[Bug 1998789] Re: [SRU] PooledLDAPHandler.result3 does not release pool connection back when an exception is raised
Mustafa Kemal Gilor
1998789 at bugs.launchpad.net
Thu Oct 5 07:52:05 UTC 2023
** Patch added: "uca_focal_victoria.debdiff"
https://bugs.launchpad.net/keystone/+bug/1998789/+attachment/5706976/+files/uca_focal_victoria.debdiff
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1998789
Title:
[SRU] PooledLDAPHandler.result3 does not release pool connection back
when an exception is raised
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive ussuri series:
New
Status in Ubuntu Cloud Archive victoria series:
New
Status in Ubuntu Cloud Archive wallaby series:
New
Status in Ubuntu Cloud Archive xena series:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in Ubuntu Cloud Archive zed series:
New
Status in OpenStack Identity (keystone):
Fix Released
Status in keystone package in Ubuntu:
New
Status in keystone source package in Focal:
New
Status in keystone source package in Jammy:
New
Bug description:
[Impact]
This SRU is a backport of
https://review.opendev.org/c/openstack/keystone/+/866723 to the
respective Ubuntu and UCA releases. The patch is merged to the all
respective upstream branches (master & stable/[u,v,w,x,y,z]).
This SRU intends to fix a denial-of-service bug that happens when
keystone uses pooled ldap connections. In pooled ldap connection mode,
keystone borrows a connection from the pool, do the LDAP operation and
release it back to the pool. But, if an exception or error happens
while the LDAP connection is still borrowed, Keystone fails to release
the connection back to the pool, hogging it forever. If this happens
for all the pooled connections, the connection pool will be exhausted
and Keystone will no longer be able to perform LDAP operations.
The fix corrects this behavior by allowing the connection to release
back to the pool even if an exception/error happens during the LDAP
operation.
[Test Case]
- Deploy an LDAP server of your choice
- Fill it with many data so the search takes more than `pool_connection_timeout` seconds
- Define a keystone domain with the LDAP driver with following options:
[ldap]
use_pool = True
page_size = 100
pool_connection_timeout = 3
pool_retry_max = 3
pool_size = 10
- Point the domain to the LDAP server
- Try to login to the OpenStack dashboard, or try to do anything that uses the LDAP user
- Observe the /var/log/apache2/keystone_error.log, it should contain ldap.TIMEOUT() stack traces followed by `ldappool.MaxConnectionReachedError` stack traces
To confirm the fix, repeat the scenario and observe that the
"/var/log/apache2/keystone_error.log" does not contain
`ldappool.MaxConnectionReachedError` stack traces and LDAP operation
in motion is successful (e.g. OpenStack Dashboard login)
[Regression Potential]
The patch is quite trivial and should not affect any deployment in a negative way. The LDAP pool functionality can be disabled by setting "use_pool=False" in case of any regression.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1998789/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list