[Yahoo-eng-team] [Bug 1609511] [NEW] flush_expired_tokens API fails when more than 200k tokens in the token table
Public bug reported: When there are over 200k tokens need to be flushed, it results the following error in mysql error.log - 2016-07-29 02:00:18 40452 [Warning] WSREP: transaction size limit (1073741824) exceeded: 1073774592 2016-07-29 02:00:19 40452 [ERROR] WSREP: rbr write fail, data_len: 0, 2 In the current code, it triggers a series of DELETE for a batch of 1000 tokens until all the expired tokens are deleted. However, all the DELETE transactions are not yet committed until the method exits. For big size of transactions like that, we definitely cannot reply on the auto-commit in the end. Instead, explicit commit should be triggered for every single transaction. The following is the error in keystone.log - 289518 27060 (keystone): 2016-07-29 01:15:25,397 CRITICAL log logging_excepthook OperationalError: (_mysql_exceptions.OperationalError) (1180, 'Got error 5 during COMMIT') 1289519 Traceback (most recent call last): 1289520 File "/opt/stack/service/keystone-20160719T001534Z/venv/bin//keystone-manage", line 10, in 1289521 sys.exit(main()) 1289522 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/cmd/manage.py", line 47, in main 1289523 cli.main(argv=sys.argv, config_files=config_files) 1289524 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/cmd/cli.py", line 1010, in main 1289525 CONF.command.cmd_class.main() 1289526 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/cmd/cli.py", line 562, in main 1289527 token_manager.flush_expired_tokens() 1289528 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/token/persistence/backends/sql.py", line 286, in flush_expired_tokens 1289529 LOG.info(_LI('Total expired tokens removed: %d'), total_removed) 1289530 File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__ 1289531 self.gen.next() 1289532 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py", line 760, in _transaction_scope 1289533 yield resource 1289534 File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__ 1289535 self.gen.next() 1289536 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py", line 495, in _session 1289537 self._end_session_transaction(self.session) 1289538 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py", line 516, in _end_session_transaction 1289539 session.commit() 1289540 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/orm/session.py", line 801, in commit 1289541 self.transaction.commit() 1289542 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/orm/session.py", line 396, in commit 1289543 t[1].commit() 1289544 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1574, in commit 1289545 self._do_commit() 1289546 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1605, in _do_commit 1289547 self.connection._commit_impl() 1289548 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 690, in _commit_impl 1289549 self._handle_dbapi_exception(e, None, None, None, None) 1289550 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1337, in _handle_dbapi_exception 1289551 util.raise_from_cause(newraise, exc_info) 1289552 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/util/compat.py", line 200, in raise_from_cause 1289553 reraise(type(exception), exception, tb=exc_tb, cause=cause) 1289554 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 688, in _commit_impl 1289555 self.engine.dialect.do_commit(self.connection) 1289556 File "/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/dialects/mysql/base.py", line 2514, in do_commit 1289557 dbapi_connection.commit() 1289558 OperationalError: (_mysql_exceptions.OperationalError) (1180, 'Got error 5 during COMMIT') ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1609511 Title: flush_expired_tokens API fails when more than 200k tokens in the token table Status in OpenStack Identity (keystone): New Bug description: When there are over 200k tokens need to be flushed, it results the following error in mysql error.log - 2016-07-29 02:00:18 40452
[Yahoo-eng-team] [Bug 1597024] [NEW] List role_assignments?include_names=False returns Entitys' Names
Public bug reported: When include_names=True, it shows the expected results that is with all the names in additional to Ids. However, it makes no difference when include_names=False. Like the following - GET https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False HTTP/1.1 Accept-Encoding: gzip,deflate X-Auth-Token: bee62e952fba4bafb09ad73cdc968eca Accept: application/json Host: localhost:35357 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5) HTTP/1.1 200 OK Date: Thu, 02 Jun 2016 19:53:17 GMT Server: Apache/2.4.10 (Debian) Vary: X-Auth-Token x-openstack-request-id: req-37962d1f-5d31-4d91-b8c3-1c598be4c82c Content-Length: 765 Content-Type: application/json {"role_assignments": [{"scope": {"domain": {"id": "b4421df800714f33ae9cdcd37704a98e", "name": "domainname_91455-201606021353160180"}}, "role": {"id": "2d3797efdb684f57b35e63eb7f66b30c", "name": "update_Role_91455-201606021353160180"}, "user": {"domain": {"id": "b4421df800714f33ae9cdcd37704a98e", "name": "domainname_91455-201606021353160180"}, "id": "44dfc2bd8f254a068d43e102a89fc355", "name": "DAname_91455-201606021353160180"}, "links": {"assignment": "https://localhost:35357/v3/domains/b4421df800714f33ae9cdcd37704a98e/users/44dfc2bd8f254a068d43e102a89fc355/roles/2d3797efdb684f57b35e63eb7f66b30c"}}], "links": {"self": "https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False;, "previous": null, "next": null}} The