[openstack-dev] [Keystone] NNN_additional_attribute_mapping

Alexander V Makarov amakarov at mirantis.com
Fri Sep 5 10:25:26 UTC 2014


Greetings!

I think I found a problem in extra attributes handling in LDAP backend.
Also I'd like to propose a solution :)

There is a bug https://bugs.launchpad.net/keystone/+bug/1336769
"LDAP additional attribute mappings do not care about model attribute"
reported by Marcos Lobo (https://launchpad.net/~marcos-fermin-lobo)

It describes a problem where the server handles requests without any warning
about model data mismatches.
First of all I've noticed that all is about optional attributes and it
seems to be okay to handle them as I see fit. But in the end Marcos
states:
"I have a mistake in the keystone.conf file and everything is working
properly."

This got my attention and I've decided to check field mappings, model
validations CRUD and anything available in that direction.
I found nothing about model validation. Really, there is no means to be
sure you received valid data from LDAP backend.

Furthermore, keystone.common.ldap.core.BaseLdap._ldap_res_to_model()
completely ignores the extra fields mapping while translating data received
from the LDAP server to the model structure.
Tests correctly cover only create operation, checking model to ldap
field mapping:
keystone.tests.test_backend_ldap.LDAPIdentity.test_user_extra_attribute_mapping().
But test for retrieval only covers case when "description" mapped to
"description":
keystone.tests.test_backend_ldap.LDAPIdentity.test_user_extra_attribute_mapping_description_is_returned()

The test passes not because the extra mapping works but due to the default
behaviour of generic mapping: if a mapping is not found, pass the field as is.

I added required attribute validation to keystone.common.models.Model,
but applying it resulted in many test failures.
Further analysis revealed that there are some algorithms depending on
behaviour such as saving/retrieving model instances without some fields
declared in a model as required.
So I had to fall back to a warning instead of raising a validation error.

The patch awaits review and I'm in doubt: is there a single bug, or does it
have to be split?
https://review.openstack.org/#/c/118590/

Kind Regards,
Alexander Makarov,
Senior Developer,

Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia

Tel.: +7 (495) 640-49-04
Tel.: +7 (926) 204-50-60
Skype: MAKAPOB.AJIEKCAHDP
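
The masking effect described in the message above, as an added example that is not part of the original post and is not Keystone's code: a simplified model of the read path showing why a "description:description" test cannot detect an ignored extra mapping, while a renaming mapping can. All function names, the sample entry and the "ldap_attr:model_attr" pair format are assumptions made for illustration.

```python
import warnings

# Constructed sample data; names below are hypothetical, not Keystone's API.
ENTRY = {"cn": ["jdoe"], "description": ["ops account"], "displayName": ["J. Doe"]}
CORE_MAPPING = {"name": "cn"}  # model attribute -> LDAP attribute


def parse_extra_mapping(pairs):
    """Parse 'ldap_attr:model_attr' strings (assumed format) into a dict."""
    mapping = {}
    for pair in pairs:
        ldap_attr, sep, model_attr = (p.strip() for p in pair.partition(":"))
        if not (sep and ldap_attr and model_attr):
            raise ValueError("malformed mapping: %r" % pair)
        mapping[ldap_attr] = model_attr
    return mapping


def res_to_model(entry, core_mapping, extra_mapping=None):
    """Translate an LDAP entry to a model dict.

    extra_mapping=None models the read path described in the message,
    where the additional attribute mapping is never consulted.
    """
    reverse = {ldap: model for model, ldap in core_mapping.items()}
    reverse.update(extra_mapping or {})
    # Generic default: an attribute with no mapping passes through unchanged.
    return {reverse.get(attr, attr): vals[0] for attr, vals in entry.items()}


def missing_required(model, required):
    """Warn (rather than raise) about required attributes the model lacks."""
    missing = sorted(set(required) - set(model))
    if missing:
        warnings.warn("missing required attributes: " + ", ".join(missing))
    return missing


if __name__ == "__main__":
    same = parse_extra_mapping(["description:description"])
    renamed = parse_extra_mapping(["displayName:full_name"])
    # Identity mapping: ignoring it changes nothing, so a test passes anyway.
    print(res_to_model(ENTRY, CORE_MAPPING) == res_to_model(ENTRY, CORE_MAPPING, same))
    # Renaming mapping: the ignored mapping is now visible in the result.
    print(res_to_model(ENTRY, CORE_MAPPING))
    print(res_to_model(ENTRY, CORE_MAPPING, renamed))
```

A retrieval test built on a renaming mapping fails when the mapping is skipped, which is the coverage the message says is missing.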



