Keystone should handle ldap.SIZELIMIT_EXCEEDED error

Bug #1712415 reported by prashkre
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Low | prashkre |
Pike | Fix Committed | Low | Unassigned |
Queens | Fix Released | Low | prashkre |

Bug Description

With LDAP configured as the identity backend for keystone, the GET users/groups API fails abruptly with the stack trace below, without proper error handling, when the number of LDAP search results (users/groups) is more than the default sizelimit configured on the LDAP server.

The size limit is of course as configured at the LDAP server and the configuration is beyond the control of OpenStack/keystone. However, keystone should have better error handling in this ldap flow so that such errors return an appropriate message. (Full stack trace can be found in the attachment)

result = func(*args,**kwargs)
2017-08-04 11:44:46.368 102104 ERROR keystone.common.wsgi SIZELIMIT_EXCEEDED: {'desc': u'Size limit exceeded'}

Divya K Konoor (dikonoor) wrote :
Changed in keystone:
assignee: nobody → Divya K Konoor (dikonoor)
description: updated
summary: - Handle ldap.SIZELIMIT_EXCEEDED error
+ Keystone should handle ldap.SIZELIMIT_EXCEEDED error
Lance Bragstad (lbragstad) wrote :

I'd like to recreate this locally, but it certainly sounds like something keystone can check for gracefully.

tags: added: ldap
Changed in keystone:
status: New → Triaged
importance: Undecided → Low
prashkre (prashkre)
Changed in keystone:
assignee: Divya K Konoor (dikonoor) → prashkre (prashkre)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/511822

Changed in keystone:
status: Triaged → In Progress
tags: added: user-experience
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/511822
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f776fc18383fcfdc97932eaaab261a0b85e0ef68
Submitter: Zuul
Branch: master

commit f776fc18383fcfdc97932eaaab261a0b85e0ef68
Author: prashkre <email address hidden>
Date: Fri Oct 13 17:31:39 2017 +0530

    Handle ldap size limit exceeded exception

    LDAP servers have sizelimit configuration to limit the number of
    user/group objects that can be returned for an LDAP query. This
    change catches the size limit exceeded exception when users/groups
    returned from ldap search query exceeds the configured limit and
    responds with an appropriate error message instead of default
    500 error message.

    Change-Id: I9949bb7d458b4b037616c701e0e4d362bfa36473
    Closes-Bug: #1712415

Changed in keystone:
status: In Progress → Fix Released
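
The handling described in the commit message above, sketched as an added example (not keystone's code and not taken from the linked commit). `LDAPSizeLimitError`, `FakeConnection`, `list_entries`, `handle_get_users`, the logger name, the base DN and the returned status code are assumptions made for illustration; the `SIZELIMIT_EXCEEDED` class is a stand-in for python-ldap's `ldap.SIZELIMIT_EXCEEDED` so the block runs without an LDAP server.

```python
import logging

LOG = logging.getLogger("identity.ldap")  # hypothetical logger name


class SIZELIMIT_EXCEEDED(Exception):
    """Stand-in for python-ldap's ldap.SIZELIMIT_EXCEEDED so this runs offline."""


class LDAPSizeLimitError(Exception):
    """Hypothetical API-level error carrying a message that is safe to return."""
    message = ("The LDAP server returned more user/group entries than its "
               "size limit allows. Narrow the query or contact the LDAP "
               "administrator.")


class FakeConnection:
    """Constructed test double: fails like a server whose sizelimit is hit."""
    def __init__(self, entries, server_sizelimit):
        self.entries, self.limit = entries, server_sizelimit

    def search_s(self, base, scope, filterstr):
        if len(self.entries) > self.limit:
            raise SIZELIMIT_EXCEEDED({'desc': 'Size limit exceeded'})
        return list(self.entries)


def list_entries(conn, base, filterstr="(objectClass=*)"):
    """Run the search; convert the backend failure into the typed error."""
    try:
        return conn.search_s(base, 2, filterstr)  # 2 == ldap.SCOPE_SUBTREE
    except SIZELIMIT_EXCEEDED as exc:
        # Keep backend detail in the server log, not in the API response.
        LOG.warning("LDAP size limit hit for base=%s: %s", base, exc)
        raise LDAPSizeLimitError() from exc


def handle_get_users(conn):
    """Hypothetical request handler returning (status, body)."""
    try:
        users = list_entries(conn, "ou=Users,dc=example,dc=org")
        return 200, {"users": [dn for dn, _attrs in users]}
    except LDAPSizeLimitError as exc:
        # Status code is an assumption; the point is the explicit message.
        return 500, {"error": {"title": "LDAP size limit exceeded",
                               "message": exc.message}}
```

The original exception stays attached as `__cause__`, so the server-side log keeps the backend detail while the API response carries only the fixed message.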
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/514885

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/pike)

Reviewed: https://review.openstack.org/514885
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d07677aba54362a4a3aa2d165b155105ffe30d73
Submitter: Zuul
Branch: stable/pike

commit d07677aba54362a4a3aa2d165b155105ffe30d73
Author: prashkre <email address hidden>
Date: Fri Oct 13 17:31:39 2017 +0530

    Handle ldap size limit exceeded exception

    LDAP servers have sizelimit configuration to limit the number of
    user/group objects that can be returned for an LDAP query. This
    change catches the size limit exceeded exception when users/groups
    returned from ldap search query exceeds the configured limit and
    responds with an appropriate error message instead of default
    500 error message.

    Change-Id: I9949bb7d458b4b037616c701e0e4d362bfa36473
    Closes-Bug: #1712415
    (cherry picked from commit f776fc18383fcfdc97932eaaab261a0b85e0ef68)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 13.0.0.0b2

This issue was fixed in the openstack/keystone 13.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.1

This issue was fixed in the openstack/keystone 12.0.1 release.
