[Bug 1820333] Re: [SRU] ldap search should not encode attributes

Corey Bryant corey.bryant at canonical.com
Wed Mar 20 13:29:02 UTC 2019


This has been verified successfully for cosmic-proposed:

For easy reading: https://paste.ubuntu.com/p/dzKSVtdfDt/

In case the pastebin expires:

ubuntu@coreycb-bastion:~/charms/bionic/keystone-ldap/build/builds/keystone-ldap$ tox -e func27-smoke --workdir /tmp
func27-smoke installed: DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.,amulet==1.21.0,aodhclient
==1.2.0,appdirs==1.4.3,asn1crypto==0.24.0,Babel==2.6.0,backports.os==0.1.1,blessings==1.6,bundletester==0.12.2,certifi==2019.3.9,cffi==1.12.2,chardet==3.0.4,charm-tools==2.5.1,charmhelpers==0.19.12,Cheetah3==3.2.0,cliff==2.14.1,cmd2==0.8.9,colander==1.5.1,config
parser==3.7.3,contextlib2==0.5.5,coverage==4.5.3,cryptography==2.6.1,debtcollector==1.21.0,decorator==4.3.2,dict2colander==0.2,distro==1.4.0,distro-info==0.0.0,docutils==0.14,dogpile.cache==0.7.1,entrypoints==0.3,enum34==1.1.6,extras==1.0.0,fixtures==3.0.0,flake
8==2.4.1,funcsigs==1.0.2,functools32==3.2.3.post2,future==0.17.1,futures==3.2.0,futurist==1.8.1,gnocchiclient==3.1.1,httplib2==0.12.1,idna==2.8,importlib-metadata==0.8,ipaddress==1.0.22,iso8601==0.1.12,Jinja2==2.10,jmespath==0.9.4,jsonpatch==1.23,jsonpointer==2.
0,jsonschema==2.5.1,juju-deployer==0.11.0,juju-wait==2.5.0,jujubundlelib==0.5.6,jujuclient==0.54.0,keyring==18.0.0,keystoneauth1==3.13.1,launchpadlib==1.10.6,lazr.authentication==0.1.3,lazr.restfulclient==0.14.2,lazr.uri==1.0.3,libcharmstore==0.0.9,linecache2==1
.0.0,macaroonbakery==1.2.1,MarkupSafe==1.1.1,mccabe==0.3.1,mock==2.0.0,monotonic==1.5,msgpack==0.6.1,munch==2.3.2,netaddr==0.7.19,netifaces==0.10.9,nose==1.3.7,oauth==1.0.1,oauthlib==3.0.1,openstacksdk==0.26.0,os-client-config==1.32.0,os-service-types==1.6.0,osc
-lib==1.12.1,oslo.config==6.8.1,oslo.context==2.22.1,oslo.i18n==3.23.1,oslo.log==3.42.3,oslo.serialization==2.28.2,oslo.utils==3.40.3,otherstuf==1.1.0,parse==1.11.1,path.py==11.5.0,pathlib2==2.3.3,pathspec==0.3.4,pbr==5.1.3,pep8==1.7.1,pika==0.13.1,pkg-resources
==0.0.0,prettytable==0.7.2,protobuf==3.7.0,pycparser==2.19,pyflakes==0.8.1,pyinotify==0.9.6,pymacaroons==0.13.0,PyNaCl==1.3.0,pyOpenSSL==19.0.0,pyparsing==2.3.1,pyperclip==1.7.0,pyRFC3339==1.1,python-barbicanclient==4.8.1,python-ceilometerclient==2.9.0,python-ci
nderclient==4.1.0,python-dateutil==2.8.0,python-designateclient==2.11.0,python-glanceclient==2.16.0,python-heatclient==1.17.0,python-keystoneclient==3.19.0,python-manilaclient==1.27.0,python-mimeparse==1.6.0,python-neutronclient==6.12.0,python-novaclient==13.0.0
,python-openstackclient==3.18.0,python-subunit==1.3.0,python-swiftclient==3.7.0,pytz==2018.9,pyudev==0.21.0,PyYAML==3.11,requests==2.21.0,requestsexceptions==1.4.0,rfc3986==1.2.0,ruamel.base==1.0.0,ruamel.ordereddict==0.4.13,ruamel.yaml==0.10.23,scandir==1.10.0,
SecretStorage==2.3.1,simplejson==3.16.0,six==1.12.0,stestr==2.3.1,stevedore==1.30.1,stuf==0.9.16,subprocess32==3.5.3,Tempita==0.5.2,testresources==2.0.1,testtools==2.3.0,theblues==0.5.1,traceback2==1.4.0,translationstring==1.3,unicodecsv==0.14.1,unittest2==1.1.0
,urllib3==1.24.1,virtualenv==16.4.3,voluptuous==0.11.5,wadllib==1.3.3,warlock==1.3.0,wcwidth==0.1.7,websocket-client==0.40.0,wrapt==1.11.1,wsgi-intercept==1.8.0,zipp==0.3.3,zope.interface==4.6.0                                                                   
func27-smoke runtests: PYTHONHASHSEED='0'
func27-smoke runtests: commands[0] | bundletester -vl DEBUG -r json -o func-results.json gate-basic-bionic-rocky --no-destroy
DEBUG:bundletester.utils:Updating JUJU_MODEL: "" -> "coreycb-serverstack:admin/coreycb3"
DEBUG:root:Bootstrap environment: coreycb-serverstack:admin/coreycb3
DEBUG:deployer.env:Connecting to coreycb-serverstack:admin/coreycb3...
DEBUG:jujuclient.connector:Connecting to wss://10.5.0.14:17070/model/ec71dda6-1a12-49dd-8088-a4a34ad8391c/api
DEBUG:deployer.env:Connected.
DEBUG:runner:call ['/tmp/func27-smoke/bin/charm-proof'] (cwd: /tmp/bundletester-AZT2VH/keystone-ldap)
DEBUG:runner:I: `display-name` not provided, add for custom naming in the UI
DEBUG:runner:I: config.yaml: option ldap-user has no default value
DEBUG:runner:I: config.yaml: option ldap-server has no default value
DEBUG:runner:I: config.yaml: option ssl_ca has no default value
DEBUG:runner:I: config.yaml: option ldap-password has no default value
DEBUG:runner:I: config.yaml: option domain-name has no default value
DEBUG:runner:I: config.yaml: option ldap-suffix has no default value
DEBUG:runner:I: config.yaml: option ldap-config-flags has no default value
DEBUG:runner:I: config.yaml: option tls-ca-ldap has no default value
DEBUG:runner:Exit Code: 0
DEBUG:runner:call ['/tmp/bundletester-AZT2VH/keystone-ldap/tests/gate-basic-bionic-rocky'] (cwd: /tmp/bundletester-AZT2VH/keystone-ldap)
DEBUG:runner:2019-03-20 13:12:13,866 __init__ INFO: OpenStackAmuletDeployment:  init
DEBUG:runner:2019-03-20 13:12:13,872 _add_services INFO: OpenStackAmuletDeployment:  adding services
DEBUG:runner:2019-03-20 13:12:13,873 _determine_branch_locations INFO: OpenStackAmuletDeployment:  determine branch locations
DEBUG:runner:2019-03-20 13:12:15 Starting deployment of coreycb-serverstack:admin/coreycb3
DEBUG:runner:2019-03-20 13:12:16 Deploying applications...
DEBUG:runner:2019-03-20 13:12:16  Deploying application keystone using cs:~openstack-charmers-next/keystone-423
DEBUG:runner:2019-03-20 13:12:19  Deploying application keystone-ldap using /tmp/charmg1qOZR/bionic/keystone-ldap
DEBUG:runner:2019-03-20 13:12:22  Deploying application ldap-server using cs:~openstack-charmers/ldap-test-fixture-3
DEBUG:runner:2019-03-20 13:12:24  Deploying application percona-cluster using cs:~openstack-charmers-next/percona-cluster-331
DEBUG:runner:2019-03-20 13:12:32 Config specifies num units for subordinate: keystone-ldap
DEBUG:runner:2019-03-20 13:18:39 Adding relations...
DEBUG:runner:2019-03-20 13:18:39  Adding relation keystone:shared-db <-> percona-cluster:shared-db
DEBUG:runner:2019-03-20 13:18:39  Adding relation keystone:domain-backend <-> keystone-ldap:domain-backend
DEBUG:runner:2019-03-20 13:21:25 Deployment complete in 549.48 seconds
DEBUG:runner:2019-03-20 13:21:51,086 _configure_services INFO: OpenStackAmuletDeployment:  configure services
DEBUG:runner:2019-03-20 13:21:51,818 __init__ INFO: Waiting on extended status checks...
DEBUG:runner:2019-03-20 13:21:51,818 _auto_wait_for_status INFO: Waiting for extended status on units for 5400s...
DEBUG:runner:2019-03-20 13:21:51,818 _auto_wait_for_status DEBUG: Default extended status wait match:  contains READY (case-insensitive)
DEBUG:runner:2019-03-20 13:21:51,819 _auto_wait_for_status DEBUG: Excluding services from extended status match: ['mysql', 'mongodb']
DEBUG:runner:2019-03-20 13:21:51,819 _auto_wait_for_status DEBUG: Waiting up to 5400s for extended status on services: ['keystone-ldap', 'keystone', 'ldap-server', 'percona-cluster']
DEBUG:runner:2019-03-20 13:22:49,064 _auto_wait_for_status INFO: OK
DEBUG:runner:2019-03-20 13:23:13,066 get_default_keystone_session DEBUG: Authenticating keystone admin...
DEBUG:runner:Exit Code: 0
DEBUG:bundletester.utils:Updating JUJU_MODEL: "coreycb-serverstack:admin/coreycb3" -> ""
_______________________________________________________________________________________ summary ________________________________________________________________________________________
  func27-smoke: commands succeeded
  congratulations :)


where tox.ini has:

[testenv:func27-smoke]
# Run a specific test as an Amulet smoke test (expected to always pass)
basepython = python2.7
commands =
    bundletester -vl DEBUG -r json -o func-results.json gate-basic-bionic-rocky --no-destroy

and I've enabled cosmic-proposed for the keystone unit prior to tests
running:

ubuntu@juju-d8391c-coreycb3-0:~$ apt policy keystone
keystone:
  Installed: 2:14.0.1-0ubuntu3
  Candidate: 2:14.0.1-0ubuntu3
  Version table:
 *** 2:14.0.1-0ubuntu3 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:14.0.1-0ubuntu1~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-updates/rocky/main amd64 Packages
     2:13.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     2:13.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done verification-done-cosmic

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1820333

Title:
  [SRU] ldap search should not encode attributes

Status in Ubuntu Cloud Archive:
  Fix Committed
Status in Ubuntu Cloud Archive rocky series:
  Fix Committed
Status in OpenStack Identity (keystone):
  Fix Released
Status in keystone package in Ubuntu:
  Fix Released
Status in keystone source package in Cosmic:
  Fix Committed

Bug description:
  [Impact]

  Listing users with LDAP backend fails
  -------------------------------------

  $ openstack user list --debug --domain userdomain
  Request returned failure status: 400
  ('attrs_from_List(): expected string in list', b'mail') (HTTP 400) (Request-ID: req-914f8010-3ed2-4200-a394-5b1bc5158b98)
  Traceback (most recent call last):
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/cliff/app.py", line 401, in run_subcommand
      result = cmd.run(parsed_args)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/osc_lib/command/command.py", line 41, in run
      return super(Command, self).run(parsed_args)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/cliff/display.py", line 116, in run
      column_names, data = self.take_action(parsed_args)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/openstackclient/identity/v3/user.py", line 266, in take_action
      group=group,
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/debtcollector/renames.py", line 43, in decorator
      return wrapped(*args, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/v3/users.py", line 136, in list
      **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/base.py", line 86, in func
      return f(*args, **new_kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/base.py", line 444, in list
      list_resp = self._list(url_query, self.collection_key)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/base.py", line 141, in _list
      resp, body = self.client.get(url, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 351, in get
      return self.request(url, 'GET', **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 510, in request
      resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 213, in request
      return self.session.request(url, method, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/session.py", line 869, in request
      raise exceptions.from_response(resp, method, url)
  keystoneauth1.exceptions.http.BadRequest: ('attrs_from_List(): expected string in list', b'mail') (HTTP 400) (Request-ID: req-914f8010-3ed2-4200-a394-5b1bc5158b98)
  clean_up ListUser: ('attrs_from_List(): expected string in list', b'mail') (HTTP 400) (Request-ID: req-914f8010-3ed2-4200-a394-5b1bc5158b98)
  Traceback (most recent call last):
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/osc_lib/shell.py", line 136, in run
      ret_val = super(OpenStackShell, self).run(argv)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/cliff/app.py", line 281, in run
      result = self.run_subcommand(remainder)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/osc_lib/shell.py", line 176, in run_subcommand
      ret_value = super(OpenStackShell, self).run_subcommand(argv)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/cliff/app.py", line 401, in run_subcommand
      result = cmd.run(parsed_args)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/osc_lib/command/command.py", line 41, in run
      return super(Command, self).run(parsed_args)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/cliff/display.py", line 116, in run
      column_names, data = self.take_action(parsed_args)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/openstackclient/identity/v3/user.py", line 266, in take_action
      group=group,
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/debtcollector/renames.py", line 43, in decorator
      return wrapped(*args, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/v3/users.py", line 136, in list
      **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/base.py", line 86, in func
      return f(*args, **new_kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/base.py", line 444, in list
      list_resp = self._list(url_query, self.collection_key)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneclient/base.py", line 141, in _list
      resp, body = self.client.get(url, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 351, in get
      return self.request(url, 'GET', **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 510, in request
      resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/adapter.py", line 213, in request
      return self.session.request(url, method, **kwargs)
    File "/home/ubuntu/charm-test-infra/.tox/clients/lib/python3.6/site-packages/keystoneauth1/session.py", line 869, in request
      raise exceptions.from_response(resp, method, url)
  keystoneauth1.exceptions.http.BadRequest: ('attrs_from_List(): expected string in list', b'mail') (HTTP 400) (Request-ID: req-914f8010-3ed2-4200-a394-5b1bc5158b98)

  END return value: 1

  /var/log/keystone/keystone.log
  ------------------------------
  (keystone.common.wsgi): 2019-03-15 15:26:15,385 ERROR ('attrs_from_List(): expected string in list', b'mail')
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/keystone/common/wsgi.py", line 148, in __call__
      result = method(req, **params)
    File "/usr/lib/python3/dist-packages/keystone/common/controller.py", line 103, in wrapper
      return f(self, request, filters, **kwargs)
    File "/usr/lib/python3/dist-packages/keystone/identity/controllers.py", line 71, in list_users
      domain_scope=domain, hints=hints
    File "/usr/lib/python3/dist-packages/keystone/common/manager.py", line 116, in wrapped
      __ret_val = __f(*args, **kwargs)
    File "/usr/lib/python3/dist-packages/keystone/identity/core.py", line 416, in wrapper
      return f(self, *args, **kwargs)
    File "/usr/lib/python3/dist-packages/keystone/identity/core.py", line 426, in wrapper
      return f(self, *args, **kwargs)
    File "/usr/lib/python3/dist-packages/keystone/identity/core.py", line 1061, in list_users
      ref_list = self._handle_shadow_and_local_users(driver, hints)
    File "/usr/lib/python3/dist-packages/keystone/identity/core.py", line 1044, in _handle_shadow_and_local_users
      return driver.list_users(hints) + fed_res
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/core.py", line 87, in list_users
      return self.user.get_all_filtered(hints)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/core.py", line 327, in get_all_filtered
      for user in self.get_all(query, hints)]
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/core.py", line 319, in get_all
      hints=hints)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/common.py", line 1888, in get_all
      return super(EnabledEmuMixIn, self).get_all(ldap_filter, hints)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/common.py", line 1590, in get_all
      for x in self._ldap_get_all(hints, ldap_filter)]
    File "/usr/lib/python3/dist-packages/keystone/common/driver_hints.py", line 42, in wrapper
      return f(self, hints, *args, **kwargs)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/common.py", line 1543, in _ldap_get_all
      attrs)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/common.py", line 976, in search_s
      attrlist_utf8, attrsonly)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/common.py", line 654, in wrapper
      return func(self, conn, *args, **kwargs)
    File "/usr/lib/python3/dist-packages/keystone/identity/backends/ldap/common.py", line 803, in search_s
      attrsonly)
    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 858, in search_s
      return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1264, in search_ext_s
      return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs)
    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1202, in _apply_method_s
      return func(self,*args,**kwargs)
    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 851, in search_ext_s
      msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 847, in search_ext
      timeout,sizelimit,
    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 319, in _ldap_call
      result = func(*args,**kwargs)
  TypeError: ('attrs_from_List(): expected string in list', b'mail')

  ---------------------------------------------

  In search_s() we're still encoding attrlist (note similar behavior in
  paged_search_s):

  attrlist_utf8 = list(map(utf8_encode, attrlist))

  Looking closer at the attribute list these all appear to be attribute
  names and that also appears to be how LDAP searches generally work;
  they specify attribute names they want to return, not values:

  [b'enabled', b'sn', b'userPassword', b'cn', b'description', b'mail']

  In Python 3 (and Python 2 with bytes_mode=False) python-ldap no longer
  allows bytes for some fields (DNs, RDNs, attribute names, queries).
  Instead, text values are represented as str, the Unicode text type.

  A prior patch to Keystone's LDAP backend (see commit
  eca0829c4c65e6b64f08023ce2d5a55dc329248f) enabled this support but
  missed the above lines of code.

  Changing the above line of code to not utf8 encode the attrlist fixes
  the problem for me.

  [Test Case]

  Run charm-keystone-ldap functional tests for OpenStack Rocky or above.
  Upstream unit tests are also run.

  [Regression Potential]
  The only regression potential would be for PY2 code paths. PY3 code paths never worked for keystone's LDAP backend. The approach to the patch has purposefully minimized the amount of code required and therefore the regression potential for PY2. Note that Rocky for Ubuntu supports PY2, but as of Stein Ubuntu has dropped PY2 support.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1820333/+subscriptions
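
The attrlist failure described in the bug report above, as an added example that is not part of the original message and is not Keystone's patch. strict_search_s is a hypothetical stand-in for python-ldap's argument check, utf8_encode is modelled on the helper named in the report, and text_attrlist goes one step beyond the reported fix by also decoding stray bytes and validating names against the RFC 4512 attribute-description syntax.

```python
import re

# RFC 4512 attribute description (name or numeric OID, optional ;options),
# plus the special selectors "*" (all user attrs) and "+" (all operational).
_ATTR_RE = re.compile(
    r"\*|\+|(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*"
)


def utf8_encode(value):
    """Stand-in for the helper named in the report: text -> UTF-8 bytes."""
    return value.encode("utf-8") if isinstance(value, str) else value


def strict_search_s(attrlist):
    """Hypothetical stand-in for python-ldap with bytes_mode=False:
    every requested attribute name must be str, never bytes."""
    for name in attrlist or []:
        if not isinstance(name, str):
            raise TypeError("attrs_from_List(): expected string in list", name)
    return list(attrlist or [])


def encoded_attrlist(attrlist):
    """Behaviour the report describes: names are encoded before the search."""
    return list(map(utf8_encode, attrlist))


def text_attrlist(attrlist):
    """Keep attribute names as text. Bytes left over from older code paths
    are decoded, and anything that is not a valid name is rejected."""
    if attrlist is None:
        return None  # None asks the server for all user attributes
    names = []
    for name in attrlist:
        if isinstance(name, bytes):
            name = name.decode("utf-8")
        if not isinstance(name, str) or not _ATTR_RE.fullmatch(name):
            raise ValueError("invalid LDAP attribute name: %r" % (name,))
        names.append(name)
    return names


if __name__ == "__main__":
    sample = ["mail", "cn", "sn"]  # constructed sample input
    try:
        strict_search_s(encoded_attrlist(sample))
    except TypeError as exc:
        print("encoded:", exc)
    print("text:   ", strict_search_s(text_attrlist(sample)))
```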


