Unable to request details for a specific group on non default domain

Bug #1572161 reported by Stefan Herrnleben
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

We want to get details about one specific user-group from keystone. The group is managed by our external LDAP server.

The following command will list all groups, this works fine:
curl -g -i --cacert "os.pem" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: ***" -X GET "https://myopenstack:5000/v3/groups?domain_id=c867fccd207540f1818625218bbd9f50"

There exists an optional parameter "name" to filter the results on server side for only one specific group. We added this parameter and executed the following request:
curl -g -i --cacert "os.pem" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: ***" -X GET "https://myopenstack:5000/v3/groups?domain_id=c867fccd207540f1818625218bbd9f50&name=testgroup"

With the second request we get a "500 Internal Server Error": An unexpected error prevented the server from fulfilling your request.

Executing the same request on the default domain succeeds. Is there a bug when requesting details for a specific group on a non-default domain or an LDAP server?

Steve Martinelli (stevemar) wrote :

Unfortunately '"500 Internal Server Error": An unexpected error prevented the server from fulfilling your request.' is the default message when something unexpected happens. Do you have any logs that have more detail? Also, what version of keystone were you running?

Stefan Herrnleben (stefan-herrnleben) wrote :

Thank you for your reply. A "keystone-all --version" reports "2015.1.0".

I have searched for affected log files and I have found some entries in /var/log/keystone/main.log:

2016-04-19 18:05:01.856 18112 INFO keystone.common.wsgi [-] GET /groups?domain_id=c867fccd207540f1717635018bbd9f50&name=testgroup
2016-04-19 18:05:01.918 18112 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi Traceback (most recent call last):
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi result = method(context, **params)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 206, in wrapper
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi return f(self, context, filters, **kwargs)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 309, in list_groups
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi hints=hints)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 1000, in list_groups
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi ref_list = driver.list_groups(hints)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 164, in list_groups
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi return self.group.get_all_filtered(hints)
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 402, in get_all_filtered
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi for group in self.get_all(query)]
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1506, in get_all
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi for x in self._ldap_get_all(ldap_filter)]
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1468, in _ldap_get_all
2016-04-19 18:05:01.918 18112 TRACE keystone.common.wsgi attrs)
2016-04-19 1...

Guang Yee (guang-yee) wrote :

Can you please provide the following? I presume you are using the per-domain driver enabled in /etc/keystone/keystone.conf

domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

Find the domain-specific config file corresponding to your c867fccd207540f1717635018bbd9f50 domain in /etc/keystone/domains and do this

grep 'group_' /etc/keystone/domains/keystone.<your domain>.conf

and paste the output here?

I suspect there's a misconfiguration on group_filter and group_name_attribute.

Stefan Herrnleben (stefan-herrnleben) wrote :

You are right, we use the per-domain driver and our /etc/keystone/keystone.conf contains the following parameters:
domain_specific_drivers_enabled = True
The domain_config_dir is commented out, but the domain-specific configuration file in /etc/keystone/domains exists however.

A grep 'group_' on this file provides the following output:
group_allow_delete=False
group_allow_update=False
group_tree_dn=ou=groups,dc=info,dc=example,dc=de
group_filter=
group_objectclass=groupOfNames
group_allow_create=False
group_member_attribute=member
group_id_attribute=cn
group_desc_attribute=description
group_name_attribute=cn

It seems that you are right and there is a misconfiguration with the group_filter. We will try to fix our configuration and give you feedback about the result.

Guang Yee (guang-yee) wrote :

I think your version of Keystone likely has this bug

https://bugs.launchpad.net/keystone/+bug/1454309

The fix was backported to Kilo, but I'm not sure if your deployment has absorbed it yet. Otherwise, a workaround would be to explicitly define a group_filter. For example,

group_filter=(objectclass=groupOfNames)

Stefan Herrnleben (stefan-herrnleben) wrote :

Thank you for your reply. I looked into the file affected by the referenced bug, but the patch is already applied in our keystone.

I enabled the debugging of keystone, executed the query again and got the following output in /var/log/keystone/main.log:

2016-04-20 22:54:34.186 6663 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=groups,dc=info,dc=example,dc=de scope=1 filterstr=(&(&None(cn=testgroup))(objectClass=groupOfNames)(cn=*)) attrs=['cn', 'description'] attrsonly=0 search_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:931
2016-04-20 22:54:34.187 6663 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:904
2016-04-20 22:54:34.187 6663 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi Traceback (most recent call last):
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi result = method(context, **params)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 206, in wrapper
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi return f(self, context, filters, **kwargs)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 309, in list_groups
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi hints=hints)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 1000, in list_groups
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi ref_list = driver.list_groups(hints)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 164, in list_groups
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi return self.group.get_all_filtered(hints)
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 402, in get_all_filtered
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi for group in self.get_all(query)]
2016-04-20 22:54:34.187 6663 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/key...
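
The filterstr in the debug output above contains a literal None where the empty group_filter setting was spliced in, which is what the LDAP server rejects as a bad search filter. The following added example (not keystone's code and not part of the original report) reproduces that string with a hypothetical compose_naive and contrasts it with a composer that drops an unset filter, escapes the group name per RFC 4515 and checks the filter's structure before it would be sent; all function names here are assumptions.

```python
import re

# One simple item: attribute, operator, value with no raw parentheses.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*(=|~=|>=|<=)[^()]*\Z")
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    """Escape the RFC 4515 special characters in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _parse(f, i):
    """Return the index just past the filter that starts at f[i], or -1."""
    if i >= len(f) or f[i] != "(":
        return -1
    i += 1
    if i < len(f) and f[i] in "&|":          # (&...) or (|...): nested filters
        i += 1
        while i < len(f) and f[i] == "(":
            i = _parse(f, i)
            if i < 0:
                return -1
    elif i < len(f) and f[i] == "!":         # (!...): exactly one nested filter
        i = _parse(f, i + 1)
        if i < 0:
            return -1
    else:                                    # simple item such as cn=testgroup
        end = f.find(")", i)
        if end < 0 or not _ITEM.match(f[i:end]):
            return -1
        i = end
    return i + 1 if i < len(f) and f[i] == ")" else -1

def is_valid(f):
    return _parse(f, 0) == len(f)            # one filter, no trailing text

def compose_naive(configured, name_attr, name, object_class):
    """Hypothetical: formats an unset (None) filter straight into the string."""
    query = "(&%s(%s=%s))" % (configured, name_attr, name)
    return "(&%s(objectClass=%s)(%s=*))" % (query, object_class, name_attr)

def compose_checked(configured, name_attr, name, object_class):
    """Skip an unset filter, escape the name, validate before use."""
    parts = [configured] if configured else []
    parts.append("(%s=%s)" % (name_attr, escape_value(name)))
    parts += ["(objectClass=%s)" % object_class, "(%s=*)" % name_attr]
    result = "(&%s)" % "".join(parts)
    if not is_valid(result):
        raise ValueError("malformed LDAP filter: %r" % result)
    return result
```

A configured filter written without its enclosing parentheses makes compose_checked raise ValueError instead of sending the query, so the misconfiguration surfaces at composition time rather than as a 500 from the API.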


Changed in keystone:
status: New → In Progress
Changed in keystone:
assignee: nobody → Stefan Herrnleben (stefan-herrnleben)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/311612

Steve Martinelli (stevemar) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Stefan Herrnleben (stefan-herrnleben) → nobody
status: In Progress → Triaged
Steve Martinelli (stevemar) wrote :
Changed in keystone:
status: Triaged → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Samuel de Medeiros Queiroz (<email address hidden>) on branch: master
Review: https://review.openstack.org/311612
