[Bug 1798184] Fix merged to keystone (stable/rocky)

OpenStack Infra 1798184 at bugs.launchpad.net
Wed Mar 20 17:18:47 UTC 2019


Reviewed:  https://review.openstack.org/613648
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a2e7ccb4b32140f122c0beee0f3fcc1109db36bf
Submitter: Zuul
Branch:    stable/rocky

commit a2e7ccb4b32140f122c0beee0f3fcc1109db36bf
Author: Corey Bryant <corey.bryant at canonical.com>
Date:   Tue Oct 16 16:19:15 2018 -0400

    PY3: switch to using unicode text values
    
    In Python 3, python-ldap no longer allows bytes for some fields (DNs,
    RDNs, attribute names, queries). Instead, text values are represented
    as str, the Unicode text type. Compatibility support is provided for
    Python 2 by setting bytes_mode=False [1].
    
    Update the keystone LDAP backend to adhere to this behavior by using
    bytes_mode=False for Python 2 and dropping UTF-8 encoding and decoding
    fields that are now represented as text in python-ldap.
    
    [1] More details about byte/str usage in python-ldap can be found at:
    http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
    
    Note that at a minimum python-ldappool 2.3.1 is required. For more
    details see Depends-On's below.
    
    Change-Id: Ifdd0644cd7042407a008c85c0b2c40a971c90bc3
    Closes-Bug: #1798184
    Depends-On: https://review.openstack.org/611401
    Depends-On: https://review.openstack.org/613632
    Depends-On: https://review.openstack.org/614052
    (cherry picked from commit eca0829c4c65e6b64f08023ce2d5a55dc329248f)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1798184

Title:
  [SRU] PY3: python3-ldap does not allow bytes for DN/RDN/field names

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive rocky series:
  Fix Released
Status in Ubuntu Cloud Archive stein series:
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) rocky series:
  Fix Committed
Status in OpenStack Identity (keystone) stein series:
  Fix Released
Status in ldappool:
  Fix Released
Status in keystone package in Ubuntu:
  Fix Released
Status in python-ldappool package in Ubuntu:
  Fix Released
Status in keystone source package in Cosmic:
  Fix Committed
Status in python-ldappool source package in Cosmic:
  Fix Committed
Status in keystone source package in Disco:
  Fix Released
Status in python-ldappool source package in Disco:
  Fix Released

Bug description:
  [Impact]
  Keystone LDAP backend doesn't work for PY3.

  Under Python 2, python-ldap uses bytes by default. Under Python 3 this
  is removed and bytes aren't allowed for DN/RDN/field names.

  More details are here: http://www.python-ldap.org/en/latest/bytes_mode.html#bytes-mode
  and here: https://github.com/python-ldap/python-ldap/blob/python-ldap-3.1.0/Lib/ldap/ldapobject.py#L111

  == initial traceback ==

  Here's the initial traceback from the failure:
  https://paste.ubuntu.com/p/67THZb2m5m/

  The last bit of the error is:

    File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 314, in _ldap_call
      result = func(*args,**kwargs)
  TypeError: simple_bind() argument 1 must be str or None, not bytes

  A closer look at func shows:

  func=<built-in method simple_bind of LDAP object at 0x7f9d0177b760>
  args=(b'cn=admin,dc=test,dc=com', b'crapper', None, None)

  == keystone ldap backend use of python-ldap ==

  In simple_bind_s() of keystone's ldap backend, who and cred are
  encoded as byte strings:

  https://github.com/openstack/keystone/blob/14.0.0/keystone/identity/backends/ldap/common.py#L885

  but that appears to no longer be valid use of python-ldap for py3.

  
  [Test Case]

  Run charm-keystone-ldap functional tests for OpenStack Rocky or above.

  [Regression Potential]
  The only regression potential would be for PY2 code paths. PY3 code paths never worked for keystone's LDAP backend. The approach to the patch has purposefully minimized the amount of code required and therefore the regression potential for PY2. Note that Rocky for Ubuntu supports PY2, but as of Stein, Ubuntu has dropped PY2 support.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1798184/+subscriptions
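
Added example, not part of the original bug report and not keystone or python-ldap code: a sketch of normalising values at the python-ldap boundary on Python 3, where text fields (DNs, RDNs, attribute names, queries) must be str. The helper names are hypothetical, and keeping attribute values as bytes is taken from python-ldap's bytes-mode documentation rather than from this report.

```python
# Added example: normalise values at the python-ldap boundary (Python 3).
# Helper names are hypothetical; none of this is keystone or python-ldap code.

def to_text(value, field):
    """Return `value` as str for a text field (DN, RDN, attribute name, filter)."""
    if value is None or isinstance(value, str):
        return value
    if isinstance(value, bytes):
        # Strict decode: a DN that is not valid UTF-8 should fail loudly here,
        # not be silently altered before it reaches the directory.
        return value.decode("utf-8")
    raise TypeError("%s must be str, bytes or None, not %s"
                    % (field, type(value).__name__))


def to_value_bytes(value):
    """Attribute *values* stay bytes (assumption from python-ldap docs)."""
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def prepare_add(dn, attrs):
    """Build (dn, addlist) with text DN/attribute names and bytes values."""
    addlist = []
    for name, values in attrs.items():
        if isinstance(values, (str, bytes)):
            values = [values]
        addlist.append((to_text(name, "attribute name"),
                        [to_value_bytes(v) for v in values]))
    return to_text(dn, "dn"), addlist


def bytes_in_text_fields(**fields):
    """Names of text fields still passed as bytes (these raise TypeError)."""
    return sorted(k for k, v in fields.items() if isinstance(v, bytes))


if __name__ == "__main__":
    # Constructed input; the bind DN is the one shown in the traceback above.
    who = b"cn=admin,dc=test,dc=com"
    print(bytes_in_text_fields(who=who, filterstr="(objectClass=*)"))
    print(prepare_add(b"cn=j\xc3\xb6rg,dc=test,dc=com",
                      {b"cn": "j\u00f6rg", "objectClass": [b"person"]}))
```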


