[Yahoo-eng-team] [Bug 1609511] [NEW] flush_expired_tokens API fails when more than 200k tokens in the token table
Public bug reported:
When there are over 200k tokens need to be flushed, it results the
following error in mysql error.log -
2016-07-29 02:00:18 40452 [Warning] WSREP: transaction size limit (1073741824)
exceeded: 1073774592
2016-07-29 02:00:19 40452 [ERROR] WSREP: rbr write fail, data_len: 0, 2
In the current code, it triggers a series of DELETE for a batch of 1000
tokens until all the expired tokens are deleted. However, all the DELETE
transactions are not yet committed until the method exits.
For big size of transactions like that, we definitely cannot reply on
the auto-commit in the end. Instead, explicit commit should be triggered
for every single transaction.
The following is the error in keystone.log -
289518 27060 (keystone): 2016-07-29 01:15:25,397 CRITICAL log
logging_excepthook OperationalError: (_mysql_exceptions.OperationalError)
(1180, 'Got error 5 during COMMIT')
1289519 Traceback (most recent call last):
1289520 File
"/opt/stack/service/keystone-20160719T001534Z/venv/bin//keystone-manage", line
10, in
1289521 sys.exit(main())
1289522 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/cmd/manage.py",
line 47, in main
1289523 cli.main(argv=sys.argv, config_files=config_files)
1289524 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/cmd/cli.py",
line 1010, in main
1289525 CONF.command.cmd_class.main()
1289526 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/cmd/cli.py",
line 562, in main
1289527 token_manager.flush_expired_tokens()
1289528 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/keystone/token/persistence/backends/sql.py",
line 286, in flush_expired_tokens
1289529 LOG.info(_LI('Total expired tokens removed: %d'), total_removed)
1289530 File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
1289531 self.gen.next()
1289532 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py",
line 760, in _transaction_scope
1289533 yield resource
1289534 File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
1289535 self.gen.next()
1289536 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py",
line 495, in _session
1289537 self._end_session_transaction(self.session)
1289538 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py",
line 516, in _end_session_transaction
1289539 session.commit()
1289540 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/orm/session.py",
line 801, in commit
1289541 self.transaction.commit()
1289542 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/orm/session.py",
line 396, in commit
1289543 t[1].commit()
1289544 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py",
line 1574, in commit
1289545 self._do_commit()
1289546 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py",
line 1605, in _do_commit
1289547 self.connection._commit_impl()
1289548 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py",
line 690, in _commit_impl
1289549 self._handle_dbapi_exception(e, None, None, None, None)
1289550 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py",
line 1337, in _handle_dbapi_exception
1289551 util.raise_from_cause(newraise, exc_info)
1289552 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/util/compat.py",
line 200, in raise_from_cause
1289553 reraise(type(exception), exception, tb=exc_tb, cause=cause)
1289554 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/engine/base.py",
line 688, in _commit_impl
1289555 self.engine.dialect.do_commit(self.connection)
1289556 File
"/opt/stack/venv/keystone-20160719T001534Z/lib/python2.7/site-packages/sqlalchemy/dialects/mysql/base.py",
line 2514, in do_commit
1289557 dbapi_connection.commit()
1289558 OperationalError: (_mysql_exceptions.OperationalError) (1180, 'Got
error 5 during COMMIT')
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1609511
Title:
flush_expired_tokens API fails when more than 200k tokens in the token
table
Status in OpenStack Identity (keystone):
New
Bug description:
When there are over 200k tokens need to be flushed, it results the
following error in mysql error.log -
2016-07-29 02:00:18 40452
[Yahoo-eng-team] [Bug 1597024] [NEW] List role_assignments?include_names=False returns Entitys' Names
Public bug reported:
When include_names=True, it shows the expected results that is with all
the names in additional to Ids. However, it makes no difference when
include_names=False. Like the following -
GET
https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False
HTTP/1.1
Accept-Encoding: gzip,deflate
X-Auth-Token: bee62e952fba4bafb09ad73cdc968eca
Accept: application/json
Host: localhost:35357
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 19:53:17 GMT
Server: Apache/2.4.10 (Debian)
Vary: X-Auth-Token
x-openstack-request-id: req-37962d1f-5d31-4d91-b8c3-1c598be4c82c
Content-Length: 765
Content-Type: application/json
{"role_assignments": [{"scope": {"domain": {"id":
"b4421df800714f33ae9cdcd37704a98e", "name":
"domainname_91455-201606021353160180"}}, "role": {"id":
"2d3797efdb684f57b35e63eb7f66b30c", "name":
"update_Role_91455-201606021353160180"}, "user": {"domain": {"id":
"b4421df800714f33ae9cdcd37704a98e", "name":
"domainname_91455-201606021353160180"}, "id":
"44dfc2bd8f254a068d43e102a89fc355", "name":
"DAname_91455-201606021353160180"}, "links": {"assignment":
"https://localhost:35357/v3/domains/b4421df800714f33ae9cdcd37704a98e/users/44dfc2bd8f254a068d43e102a89fc355/roles/2d3797efdb684f57b35e63eb7f66b30c"}}],
"links": {"self":
"https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False;,
"previous": null, "next": null}}
The workaround is to not specify include_names or set include_names=0.
A bug is in the parser.
There is a parser 'def query_filter_is_true(cls, filter_value):' defined in
common/controller.py returns False when filter_value is 0; anything else return
True. Like -
if (isinstance(filter_value, six.string_types) and filter_value == '0'):
val = False
else:
val = True
So basically it just does not consider value of filter_value False is
False, only 0.
** Affects: keystone
Importance: Undecided
Assignee: Sam Leong (chio-fai-sam-leong)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Sam Leong (chio-fai-sam-leong)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1597024
Title:
List role_assignments?include_names=False returns Entitys' Names
Status in OpenStack Identity (keystone):
New
Bug description:
When include_names=True, it shows the expected results that is with
all the names in additional to Ids. However, it makes no difference
when include_names=False. Like the following -
GET
https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False
HTTP/1.1
Accept-Encoding: gzip,deflate
X-Auth-Token: bee62e952fba4bafb09ad73cdc968eca
Accept: application/json
Host: localhost:35357
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 19:53:17 GMT
Server: Apache/2.4.10 (Debian)
Vary: X-Auth-Token
x-openstack-request-id: req-37962d1f-5d31-4d91-b8c3-1c598be4c82c
Content-Length: 765
Content-Type: application/json
{"role_assignments": [{"scope": {"domain": {"id":
"b4421df800714f33ae9cdcd37704a98e", "name":
"domainname_91455-201606021353160180"}}, "role": {"id":
"2d3797efdb684f57b35e63eb7f66b30c", "name":
"update_Role_91455-201606021353160180"}, "user": {"domain": {"id":
"b4421df800714f33ae9cdcd37704a98e", "name":
"domainname_91455-201606021353160180"}, "id":
"44dfc2bd8f254a068d43e102a89fc355", "name":
"DAname_91455-201606021353160180"}, "links": {"assignment":
"https://localhost:35357/v3/domains/b4421df800714f33ae9cdcd37704a98e/users/44dfc2bd8f254a068d43e102a89fc355/roles/2d3797efdb684f57b35e63eb7f66b30c"}}],
"links": {"self":
"https://localhost:35357/v3/role_assignments?user.id=44dfc2bd8f254a068d43e102a89fc355_names=False;,
"previous": null, "next": null}}
The workaround is to not specify inclu
[Yahoo-eng-team] [Bug 1545202] Re: Domain info is not shown in federated token validation response
The response shows the actual group id but the domain shows 'Federated',
so that made me to be not sure if that is the intended behavior. Since
it's documented, I'm cool with that ;-)
** Changed in: keystone
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1545202
Title:
Domain info is not shown in federated token validation response
Status in OpenStack Identity (keystone):
Invalid
Bug description:
When validating a federated token, the group id info shows in the
response but the domain info does not show, only shows 'Federated' for
both domain id and domain name.
HTTP/1.1 200 OK
Date: Fri, 12 Feb 2016 21:24:16 GMT
Server: Apache/2.4.10 (Debian)
X-Subject-Token: b6c115ce0aed425baf3e8ed104da945d
Vary: X-Auth-Token
x-openstack-request-id: req-6c1a9a92-f3f9-48a2-8767-61001c77cadd
Content-Length: 419
Content-Type: application/json
{"token": {"methods": ["saml2"], "expires_at":
"2016-02-13T01:20:20.037092Z", "extras": {}, "user": {"OS-FEDERATION":
{"identity_provider": {"id": "ks_fed1_idp"}, "protocol": {"id":
"saml2"}, "groups": [{"id": "357f50fed4cc4f00804cd8da821426ea"}]},
"domain": {"id": "Federated", "name": "Federated"}, "id": "admin",
"name": "admin"}, "audit_ids": ["gCNZNyOAQfughh3tPMyEhQ"],
"issued_at": "2016-02-12T21:20:20.037127Z"}}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1545202/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1545202] [NEW] Domain info is not shown in federated token validation response
Public bug reported:
When validating a federated token, the group id info shows in the
response but the domain info does not show, only shows 'Federated' for
both domain id and domain name.
HTTP/1.1 200 OK
Date: Fri, 12 Feb 2016 21:24:16 GMT
Server: Apache/2.4.10 (Debian)
X-Subject-Token: b6c115ce0aed425baf3e8ed104da945d
Vary: X-Auth-Token
x-openstack-request-id: req-6c1a9a92-f3f9-48a2-8767-61001c77cadd
Content-Length: 419
Content-Type: application/json
{"token": {"methods": ["saml2"], "expires_at":
"2016-02-13T01:20:20.037092Z", "extras": {}, "user": {"OS-FEDERATION":
{"identity_provider": {"id": "ks_fed1_idp"}, "protocol": {"id":
"saml2"}, "groups": [{"id": "357f50fed4cc4f00804cd8da821426ea"}]},
"domain": {"id": "Federated", "name": "Federated"}, "id": "admin",
"name": "admin"}, "audit_ids": ["gCNZNyOAQfughh3tPMyEhQ"], "issued_at":
"2016-02-12T21:20:20.037127Z"}}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1545202
Title:
Domain info is not shown in federated token validation response
Status in OpenStack Identity (keystone):
New
Bug description:
When validating a federated token, the group id info shows in the
response but the domain info does not show, only shows 'Federated' for
both domain id and domain name.
HTTP/1.1 200 OK
Date: Fri, 12 Feb 2016 21:24:16 GMT
Server: Apache/2.4.10 (Debian)
X-Subject-Token: b6c115ce0aed425baf3e8ed104da945d
Vary: X-Auth-Token
x-openstack-request-id: req-6c1a9a92-f3f9-48a2-8767-61001c77cadd
Content-Length: 419
Content-Type: application/json
{"token": {"methods": ["saml2"], "expires_at":
"2016-02-13T01:20:20.037092Z", "extras": {}, "user": {"OS-FEDERATION":
{"identity_provider": {"id": "ks_fed1_idp"}, "protocol": {"id":
"saml2"}, "groups": [{"id": "357f50fed4cc4f00804cd8da821426ea"}]},
"domain": {"id": "Federated", "name": "Federated"}, "id": "admin",
"name": "admin"}, "audit_ids": ["gCNZNyOAQfughh3tPMyEhQ"],
"issued_at": "2016-02-12T21:20:20.037127Z"}}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1545202/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1474162] [NEW] ldap unicode issue when doing a show user
Public bug reported: In stable/kilo release, when the username contains non ascii charaters, showing the user from ldap with the following command - openstack user show --domain=ad Test Accent Communiquè will throw an exception. And this has been addressed in the Master branch, so what needs to be done is just to backport the changes to stable/kilo. I tested the changes in the Master branch and works fine. This is similar to https://bugs.launchpad.net/keystone/+bug/1419187 (keystone.common.wsgi): 2015-07-10 21:25:26,351 INFO wsgi __call__ GET /domains?name=ad (keystone.common.wsgi): 2015-07-10 21:25:26,385 ERROR wsgi __call__ 'ascii' codec can't encode character u'\xe8' in position 21: ordinal not in range(128) Traceback (most recent call last): File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/keystone/common/wsgi.py, line 452, in __call__ response = request.get_response(self.application) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/request.py, line 1317, in send application, catch_exc_info=False) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/request.py, line 1281, in call_application app_iter = application(self.environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/routes/middleware.py, line 136, in __call__ response = self.app(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py, line 144, in __call__ return resp(environ, start_response) File /opt/stack/service/keystone/venv/lib/python2.7/site-packages/webob/dec.py,
[Yahoo-eng-team] [Bug 1342274] Re: auth_token middleware in keystoneclient is deprecated
** Also affects: barbican Importance: Undecided Status: New ** Changed in: barbican Status: New = In Progress ** Changed in: barbican Assignee: (unassigned) = Sam Leong (chio-fai-sam-leong) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1342274 Title: auth_token middleware in keystoneclient is deprecated Status in OpenStack Key Management (Barbican): In Progress Status in OpenStack Telemetry (Ceilometer): In Progress Status in Cinder: In Progress Status in Designate: In Progress Status in OpenStack Image Registry and Delivery Service (Glance): Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Bare Metal Provisioning Service (Ironic): In Progress Status in OpenStack Message Queuing Service (Marconi): In Progress Status in OpenStack Neutron (virtual network service): Fix Released Status in OpenStack Compute (Nova): Fix Released Status in Python client library for Keystone: Fix Committed Status in OpenStack Data Processing (Sahara, ex. Savanna): In Progress Status in OpenStack Object Storage (Swift): In Progress Status in Openstack Database (Trove): Fix Released Bug description: The auth_token middleware in keystoneclient is deprecated and will only get security updates. Projects should use the auth_token middleware in keystonemiddleware. To manage notifications about this bug go to: https://bugs.launchpad.net/barbican/+bug/1342274/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1342274] Re: auth_token middleware in keystoneclient is deprecated
** Also affects: designate Importance: Undecided Status: New ** Changed in: designate Assignee: (unassigned) = Sam Leong (chio-fai-sam-leong) ** Changed in: designate Status: New = In Progress -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1342274 Title: auth_token middleware in keystoneclient is deprecated Status in OpenStack Telemetry (Ceilometer): In Progress Status in Cinder: In Progress Status in Designate: In Progress Status in OpenStack Image Registry and Delivery Service (Glance): Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Bare Metal Provisioning Service (Ironic): In Progress Status in OpenStack Message Queuing Service (Marconi): In Progress Status in OpenStack Neutron (virtual network service): Fix Committed Status in OpenStack Compute (Nova): Fix Committed Status in Python client library for Keystone: Fix Committed Status in OpenStack Data Processing (Sahara, ex. Savanna): In Progress Status in Openstack Database (Trove): In Progress Bug description: The auth_token middleware in keystoneclient is deprecated and will only get security updates. Projects should use the auth_token middleware in keystonemiddleware. To manage notifications about this bug go to: https://bugs.launchpad.net/ceilometer/+bug/1342274/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1342274] Re: auth_token middleware in keystoneclient is deprecated
** Also affects: marconi Importance: Undecided Status: New ** Changed in: marconi Status: New = In Progress ** Changed in: marconi Assignee: (unassigned) = Sam Leong (chio-fai-sam-leong) -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1342274 Title: auth_token middleware in keystoneclient is deprecated Status in OpenStack Telemetry (Ceilometer): In Progress Status in Cinder: In Progress Status in OpenStack Image Registry and Delivery Service (Glance): Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Bare Metal Provisioning Service (Ironic): In Progress Status in OpenStack Message Queuing Service (Marconi): In Progress Status in OpenStack Neutron (virtual network service): Fix Committed Status in OpenStack Compute (Nova): Fix Committed Status in Python client library for Keystone: Fix Committed Status in OpenStack Data Processing (Sahara, ex. Savanna): In Progress Status in Openstack Database (Trove): New Bug description: The auth_token middleware in keystoneclient is deprecated and will only get security updates. Projects should use the auth_token middleware in keystonemiddleware. To manage notifications about this bug go to: https://bugs.launchpad.net/ceilometer/+bug/1342274/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1336088] [NEW] Disabling a domain does not disable the previous issued tokens in that domain
Public bug reported: Tokens are still valid although the domain has already been disable. Steps to reproduce. 1. create domain domainA 2. create user userA under domain domainA 3. authenticate to get a token tokenA for user userA 4. disable domainA 6. validate tokenA and it is still a valid token which is supposed to be invalid. Looks like the fix would be when disabling the domain, all the un- expired tokens for this domain should also be disable. ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1336088 Title: Disabling a domain does not disable the previous issued tokens in that domain Status in OpenStack Identity (Keystone): New Bug description: Tokens are still valid although the domain has already been disable. Steps to reproduce. 1. create domain domainA 2. create user userA under domain domainA 3. authenticate to get a token tokenA for user userA 4. disable domainA 6. validate tokenA and it is still a valid token which is supposed to be invalid. Looks like the fix would be when disabling the domain, all the un- expired tokens for this domain should also be disable. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1336088/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1329891] [NEW] Keystone Not Able to Add Users to AD/Ldap and OpenLdap
