LDAPServerConnectionError gives out too much info

Bug #1687115 reported by Boris Bobrov
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Matthew Edmonds
Milestone: (none listed)

Bug Description

Exception LDAPServerConnectionError (https://git.openstack.org/cgit/openstack/keystone/tree/keystone/exception.py?h=12.0.0.0b1#n597) is now implemented as a subclass of Error. It gives out too much info about setup (that LDAP is used) and it should not set its error code.

Instead, it should be implemented as subclass of UnexpectedError and debug_message_format should be used, like in https://git.openstack.org/cgit/openstack/keystone/tree/keystone/exception.py?h=12.0.0.0b1#n491

Tags: ldap
tags: added: ldap
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
Revision history for this message
Matthew Edmonds (edmondsw) wrote :

Once this is fixed, we can use this exception in the ldap.INVALID_CREDENTIALS case to fix https://bugs.launchpad.net/keystone/+bug/1684994

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/463506

Changed in keystone:
assignee: nobody → xuhaigang (rocky0722)
status: Triaged → In Progress
Revision history for this message
Lance Bragstad (lbragstad) wrote :

For what it's worth, this was pulled into its own bug report because the current implementation leaks information when using LDAP credentials to do anything. For example, if a user does something that requires a connection to LDAP, but the connection credentials are wrong, then the end user will see that information.

Changed in keystone:
assignee: xuhaigang (rocky0722) → Matthew Edmonds (edmondsw)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/463506
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6ae168544ac1fdf4edd8c8b97c22ccafabc643ac
Submitter: Jenkins
Branch: master

commit 6ae168544ac1fdf4edd8c8b97c22ccafabc643ac
Author: rocky <email address hidden>
Date: Tue May 9 17:21:23 2017 +0800

    Change LDAPServerConnectionError

    The base class of LDAPServerConnectionError is changed from Error to
    UnexpectedError so that it will result in HTTP 500 instead of 504. It
    is inappropriate to be telling API users that there was a timeout,
    which implies that LDAP is being used when they should not know that.

    Change-Id: Ic9ac3443bb2117e33b1ec66d570ae2a7a2f62df2
    Closes-Bug: #1687115

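The following is an added example, not code from keystone or from this bug's patch. It models the exception pattern the bug description and the commit message discuss: an `Error` base class whose `message_format` and `code` are sent to the API client, an `UnexpectedError` subclass that always answers with a generic HTTP 500 message and keeps the specific detail in `debug_message_format`, and the "before" (subclass of `Error`, own 504 code, LDAP named in the message) and "after" (subclass of `UnexpectedError`) shapes of `LDAPServerConnectionError`. The class names and the `insecure_debug` switch are simplified stand-ins for keystone's own, and the `LeakyLDAPServerConnectionError` name is invented here to hold the pre-fix behaviour side by side with the fixed one.

```python
"""Simplified model of a keystone-style exception hierarchy (added example).

This is not keystone's exception.py. It reconstructs the pattern described in
bug #1687115 so the client-visible and operator-visible messages can be
compared for the 'before' and 'after' shapes of LDAPServerConnectionError.
"""
import http.client


class Error(Exception):
    """Base API error: message_format and code are what the client receives."""

    message_format = "An unhandled error occurred."
    code = http.client.INTERNAL_SERVER_ERROR
    title = http.client.responses[http.client.INTERNAL_SERVER_ERROR]

    def __init__(self, message=None, **kwargs):
        self.kwargs = kwargs
        message = message or self._build_message(**kwargs)
        super().__init__(message)
        self.message = message

    def _build_message(self, **kwargs):
        # Subclasses of Error render their own message_format for the client.
        return self.message_format % kwargs


class UnexpectedError(Error):
    """Internal failure: the client gets a generic 500; detail stays server-side."""

    message_format = ("An unexpected error prevented the server from "
                      "fulfilling your request.")
    # Optional backend-specific text for logs; never the default client message.
    debug_message_format = None
    # Hypothetical stand-in for keystone's insecure_debug configuration option.
    insecure_debug = False

    def _build_message(self, **kwargs):
        if self.debug_message_format and self.insecure_debug:
            return self.debug_message_format % kwargs
        return self.message_format

    @property
    def debug_message(self):
        """Rendered detail for the operator's log line."""
        fmt = self.debug_message_format or self.message_format
        return fmt % self.kwargs


class LeakyLDAPServerConnectionError(Error):
    """'Before' shape (name invented here): names LDAP and sets its own 504."""

    message_format = "Unable to establish a connection to LDAP Server (%(url)s)."
    code = http.client.GATEWAY_TIMEOUT
    title = http.client.responses[http.client.GATEWAY_TIMEOUT]


class LDAPServerConnectionError(UnexpectedError):
    """'After' shape: inherits the generic 500; LDAP detail is debug-only."""

    debug_message_format = "Unable to establish a connection to LDAP Server (%(url)s)."


def client_response(exc):
    """What an API client would see for the exception: (status code, body text)."""
    return int(exc.code), exc.message


def leaks_backend(exc):
    """True if the client-visible message names the LDAP backend."""
    return "ldap" in client_response(exc)[1].lower()


if __name__ == "__main__":
    # Constructed sample URL; an operator would see it only in the debug message.
    url = "ldap://directory.example.invalid"
    before = LeakyLDAPServerConnectionError(url=url)
    after = LDAPServerConnectionError(url=url)
    print("before:", client_response(before), "leaks:", leaks_backend(before))
    print("after: ", client_response(after), "leaks:", leaks_backend(after))
    print("operator log:", after.debug_message)
```

Running the script shows the pre-fix exception answering with a 504 whose body names the LDAP server, while the fixed exception answers with the generic 500 text and keeps the URL only in `debug_message`, which is the behaviour the commit message describes.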
Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → pike-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b2

This issue was fixed in the openstack/keystone 12.0.0.0b2 development milestone.
