" <email address hidden>
    Change-Id: Ie0dc3d2449bace57d3e9323b281a2abd2ad0c983
    closes-bug: #1562934
    (cherry picked from commit 276e57e2083dcad8cbabf9aa9b3bd06c6079c415)

commit cf1fd9dad7d89d50a10ab204aa487663ea258988
Author: OpenStack Proposal Bot <email address hidden>
Date: Wed Mar 30 06:16:27 2016 +0000

    Imported Translations from Zanata

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: Iff9556deb5ebb465c7124c120e7806774c517472

commit c4b08ed2522ee771331d53f153bda5098c9fb9f4
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Mar 29 06:52:52 2016 +0000

    Imported Translations from Zanata

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: I1e81320c932549e38bade5ef8d885ef426990f40

commit dd38543bdc2a11...
