Bug #1862606 “LDAP support broken if UTF8 characters in DN (pyth...” : Bugs : OpenStack Identity (keystone)

Revision history for this message

Rafal Ramocki (rafal-ramocki) wrote on 2020-02-10:

#1

Download full text (8.0 KiB)

And exception:

2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi Traceback (most recent call last):
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 148, in __call__
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi result = method(req, **params)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 102, in authenticate_for_token
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi app_cred_id=app_cred_id, parent_audit_id=token_audit_id)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 116, in wrapped
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/token/provider.py", line 252, in issue_token
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi token.mint(token_id, issued_at)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 533, in mint
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi self._validate_domain_scope()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 478, in _validate_domain_scope
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi if self.domain_scoped and not self.roles:
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 418, in roles
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi roles = self._get_domain_roles()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 373, in _get_domain_roles
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi self.user_id, self.domain_id
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 116, in wrapped
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi __ret_val = __f(*args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1220, in decorate
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi should_cache_fn)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 825, in get_or_create
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi async_creator) as value:
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/lock.py", line 154, in __enter__
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi return self._enter()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/dogpile/lock.py", line 94, in _enter
2020-02-10 10:39:4...

And exception:

2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi Traceback (most recent call last):
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 148, in __call__
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     result = method(req, **params)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 102, in authenticate_for_token
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     app_cred_id=app_cred_id, parent_audit_id=token_audit_id)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 116, in wrapped
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/token/provider.py", line 252, in issue_token
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     token.mint(token_id, issued_at)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 533, in mint
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     self._validate_domain_scope()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 478, in _validate_domain_scope
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     if self.domain_scoped and not self.roles:
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 418, in roles
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     roles = self._get_domain_roles()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/models/token_model.py", line 373, in _get_domain_roles
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     self.user_id, self.domain_id
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 116, in wrapped
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1220, in decorate
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     should_cache_fn)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 825, in get_or_create
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     async_creator) as value:
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/lock.py", line 154, in __enter__
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return self._enter()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/lock.py", line 94, in _enter
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     generated = self._enter_create(createdtime)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/lock.py", line 145, in _enter_create
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     created = self.creator()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 792, in gen_value
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     created_value = creator()
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/dogpile/cache/region.py", line 1216, in creator
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return fn(*arg, **kw)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/core.py", line 162, in get_roles_for_user_and_domain
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     user_id=user_id, domain_id=domain_id, effective=True)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 116, in wrapped
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/core.py", line 1012, in list_role_assignments
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     strip_domain_roles)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/core.py", line 867, in _list_effective_role_assignments
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     group_ids = self._get_group_ids_for_user_id(user_id)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/core.py", line 87, in _get_group_ids_for_user_id
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     x in PROVIDERS.identity_api.list_groups_for_user(user_id)]
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 116, in wrapped
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 416, in wrapper
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return f(self, *args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 426, in wrapper
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return f(self, *args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 1321, in list_groups_for_user
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     ref_list = driver.list_groups_for_user(entity_id, hints)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/core.py", line 118, in list_groups_for_user
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return self.group.list_user_groups_filtered(user_dn, hints)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/core.py", line 436, in list_user_groups_filtered
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return self.get_all_filtered(hints, query)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/core.py", line 487, in get_all_filtered
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     for group in self.get_all(query, hints)]
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 1575, in get_all
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     for x in self._ldap_get_all(hints, ldap_filter)]
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/driver_hints.py", line 42, in wrapper
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     return f(self, hints, *args, **kwargs)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 1507, in _ldap_get_all
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi     self.id_attr)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi UnicodeDecodeError: 'ascii' codec can't decode byte 0xc5 in position 15: ordinal not in range(128)
2020-02-10 10:39:49.948 18007 ERROR keystone.common.wsgi

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-10: Fix proposed to keystone (master)

#2

Fix proposed to branch: master
Review: https://review.opendev.org/706791

Changed in keystone:
assignee:	nobody → Rafal (rafal-ramocki-b)
status:	New → In Progress

Revision history for this message

Rafal (rafal-ramocki-b) wrote on 2020-02-19:

#3

During work on keystone it appeared that bug is only releated when use_pool=True in keystone (default). It seams that #1798184 was partial and may not work for pooled connections.

Rafal (rafal-ramocki-b) on 2020-02-20

Changed in ldappool:
assignee:	nobody → Rafal (rafal-ramocki-b)

Revision history for this message

Rafal (rafal-ramocki-b) wrote on 2020-02-20:

#4

I've proposed a fix to ldappool. Please review it:

https://review.opendev.org/#/c/708699/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-01-21: Change abandoned on keystone (master)

#5

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/706791
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	In Progress	Undecided	Rafal
	ldappool	In Progress	Undecided	Rafal

OpenStack Identity (keystone)

LDAP support broken if UTF8 characters in DN (python2)

Bug Description

Other bug subscribers

Remote bug watches