Keystone + LDAP list users of a group

Bug #1831100 reported by Kris Watson
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: none listed

Bug Description

I have created an LDAP group 'group2' and added users to that group. When I use ldapsearch I can see the user in the group.

ldapsearch -x -H ldap://localhost -b cn=group2,ou=groups,dc=test,dc=org -D "cn=admin,dc=test,dc=org" -w admin "(objectClass=posixGroup)" -S "memberUid"

I then register my LDAP domain with keystone and can see the list of groups and also the list of users, but when I try to get the list of users that belong to a group I get a 500 Internal Server Error. The command I used was:

openstack user list --domain lldap --group group2 --debug

and the error is as follows:

GET call to identity for http://127.0.0.1:35357/v3/groups/c6c5a4931e70af09259bcc2111ce569ea5cf386ceacfe485faa7a048873fb578/users?domain_id=d2c019644a344302a9302bcf004fd3e3 used request id req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af
Request returned failure status: 500
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/identity/v3/user.py", line 266, in take_action
    group=group,
  File "/usr/lib/python2.7/site-packages/debtcollector/renames.py", line 43, in decorator
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 136, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 397, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 125, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 304, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 463, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 189, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/osc_lib/session.py", line 40, in request
    resp = super(TimingSession, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 737, in request
    raise exceptions.from_response(resp, method, url)
InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)
clean_up ListUser: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/identity/v3/user.py", line 266, in take_action
    group=group,
  File "/usr/lib/python2.7/site-packages/debtcollector/renames.py", line 43, in decorator
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 136, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 397, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 125, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 304, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 463, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 189, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/osc_lib/session.py", line 40, in request
    resp = super(TimingSession, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 737, in request
    raise exceptions.from_response(resp, method, url)
InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)

I am using centos-release-openstack-queens (Queens version of OpenStack) and openstack-keystone-13.0.1.

description: updated
Adam Young (ayoung) wrote :

Please delete the client stack trace from the description and add an additional comment with the server side stack trace. There is a problem in the LDAP layer.

Kris Watson (krisawatson) wrote :

Here is the stacktrace from the keystone.log file:

2019-05-31 07:15:11.225 116 INFO keystone.common.wsgi [req-04c098a1-b585-4e59-9a7e-bdebae4a5ab9 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/domains/lldap
2019-05-31 07:15:11.232 116 WARNING keystone.common.wsgi [req-04c098a1-b585-4e59-9a7e-bdebae4a5ab9 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] Could not find domain: lldap.: DomainNotFound: Could not find domain: lldap.
2019-05-31 07:15:11.368 116 INFO keystone.common.wsgi [req-0d588141-9949-499f-8d0d-dbe59c391d62 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/domains?name=lldap
2019-05-31 07:15:11.508 116 INFO keystone.common.wsgi [req-f6b5a271-ff8b-4f80-bde9-530d77989f04 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/groups/group2
2019-05-31 07:15:11.516 116 WARNING keystone.common.wsgi [req-f6b5a271-ff8b-4f80-bde9-530d77989f04 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] Could not find group: group2.: GroupNotFound: Could not find group: group2.
2019-05-31 07:15:11.622 116 INFO keystone.common.wsgi [req-57d94bc7-b8d4-4895-a21d-d348f48ab906 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/groups?domain_id=d2c019644a344302a9302bcf004fd3e3&name=group2
2019-05-31 07:15:11.623 116 WARNING py.warnings [req-57d94bc7-b8d4-4895-a21d-d348f48ab906 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] /usr/lib/python2.7/site-packages/oslo_policy/policy.py:869: UserWarning: Policy identity:list_groups failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

2019-05-31 07:15:11.790 116 INFO keystone.common.wsgi [req-9663b3c5-a9fa-4447-8cf9-ee537b2ffac8 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/groups/c6c5a4931e70af09259bcc2111ce569ea5cf386ceacfe485faa7a048873fb578/users?domain_id=d2c019644a344302a9302bcf004fd3e3
2019-05-31 07:15:11.809 116 WARNING py.warnings [req-9663b3c5-a9fa-4447-8cf9-ee537b2ffac8 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] /usr/lib/python2.7/site-packages/oslo_policy/policy.py:869: UserWarning: Policy identity:list_users_in_group failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

2019-05-31 07:15:11.812 116 ERROR keystone.common.wsgi [req-9663b3c5-a9fa-4447-8cf9-ee537b2ffac8 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] : DECODING_ERROR
2019-05-31 07:15:11.812 116 ERROR keystone.common.wsgi Traceback (most recent call last):
2019-05-31 07:15:11.812 116 ERROR keystone.common.wsg...


Changed in keystone:
assignee: nobody → Rohan Kumar (kumarrohan346)
Colleen Murphy (krinkle) wrote :

Are you able to reproduce this on a newer version of keystone?

Do any of the users in the group have non-ascii characters in their names? What version of python-ldap is installed?

Changed in keystone:
status: New → Incomplete
Changed in keystone:
assignee: Rohan Kumar (kumarrohan346) → nobody
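
The question above about non-ASCII member names can be checked offline from the group's LDIF, where ldapsearch writes any value that is not plain ASCII as base64 (`attr:: value`). This is an added example, not part of the original report or of keystone's code; it assumes `ldapsearch -LLL` output, takes the `memberUid` attribute from the reporter's query, and uses a constructed sample entry.

```python
import base64

# Constructed sample of `ldapsearch -LLL` output for the group (not from the report).
SAMPLE_LDIF = """\
dn: cn=group2,ou=groups,dc=test,dc=org
objectClass: posixGroup
cn: group2
memberUid: alice
memberUid:: asOpcsO0bWU=
memberUid: bob-with-a-long-uid-that-is-folded
 -onto-a-second-line
memberUid:: /v8=
"""


def unfold(ldif):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def member_values(ldif, attr="memberUid"):
    """Yield the raw bytes of each value of attr; 'attr:: ' marks base64."""
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):
            yield base64.b64decode(rest[1:].strip())
        else:
            yield rest.strip().encode("utf-8")


def classify(ldif, attr="memberUid"):
    """Return (value, verdict) pairs: 'ascii', 'non-ascii' or 'invalid-utf8'."""
    out = []
    for raw in member_values(ldif, attr):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            out.append((repr(raw), "invalid-utf8"))
            continue
        out.append((text, "ascii" if text.isascii() else "non-ascii"))
    return out
```
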
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired