Public bug reported:

OpenStack version: 2023.1
Deployment tool: kolla-ansible
OS: Ubuntu 22.04

Integrating keystone with LDAP for centralized authentication.

# /etc/kolla/config/keystone/domains/keystone.eng.conf
# Ansible managed

[identity]
driver = ldap
domain_config_dir = /etc/keystone/domains
domain_specific_drivers_enabled = True

[assignment]
driver = sql

[ldap]
debug_level = 4095
group_allow_create = False
group_allow_delete = False
group_allow_update = False
group_id_attribute = cn
group_member_attribute = memberof
group_name_attribute = cn
group_objectclass = organizationalUnit
group_tree_dn = cn=groups,cn=compat,dc=example,dc=com
password = XXXXXXXXXXXXXXXXXX
project_allow_create = False
project_allow_delete = False
project_allow_update = False
role_allow_create = False
role_allow_delete = False
role_allow_update = False
suffix = dc=example,dc=com
tls_cacertfile = /etc/keystone/ssl/ipa-ldap.crt
tls_req_cert = allow
url = ldaps://ldap.example.com
use_dump_member = False
use_tls = False
user = uid=svc-openstack,cn=users,cn=accounts,dc=example,dc=com
user_allow_create = False
user_allow_delete = False
user_allow_update = False
user_enabled_attribute = userAccountControl
user_filter = (memberof=cn=openstack-eng,cn=groups,cn=accounts,dc=example,dc=com)
user_id_attribute = cn
user_mail_attribute = mail
user_name_attribute = uid
user_objectclass = person
user_pass_attribute = password
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com

When I list all users from the LDAP domain, I can see the list of users in the output:

# openstack user list --domain eng
+------------------------------------------------------------------+----------------+
| ID                                                               | Name           |
+------------------------------------------------------------------+----------------+
| 5941b66ab2dd5c288b9c43af63eac64802e7fcc13f93a39341d0972623dea482 | user1          |
| cbadc09bf614aae6cb02ec55a7c0339d23fb23862465006117574856f5a9ea25 | user2          |
| b2c2da99373ad98a4b266fdaba5773ad8284e53b6e6d6814d739a671c57036a1 | user3          |
| 76c268f25474aad5bad0035bec482ada7ceb94f82d8d46b4973091b120d1b925 | spatel         |
| 018019fc1b632ea62a339bd6610ef3011dc95aaae01b0b7fa4f72d836c1a816f | user4          |

At the same time, I am seeing this error in the keystone.log file. I thought I should report the errors.

2024-02-15 20:41:57.658 22 WARNING keystone.common.password_hashing [None req-01863ce5-e57b-41e9-80ec-e994166b9757 - - - - - -] Truncating password to algorithm specific maximum length 72 characters.
2024-02-15 20:42:03.209 25 WARNING keystone.common.rbac_enforcer.enforcer [None req-4f4495f7-2527-4463-84fe-1d795fcb946e f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application [None req-4f4495f7-2527-4463-84fe-1d795fcb946e f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] Could not find domain: eng.: keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application Traceback (most recent call last):
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/core.py", line 712, in get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     project = self.driver.get_project(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/backends/sql.py", line 49, in get_project
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self._get_project(session, project_id).to_dict()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/backends/sql.py", line 44, in _get_project
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     raise exception.ProjectNotFound(project_id=project_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.ProjectNotFound: Could not find project: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application During handling of the above exception, another exception occurred:
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application Traceback (most recent call last):
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     rv = self.dispatch_request()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 467, in wrapper
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/views.py", line 107, in view
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return current_app.ensure_sync(self.dispatch_request)(**kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 582, in dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 89, in get
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self._get_domain(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 97, in _get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     domain = PROVIDERS.resource_api.get_domain(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/common/manager.py", line 115, in wrapped
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     __ret_val = __f(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return caller(func, *(extras + args), **kw)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 1577, in get_or_create_for_user_func
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self.get_or_create(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 1042, in get_or_create
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     with Lock(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 185, in __enter__
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self._enter()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 94, in _enter
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     generated = self._enter_create(value, createdtime)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 178, in _enter_create
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self.creator()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 995, in gen_value
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     created_value = creator(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/core.py", line 718, in get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     raise exception.DomainNotFound(domain_id=domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:08.030 23 WARNING py.warnings [None req-1d1b3838-65b0-4620-8554-eae9b43bd2d8 f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] /var/lib/kolla/venv/lib/python3.10/site-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_domains": "role:reader and system_scope:all" failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2053297

Title:
  LDAP keystone.exception.DomainNotFound: Could not find domain:

Status in OpenStack Identity (keystone):
  New
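
Added example, not part of the original report and not keystone code: a small Python triage helper that folds the oslo.log traceback lines quoted in the report into one event per request ID and reports the keystone API handler, the root exception and the final exception. The function names (`collapse`, `summarize`) and the abridged sample lines are constructed for illustration.

```python
import re

# oslo.log: "<date> <time> <pid> <LEVEL> <logger> [<context>] <msg>"; traceback lines omit [<context>].
LINE = re.compile(r"^\S+ \S+ (\d+) ([A-Z]+) \S+ ?(.*)$")
CTX = re.compile(r"^\[\S+ (req-[0-9a-f-]+) [^\]]*\] (.*)$")
FRAME = re.compile(r'^File ".*?site-packages/([^"]+)", line (\d+), in (\S+)')
EXC = re.compile(r"^([A-Za-z_]\w*(?:\.\w+)+): (.*)$")  # dotted exception names only


def collapse(lines):
    """Fold each multi-line traceback into one event keyed by request id."""
    events, current = [], {}
    for raw in lines:
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        pid, level, rest = m.group(1), m.group(2), m.group(3).strip()
        ctx = CTX.match(rest)
        if ctx:  # context block present: a new log record starts here
            current[pid] = {"req": ctx.group(1), "level": level,
                            "message": ctx.group(2), "chain": [], "frames": []}
            events.append(current[pid])
        elif pid in current:  # continuation line of that worker's last record
            ev, frame, exc = current[pid], FRAME.match(rest), EXC.match(rest)
            if frame and frame.group(1).startswith("keystone/"):
                ev["frames"].append((frame.group(1), int(frame.group(2)), frame.group(3)))
            elif exc:
                ev["chain"].append(exc.groups())
    return events


def summarize(events):
    """For each ERROR record: API handler frame, root cause, final exception."""
    out = []
    for ev in events:
        if ev["level"] == "ERROR" and ev["chain"]:
            api = next((f for f in ev["frames"] if f[0].startswith("keystone/api/")), None)
            out.append({"req": ev["req"], "handler": api,
                        "root": ev["chain"][0], "final": ev["chain"][-1]})
    return out


# Constructed sample: abridged from the log lines quoted in the report.
P = "2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application"
SP = "/var/lib/kolla/venv/lib/python3.10/site-packages/"
SAMPLE = [
    f"{P} [None req-4f4495f7-2527-4463-84fe-1d795fcb946e - - - - default default] Could not find domain: eng.",
    f"{P} Traceback (most recent call last):",
    f'{P}   File "{SP}keystone/resource/core.py", line 712, in get_domain',
    f'{P}   File "{SP}keystone/resource/backends/sql.py", line 44, in _get_project',
    f"{P} keystone.exception.ProjectNotFound: Could not find project: eng.",
    f"{P} During handling of the above exception, another exception occurred:",
    f"{P} Traceback (most recent call last):",
    f'{P}   File "{SP}keystone/api/domains.py", line 89, in get',
    f'{P}   File "{SP}keystone/resource/core.py", line 718, in get_domain',
    f"{P} keystone.exception.DomainNotFound: Could not find domain: eng.",
]

print(summarize(collapse(SAMPLE)))
```

On the sample, the single ERROR event resolves to the `get` handler in `keystone/api/domains.py`, with `ProjectNotFound` as the root exception and `DomainNotFound` as the final one, both for the value `eng` that the handler received as `domain_id`.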