Public bug reported:
I tried to add uses to AD/Ldap through keystone with the following curl command
-
curl -s -k -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d
'{user: {name: test7, password: Devtest123}}'
http://localhost:35357/v3/users
Keystone showed the following stack trace -
__init__ /home/leonchio/dev/keystone/keystone/common/ldap/core.py:713
2014-06-13 10:40:50.064 1420 DEBUG keystone.common.ldap.core [-] LDAP bind:
dn=CN=Administrator,CN=Users,DC=vlan44,DC=domain simple_bind_s
/home/leonchio/dev/keystone/keystone/common/ldap/core.py:773
('## values ## %s', {'password':
'{SSHA}BFn5qzp/hJjhJMea9JWrmHymXrNQyjkn', 'enabled': True, 'id':
'1c81387f5aea40329bc9f77c90109c66', 'name': u'test7'})
2014-06-13 10:40:50.066 1420 DEBUG keystone.common.ldap.core [-] LDAP add:
dn=cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain,
attrs=[('objectClass', [u'person', u'user']), ('userPassword', ['']),
('enabled', [u'TRUE']), ('cn', [u'test7'])] add_s
/home/leonchio/dev/keystone/keystone/common/ldap/core.py:793
2014-06-13 10:40:50.068 1420 DEBUG keystone.common.ldap.core [-] LDAP unbind
unbind_s /home/leonchio/dev/keystone/keystone/common/ldap/core.py:779
2014-06-13 10:40:50.068 1420 ERROR keystone.common.wsgi [-] {'info': 2081:
NameErr: DSID-03050CDA, problem 2003 (BAD_ATT_SYNTAX), data 0, best match
of:\n\t'cn=1c81387f5aea40329bc9f77c90109c66,cn=Users,dc=vlan44,dc=domain'\n,
'desc': 'Invalid DN syntax'}
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi Traceback (most recent
call last):
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/common/wsgi.py, line 207, in __call__
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result =
method(context, **params)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/common/controller.py, line 152, in inner
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return f(self,
context, *args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/identity/controllers.py, line 276, in
create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ref =
self.identity_api.create_user(ref['id'], ref)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/notifications.py, line 74, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi result = f(*args,
**kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/identity/core.py, line 189, in wrapper
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return f(self,
*args, **kwargs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/identity/core.py, line 299, in
create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi ref =
driver.create_user(user_id, user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py, line 91, in
create_user
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi user_ref =
self.user.create(user)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/identity/backends/ldap.py, line 231, in
create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi values =
super(UserApi, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/common/ldap/core.py, line 996, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return
super(EnabledEmuMixIn, self).create(values)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/common/ldap/core.py, line 566, in create
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi
conn.add_s(self._id_to_dn(values['id']), attrs)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/home/leonchio/dev/keystone/keystone/common/ldap/core.py, line 797, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return
self.conn.add_s(dn_utf8, ldap_attrs_utf8)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py, line 194, in add_s
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi return
self.result(msgid,all=1,timeout=self.timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py, line 422, in result
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi
res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
2014-06-13 10:40:50.068 1420 TRACE keystone.common.wsgi File
/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py, line 426, in
result2
2014-06-13 10:40:50.068 1420 TRACE
