Keystone + LDAP list users of a group

Bug #1831100 reported by Kris Watson on 2019-05-30
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Undecided
Unassigned

Bug Description

I have created an LDAP group 'group2' and added users to that group. When I use ldapsearch, I can see the user in the group.

ldapsearch -x -H ldap://localhost -b cn=group2,ou=groups,dc=test,dc=org -D "cn=admin,dc=test,dc=org" -w admin "(objectClass=posixGroup)" -S "memberUid"

I then registered my LDAP domain with keystone and can see the list of groups and also the list of users, but when I try to get the list of users that belong to a group I get a 500 Internal Server Error. The command I used was:

openstack user list --domain lldap --group group2 --debug

and the error is as follows:

GET call to identity for http://127.0.0.1:35357/v3/groups/c6c5a4931e70af09259bcc2111ce569ea5cf386ceacfe485faa7a048873fb578/users?domain_id=d2c019644a344302a9302bcf004fd3e3 used request id req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af
Request returned failure status: 500
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/identity/v3/user.py", line 266, in take_action
    group=group,
  File "/usr/lib/python2.7/site-packages/debtcollector/renames.py", line 43, in decorator
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 136, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 397, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 125, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 304, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 463, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 189, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/osc_lib/session.py", line 40, in request
    resp = super(TimingSession, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 737, in request
    raise exceptions.from_response(resp, method, url)
InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)
clean_up ListUser: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/identity/v3/user.py", line 266, in take_action
    group=group,
  File "/usr/lib/python2.7/site-packages/debtcollector/renames.py", line 43, in decorator
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 136, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 397, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 125, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 304, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 463, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 189, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/osc_lib/session.py", line 40, in request
    resp = super(TimingSession, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 737, in request
    raise exceptions.from_response(resp, method, url)
InternalServerError: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-a0cfd301-7d4c-4ce8-ae74-5b81c0b6a6af)

I am using centos-release-openstack-queens (the Queens version of OpenStack)
and openstack-keystone-13.0.1.

description: updated
Adam Young (ayoung) wrote :

Please delete the client stack trace from the description and add an additional comment with the server side stack trace. There is a problem in the LDAP layer.

Kris Watson (krisawatson) wrote :

Here is the stacktrace from the keystone.log file:

2019-05-31 07:15:11.225 116 INFO keystone.common.wsgi [req-04c098a1-b585-4e59-9a7e-bdebae4a5ab9 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/domains/lldap
2019-05-31 07:15:11.232 116 WARNING keystone.common.wsgi [req-04c098a1-b585-4e59-9a7e-bdebae4a5ab9 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] Could not find domain: lldap.: DomainNotFound: Could not find domain: lldap.
2019-05-31 07:15:11.368 116 INFO keystone.common.wsgi [req-0d588141-9949-499f-8d0d-dbe59c391d62 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/domains?name=lldap
2019-05-31 07:15:11.508 116 INFO keystone.common.wsgi [req-f6b5a271-ff8b-4f80-bde9-530d77989f04 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/groups/group2
2019-05-31 07:15:11.516 116 WARNING keystone.common.wsgi [req-f6b5a271-ff8b-4f80-bde9-530d77989f04 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] Could not find group: group2.: GroupNotFound: Could not find group: group2.
2019-05-31 07:15:11.622 116 INFO keystone.common.wsgi [req-57d94bc7-b8d4-4895-a21d-d348f48ab906 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/groups?domain_id=d2c019644a344302a9302bcf004fd3e3&name=group2
2019-05-31 07:15:11.623 116 WARNING py.warnings [req-57d94bc7-b8d4-4895-a21d-d348f48ab906 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] /usr/lib/python2.7/site-packages/oslo_policy/policy.py:869: UserWarning: Policy identity:list_groups failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

2019-05-31 07:15:11.790 116 INFO keystone.common.wsgi [req-9663b3c5-a9fa-4447-8cf9-ee537b2ffac8 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] GET http://127.0.0.1:35357/v3/groups/c6c5a4931e70af09259bcc2111ce569ea5cf386ceacfe485faa7a048873fb578/users?domain_id=d2c019644a344302a9302bcf004fd3e3
2019-05-31 07:15:11.809 116 WARNING py.warnings [req-9663b3c5-a9fa-4447-8cf9-ee537b2ffac8 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] /usr/lib/python2.7/site-packages/oslo_policy/policy.py:869: UserWarning: Policy identity:list_users_in_group failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

2019-05-31 07:15:11.812 116 ERROR keystone.common.wsgi [req-9663b3c5-a9fa-4447-8cf9-ee537b2ffac8 8442b4858f1b4bcc9438ed811c0a9d8c 134ee1ca088546b2b7c4591f75a7108d - default default] : DECODING_ERROR
2019-05-31 07:15:11.812 116 ERROR keystone.common.wsgi Traceback (most recent call last):
2019-05-31 07:15:11.812 116 ERROR keystone.common.wsg...

Changed in keystone:
assignee: nobody → Rohan Kumar (kumarrohan346)
Colleen Murphy (krinkle) wrote :

Are you able to reproduce this on a newer version of keystone?

Do any of the users in the group have non-ascii characters in their names? What version of python-ldap is installed?
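
One way to answer the non-ASCII question above from the reporter's ldapsearch output, as an added example that is not part of the original thread or of keystone: it parses the LDIF of the group entry and classifies every memberUid value. The sample LDIF, the user names in it and the function names are constructed for illustration.

```python
import base64

# Constructed sample in the shape ldapsearch prints for a posixGroup entry.
# LDIF (RFC 2849) writes values that are not plain ASCII as "attr:: <base64>"
# and wraps long lines onto continuation lines that start with one space.
SAMPLE_LDIF = """\
dn: cn=group2,ou=groups,dc=test,dc=org
objectClass: posixGroup
cn: group2
gidNumber: 5001
memberUid: alice
memberUid:: asO2cmc=
memberUid:: /2JvYg==
memberUid: a-very-long-user-name-that-ldapsearch-wra
 ps-onto-a-continuation-line
"""


def unfold(ldif):
    """Join LDIF continuation lines (leading single space) to their parent line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def audit_members(ldif, attr="memberUid"):
    """Return a list of (value, verdict) for every `attr` value in the LDIF."""
    report = []
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue  # comments, blank lines and other attributes
        if rest.startswith(":"):  # "attr:: b64" carries the raw bytes
            raw = base64.b64decode(rest[1:].strip())
        else:
            raw = rest.strip().encode("utf-8")
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            report.append((repr(raw), "invalid-utf8"))
            continue
        report.append((text, "ascii" if text.isascii() else "non-ascii"))
    return report


if __name__ == "__main__":
    for value, verdict in audit_members(SAMPLE_LDIF):
        print(f"{verdict:12} {value}")
```

Feed it the unsorted output of the ldapsearch command from the bug description. The installed python-ldap version asked about in the same comment can be read from `ldap.__version__`.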

Changed in keystone:
status: New → Incomplete
Changed in keystone:
assignee: Rohan Kumar (kumarrohan346) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired