[Bug 1819453] Re: keystone-ldap TypeError: cannot concatenate 'str' and 'NoneType' object
Drew Freiberger
1819453 at bugs.launchpad.net
Tue Mar 19 15:19:58 UTC 2019
This is only confirmed on xenial Ocata.
When querying the domain, as it loops through users returned from the all user query of LDAP, it tries to create mappings in keystone for any new users.
https://github.com/openstack/keystone/blob/stable/ocata/keystone/identity/core.py#L599
This hits the method
keystone.identity.mapping_backends.sql.create_id_mapping() If the hash
of the domain and the user data exist in id_mappings, it tosses the
exception:
https://github.com/openstack/keystone/blob/stable/ocata/keystone/identity/mapping_backends/sql.py#L80
it then tries to fall back to querying the public_id of the existing
local_entity which doesn't exist and hence returns None. However, if it
would just return that public_id that just tossed as duplicate from this
line, it could work around the issue.
https://github.com/openstack/keystone/blob/stable/ocata/keystone/identity/mapping_backends/sql.py#L80
This is the duplicate being detected, why not just return that duplicate
ID rather than having to return a reverse lookup of a potentially non-
existent object.
Basically, this customer deletes entries from LDAP, then we delete them from the local_users and users tables, and sometimes forget to remove from id_mappings table as well. This is done manually because there's no way to delete a keystone user w/out the user existing in the ldap backend still. (best practice being to disable the user's accountActive flag and leave them in LDAP)
So, operator error working around one bug is creating what appears to be
a new bug when the ldap user is recreated.
When we query the id_mappings table, we found 402 entries in id_mapping
table that don't belong to the domain any longer in nonlocal_users table
or users table. So, these 402 entries could not be re-created as new
ldap users.
To reproduce:
create LDAP domain with user foo and query openstack domain so user foo gets a user entry in keystone.
remove user foo from user and nonlocal_user table in mysql database, leaving entry in id_mappings table.
Try to query domain (openstack user list --domain <ldapdom>), user foo should cause a traceback when it tries to recreate the id_mapping.
Ultimately, I believe we have to cleanup the id_mappings table, however, I believe the invalid assumption at the line below is still worth discussion:
https://github.com/openstack/keystone/blob/stable/ocata/keystone/identity/mapping_backends/sql.py#L81
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1819453
Title:
keystone-ldap TypeError: cannot concatenate 'str' and 'NoneType'
object
Status in OpenStack Identity (keystone):
New
Status in keystone package in Ubuntu:
New
Bug description:
Proposed action:
=============
Key / value failed check error.
Should check key exists and warn user of bad users / continue
Bug presented by:
=================
openstack user list --domain customerdata
cannot concatenate 'str' and 'NoneType' objects (HTTP 400) (Request-ID: req-cc0e225d-d033-4dfa-aff8-7311389d4f58)
Trace:
======
(keystone.common.wsgi): 2019-03-11 12:30:47,154 ERROR cannot concatenate 'str' and 'NoneType' objects
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 228, in __call__
result = method(req, **params)
File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 235, in wrapper
return f(self, request, filters, **kwargs)
File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 233, in list_users
return UserV3.wrap_collection(request.context_dict, refs, hints=hints)
File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 499, in wrap_collection
cls.wrap_member(context, ref)
File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 468, in wrap_member
cls._add_self_referential_link(context, ref)
File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 464, in _add_self_referential_link
ref['links']['self'] = cls.base_url(context) + '/' + ref['id']
TypeError: cannot concatenate 'str' and 'NoneType' objects
Offending Data:
===============
@ line 233 i put LOG.debug( pprint.pformat( refs ) )
grep -b 2 "'id': None," /varlog/keystone/keystone.log
{'domain_id': u'8ce102de5ac644288f61838f5e0f46e7',
'email': u'customerdata at cusomter.com',
'id': None,
--
{'domain_id': u'8ce102de5ac644288f61838f5e0f46e7',
'email': u'customerdata at cusomter.com',
'id': None,
--
{'domain_id': u'8ce102de5ac644288f61838f5e0f46e7',
'email': u'customerdata at cusomter.com',
'id': None,
Platform:
=========
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
NAME="Ubuntu"
VERSION="16.04.5 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.5 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
verions:
========
dpkg --list | grep keystone
ii keystone 2:11.0.3-0ubuntu1~cloud0 all OpenStack identity service - Daemons
ii python-keystone 2:11.0.3-0ubuntu1~cloud0 all OpenStack identity service - Python library
ii python-keystoneauth1 2.18.0-0ubuntu2~cloud0 all authentication library for OpenStack Identity - Python 2.7
ii python-keystoneclient 1:3.10.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 2.x
ii python-keystonemiddleware 4.14.0-0ubuntu1.2~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 2.x
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1819453/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list