workaround is to not specify include_names or set include_names=0. A bug is in the parser. There is a parser 'def query_filter_is_true(cls, filter_value):' defined in common/controller.py returns False when filter_value is 0; anything else return True. Like - if (isinstance(filter_value, six.string_types) and filter_value == '0'): val = False else: val = True So basically it just does not consider value of filter_value False is False, only 0. ** Affects: keystone Importance: Undecided Assignee: Sam Leong (chio-fai-sam-leong) Status: New ** Changed in: keystone Assignee: (unassigned) => Sam Leong (chio-fai-sam-leong) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1597024 Title: List role_assignments?include_names=False returns Entitys' Names Status in OpenStack Identity (keystone): New Bug description: When include_names=True, it shows the expected results that is with all the names in additional to Ids. However, it makes no difference when include_names=False. Like the following - GET https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False HTTP/1.1 Accept-Encoding: gzip,deflate X-Auth-Token: bee62e952fba4bafb09ad73cdc968eca Accept: application/json Host: localhost:35357 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5) HTTP/1.1 200 OK Date: Thu, 02 Jun 2016 19:53:17 GMT Server: Apache/2.4.10 (Debian) Vary: X-Auth-Token x-openstack-request-id: req-37962d1f-5d31-4d91-b8c3-1c598be4c82c Content-Length: 765 Content-Type: application/json {"role_assignments": [{"scope": {"domain": {"id": "b4421df800714f33ae9cdcd37704a98e", "name": "domainname_91455-201606021353160180"}}, "role": {"id": "2d3797efdb684f57b35e63eb7f66b30c", "name": "update_Role_91455-201606021353160180"}, "user": {"domain": {"id": "b4421df800714f33ae9cdcd37704a98e", "name": "domainname_91455-201606021353160180"}, "id": "44dfc2bd8f254a068d43e102a89fc355", "name": "DAname_91455-201606021353160180"}, "links": {"assignment": "https://localhost:35357/v3/domains/b4421df800714f33ae9cdcd37704a98e/users/44dfc2bd8f254a068d43e102a89fc355/roles/2d3797efdb684f57b35e63eb7f66b30c"}}], "links": {"self": "https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False;, "previous": null, "next": null}} The workaround is to not specify inclu
[Yahoo-eng-team] [Bug 1545202] Re: Domain info is not shown in federated token validation response
The response shows the actual group id but the domain shows 'Federated', so that made me to be not sure if that is the intended behavior. Since it's documented, I'm cool with that ;-) ** Changed in: keystone Status: Incomplete => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1545202 Title: Domain info is not shown in federated token validation response Status in OpenStack Identity (keystone): Invalid Bug description: When validating a federated token, the group id info shows in the response but the domain info does not show, only shows 'Federated' for both domain id and domain name. HTTP/1.1 200 OK Date: Fri, 12 Feb 2016 21:24:16 GMT Server: Apache/2.4.10 (Debian) X-Subject-Token: b6c115ce0aed425baf3e8ed104da945d Vary: X-Auth-Token x-openstack-request-id: req-6c1a9a92-f3f9-48a2-8767-61001c77cadd Content-Length: 419 Content-Type: application/json {"token": {"methods": ["saml2"], "expires_at": "2016-02-13T01:20:20.037092Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "ks_fed1_idp"}, "protocol": {"id": "saml2"}, "groups": [{"id": "357f50fed4cc4f00804cd8da821426ea"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "admin", "name": "admin"}, "audit_ids": ["gCNZNyOAQfughh3tPMyEhQ"], "issued_at": "2016-02-12T21:20:20.037127Z"}} To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1545202/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1545202] [NEW] Domain info is not shown in federated token validation response
Public bug reported: When validating a federated token, the group id info shows in the response but the domain info does not show, only shows 'Federated' for both domain id and domain name. HTTP/1.1 200 OK Date: Fri, 12 Feb 2016 21:24:16 GMT Server: Apache/2.4.10 (Debian) X-Subject-Token: b6c115ce0aed425baf3e8ed104da945d Vary: X-Auth-Token x-openstack-request-id: req-6c1a9a92-f3f9-48a2-8767-61001c77cadd Content-Length: 419 Content-Type: application/json {"token": {"methods": ["saml2"], "expires_at": "2016-02-13T01:20:20.037092Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "ks_fed1_idp"}, "protocol": {"id": "saml2"}, "groups": [{"id": "357f50fed4cc4f00804cd8da821426ea"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "admin", "name": "admin"}, "audit_ids": ["gCNZNyOAQfughh3tPMyEhQ"], "issued_at": "2016-02-12T21:20:20.037127Z"}} ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1545202 Title: Domain info is not shown in federated token validation response Status in OpenStack Identity (keystone): New Bug description: When validating a federated token, the group id info shows in the response but the domain info does not show, only shows 'Federated' for both domain id and domain name. HTTP/1.1 200 OK Date: Fri, 12 Feb 2016 21:24:16 GMT Server: Apache/2.4.10 (Debian) X-Subject-Token: b6c115ce0aed425baf3e8ed104da945d Vary: X-Auth-Token x-openstack-request-id: req-6c1a9a92-f3f9-48a2-8767-61001c77cadd Content-Length: 419 Content-Type: application/json {"token": {"methods": ["saml2"], "expires_at": "2016-02-13T01:20:20.037092Z", "extras": {}, "user": {"OS-FEDERATION": {"identity_provider": {"id": "ks_fed1_idp"}, "protocol": {"id": "saml2"}, "groups": [{"id": "357f50fed4cc4f00804cd8da821426ea"}]}, "domain": {"id": "Federated", "name": "Federated"}, "id": "admin", "name": "admin"}, "audit_ids": ["gCNZNyOAQfughh3tPMyEhQ"], "issued_at": "2016-02-12T21:20:20.037127Z"}} To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1545202/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1474162] [NEW] ldap unicode issue when doing a show user
