OpenStack Identity (keystone)

Update global requirements to handle encoding issues with python2-pyldap-2.4.35

Bug #1715080 reported by prashkre
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Confirmed
Low
Unassigned
Pike
Won't Fix
Low
Unassigned

Bug Description

With LDAP as identity backend and user/group name has non-ascii characters like "arc1Össk", when a role is assigned to such user it is failing in below stacktrace. UnicodeEncodeError issue is from python2-pyldap-2.4.35 installed. This issue was fixed in python2-pyldap-2.4.36 release with changes in https://github.com/pyldap/pyldap/pull/95.

Currently stable/pike has global requirement(https://github.com/openstack/requirements/blob/stable/pike/global-requirements.txt#L195) of pyldap>=2.4.20 which needs to be changed to pyldap>=2.4.36.

For more details on the issue, please refer to below links
https://stackoverflow.com/questions/38616020/pyldap-dn-encoding-error
https://github.com/pyldap/pyldap/issues/54

2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi [req-8bc17bd4-e821-411d-b496-a75feca8448e 91476076d6686143dff68d08e87358a29daf0725c549008f9c0852d2c7ab8e42 38aa26ac274146778e655c6bcee3de68 - default default] 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128): UnicodeEncodeError: 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi result = method(req, **params)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 93, in inner
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi self, f, check_function, request, None, *args, **kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 158, in protected_wrapper
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi check_function(self, request, prep_info, *args, **kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/assignment/controllers.py", line 625, in _check_grant_protection
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi ref['user'] = self.identity_api.get_user(user_id)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", l

2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 634, in wrapper
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return func(self, conn, *args, **kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 764, in search_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi attrsonly)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 773, in search_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 1180, in search_ext_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 1118, in _apply_method_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi return func(self,*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 766, in search_ext_s
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 762, in search_ext
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi timeout,sizelimit,
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 265, in _ldap_call
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi result = func(*args,**kwargs)
2017-08-31 07:18:32.565 10756 ERROR keystone.common.wsgi UnicodeEncodeError: 'ascii' codec can't encode character u'\xd6' in position 10: ordinal not in range(128)

Revision history for this message
Lance Bragstad (lbragstad) wrote :

I don't think global requirements is the problem here. It would appear that this is also an issue in master. Since pyldap is an optional dependency that is managed in setup.cfg, we'll need to bump it there [0]. Then we can discuss the process for backporting this to stable/pike with the stable maintenance team.

[0] https://github.com/openstack/keystone/blob/fbce49970cb005986f5e491583c07bb3644355b0/setup.cfg#L27

Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
importance: Medium → Low
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Marking this as Low since the workaround is to upgrade pyldap manually.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

This is just something to do, update global-requirments and it is populated down. Updating global-requirements for a past release is hard to do, it is suggested that you simply propose the changes and it will be synchronized to keystone once it is approved.

Changed in keystone:
status: Confirmed → Won't Fix
Revision history for this message
Colleen Murphy (krinkle) wrote :

global-requirements isn't synced to all projects anymore, see http://lists.openstack.org/pipermail/openstack-dev/2018-March/128352.html

This is still valid for Queens and Pike (we switched ldap libs in Rocky)

Changed in keystone:
status: Won't Fix → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.