OpenStack Identity (keystone)

ImportError on pam - different naming in distros vs python package

Bug #938801 reported by Ionuț Arțăriși
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Russell Bryant
OpenStack Identity (keystone) 2012.1 "essex"

Bug Description

Trying to import the pam backend in keystone on a devstack setup I did this morning reveals this:

$ python -c "import keystone.identity.backends.pam"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/opt/stack/keystone/keystone/identity/backends/pam.py", line 19, in <module>
    import pam
ImportError: No module named pam

After further investigation it seems that Ubuntu (as well as openSUSE which I also looked at) install python-pam as the uppercase 'PAM' package. The python package installed by pip on the other hand installs it as the lowercase 'pam'.

I don't know what the best solution is here. Write a "try: import pam; except ImportError: import PAM" block, or petition all distros to package a symlink from 'pam' to 'PAM' :).

Tags: pam
Joseph Heck (heckj)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
tags: added: pam
Revision history for this message
Russell Bryant (russellb) wrote :

I looked at this a bit in Fedora. The PyPAM package installs a Python module as PAM. However, it does not provide the same API as the pam module used in keystone.identity.backends.pam. It looks like it won't be too hard to add support for PyPAM, though.

Russell Bryant (russellb)
Changed in keystone:
assignee: nobody → Russell Bryant (russellb)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5365

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
Russell Bryant (russellb) wrote :

This patch works for me on Fedora 16, but I would appreciate a sanity check on other distros, especially those that have a module called PAM, to see if it's actually the same one that is in Fedora.

Revision history for this message
Joseph Heck (heckj) wrote :

Russel - I think a try:except with a failure logged and raised would be right.

That's gives us an error/failure mode when its intentionally set in the conf, but unavailable on the target system

Revision history for this message
Jesse Andrews (anotherjesse) wrote :

heckj, I'm uncertain if pam works given all the changes that went into sql/ldap.

we might want to "hide" this for essex or add some coverage

Revision history for this message
Russell Bryant (russellb) wrote :

I updated the patch to update the pam backend to be "compatible" with the latest backend API. Most API calls just raise NotImplementedError, but authentication works at least.

Joseph Heck (heckj)
tags: added: essex-rc-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/5365
Committed: http://github.com/openstack/keystone/commit/e67732748c7ad4656f6ef5d9da3ff4789199bf9a
Submitter: Jenkins
Branch: master

commit e67732748c7ad4656f6ef5d9da3ff4789199bf9a
Author: Russell Bryant <email address hidden>
Date: Wed Mar 14 16:55:24 2012 -0400

    Support PyPAM in pam backend, update to latest API

    Fix bug 938801.

    This bug pointed out that some distros don't have the same pam Python
    module packaged that this backend was expecting. In my case, on Fedora,
    it's PAM and the API is not compatible with the pam module that was
    used. This patch makes the backend support PyPAM, as well as the
    original pam module that was used.

    In order to test this, I updated the pam backend to the latest backend
    API. Even though the base class will raise NotImplementedError, I
    included all functions here to make it more clear all of the things
    this backend does not do.

    Change-Id: I74144f4e63b6830c8224bc87e1662eb5df8728a0

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
tags: removed: essex-rc-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → essex-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc1 → 2012.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.