Public bug reported: In stable/kilo release, when the username contains non ascii charaters, showing the user from ldap with the following command - openstack user show --domain=ad Test Accent Communiquè will throw an exception. And this has been addressed in the Master branch, so what needs to be done is just to backport the changes to stable/kilo. I tested the changes in the Master branch and works fine. This is similar to https://bugs.launchpad.net/keystone/+bug/1419187 (keystone.common.wsgi): 2015-07-10 21:25:26,351 INFO wsgi __call__ GET /domains?name=ad (keystone.common.wsgi): 2015-07-10 21:25:26,385 ERROR wsgi __call__ 'ascii' codec can't encode character u'\xe8' in position 21: ordinal not in range(128) Traceback (most recent call last): File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/wsgi.py, line 452, in __call__ response = request.get_response(self.application) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/request.py, line 1317, in send application, catch_exc_info=False) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/request.py, line 1281, in call_application app_iter = application(self.environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py,
[Yahoo-eng-team] [Bug 1342274] Re: auth_token middleware in keystoneclient is deprecated
** Also affects: barbican Importance: Undecided Status: New ** Changed in: barbican Status: New = In Progress ** Changed in: barbican Assignee: (unassigned) = Sam Leong (chio-fai-sam-leong) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1342274 Title: auth_token middleware in keystoneclient is deprecated Status in OpenStack Key Management (Barbican): In Progress Status in OpenStack Telemetry (Ceilometer): In Progress Status in Cinder: In Progress Status in Designate: In Progress Status in OpenStack Image Registry and Delivery Service (Glance): Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Bare Metal Provisioning Service (Ironic): In Progress Status in OpenStack Message Queuing Service (Marconi): In Progress Status in OpenStack Neutron (virtual network service): Fix Released Status in OpenStack Compute (Nova): Fix Released Status in Python client library for Keystone: Fix Committed Status in OpenStack Data Processing (Sahara, ex. Savanna): In Progress Status in OpenStack Object Storage (Swift): In Progress Status in Openstack Database (Trove): Fix Released Bug description: The auth_token middleware in keystoneclient is deprecated and will only get security updates. Projects should use the auth_token middleware in keystonemiddleware. To manage notifications about this bug go to: https://bugs.launchpad.net/barbican/+bug/1342274/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1342274] Re: auth_token middleware in keystoneclient is deprecated
** Also affects: designate Importance: Undecided Status: New ** Changed in: designate Assignee: (unassigned) = Sam Leong (chio-fai-sam-leong) ** Changed in: designate Status: New = In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1342274 Title: auth_token middleware in keystoneclient is deprecated Status in OpenStack Telemetry (Ceilometer): In Progress Status in Cinder: In Progress Status in Designate: In Progress Status in OpenStack Image Registry and Delivery Service (Glance): Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Bare Metal Provisioning Service (Ironic): In Progress Status in OpenStack Message Queuing Service (Marconi): In Progress Status in OpenStack Neutron (virtual network service): Fix Committed Status in OpenStack Compute (Nova): Fix Committed Status in Python client library for Keystone: Fix Committed Status in OpenStack Data Processing (Sahara, ex. Savanna): In Progress Status in Openstack Database (Trove): In Progress Bug description: The auth_token middleware in keystoneclient is deprecated and will only get security updates. Projects should use the auth_token middleware in keystonemiddleware. To manage notifications about this bug go to: https://bugs.launchpad.net/ceilometer/+bug/1342274/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1342274] Re: auth_token middleware in keystoneclient is deprecated
** Also affects: marconi Importance: Undecided Status: New ** Changed in: marconi Status: New = In Progress ** Changed in: marconi Assignee: (unassigned) = Sam Leong (chio-fai-sam-leong) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1342274 Title: auth_token middleware in keystoneclient is deprecated Status in OpenStack Telemetry (Ceilometer): In Progress Status in Cinder: In Progress Status in OpenStack Image Registry and Delivery Service (Glance): Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Bare Metal Provisioning Service (Ironic): In Progress Status in OpenStack Message Queuing Service (Marconi): In Progress Status in OpenStack Neutron (virtual network service): Fix Committed Status in OpenStack Compute (Nova): Fix Committed Status in Python client library for Keystone: Fix Committed Status in OpenStack Data Processing (Sahara, ex. Savanna): In Progress Status in Openstack Database (Trove): New Bug description: The auth_token middleware in keystoneclient is deprecated and will only get security updates. Projects should use the auth_token middleware in keystonemiddleware. To manage notifications about this bug go to: https://bugs.launchpad.net/ceilometer/+bug/1342274/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1336088] [NEW] Disabling a domain does not disable the previous issued tokens in that domain
Public bug reported: Tokens are still valid although the domain has already been disable. Steps to reproduce. 1. create domain domainA 2. create user userA under domain domainA 3. authenticate to get a token tokenA for user userA 4. disable domainA 6. validate tokenA and it is still a valid token which is supposed to be invalid. Looks like the fix would be when disabling the domain, all the un- expired tokens for this domain should also be disable. ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1336088 Title: Disabling a domain does not disable the previous issued tokens in that domain Status in OpenStack Identity (Keystone): New Bug description: Tokens are still valid although the domain has already been disable. Steps to reproduce. 1. create domain domainA 2. create user userA under domain domainA 3. authenticate to get a token tokenA for user userA 4. disable domainA 6. validate tokenA and it is still a valid token which is supposed to be invalid. Looks like the fix would be when disabling the domain, all the un- expired tokens for this domain should also be disable. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1336088/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1329891] [NEW] Keystone Not Able to Add Users to AD/Ldap and OpenLdap
Public bug reported: I tried to add uses to AD/Ldap through keystone with the following curl command - curl -s -k -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{user: {name: test7, password: Devtest123}}' http://localhost:35357/v3/users Keystone showed the following stack trace - __init__ /home/leonchio/dev/keystone/keystone/common/ldap/core.py:713 2014-06-13 10:40:50.064 1420 DEBUG keystone.common.ldap.core [-] LDAP bind: dn=CN=Administrator,CN=Users,DC=vlan44,DC=domain simple_bind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:773 ('## values ## %s', {'password': '{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id': '1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'}) 2014-06-13 10:40:50.066 1420 DEBUG keystone.common.ldap.core [-] LDAP add: dn=cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain, attrs=[('objectClass', [u'person', u'user']), ('userPassword', ['']), ('enabled', [u'TRUE']), ('cn', [u'test7'])] add_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:793 2014-06-13 10:40:50.068 1420 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:779 2014-06-13 10:40:50.068 1420 ERROR keystone.common.wsgi [-] {'info': 2081: NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n, 'desc': 'Invalid DN syntax'} 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi Traceback (most recent call last): 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/common/wsgi.py, line 207, in __call__ 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result = method(context, **params) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/common/controller.py, line 152, in inner 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return f(self, context, *args, **kwargs) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/identity/controllers.py, line 276, in create_user 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ref = self.identity_api.create_user(ref['id'], ref) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/notifications.py, line 74, in wrapper 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result = f(*args, **kwargs) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/identity/core.py, line 189, in wrapper 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return f(self, *args, **kwargs) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/identity/core.py, line 299, in create_user 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ref = driver.create_user(user_id, user) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/identity/backends/ldap.py, line 91, in create_user 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi user_ref = self.user.create(user) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/identity/backends/ldap.py, line 231, in create 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi values = super(UserApi, self).create(values) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/common/ldap/core.py, line 996, in create 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return super(EnabledEmuMixIn, self).create(values) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/common/ldap/core.py, line 566, in create 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi conn.add_s(self._id_to_dn(values['id']), attrs) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /home/leonchio/dev/keystone/keystone/common/ldap/core.py, line 797, in add_s 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return self.conn.add_s(dn_utf8, ldap_attrs_utf8) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py, line 194, in add_s 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return self.result(msgid,all=1,timeout=self.timeout) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py, line 422, in result 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi res_type,res_data,res_msgid = self.result2(msgid,all,timeout) 2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File /usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py, line 426, in result2 2014-06-13 10:40:50.068 1420 TRACE