[Openstack] Possible Bug: Support domain-specific Identity Backends

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Wed Aug 21 23:32:53 UTC 2013 

Hello,

I am trying to test multiple split LDAP frontends based off of multiple domains (i.e. one LDAP server per domain).  I have the identity and ldap sections of file "keystone.conf" configured as follows:

keystone.conf:


[identity]
# driver = keystone.identity.backends.sql.Identity
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008.  The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
default_domain_id = default

[ldap]

I have 2 domains (Default and MyDomain) and in the domains directory I have 2 files with identical content named "keystone.Default.conf" and "keystone.MyDomain.conf".

[identity]
driver = keystone.identity.backends.ldap.Identity

[ldap]
# url = "ldap://ldap.hp.com:389"
url = "ldaps://ldap.hp.com:636"
user = "cn=CloudOSKeystoneDev, ou=Applications, o=hp.com"
password = "secretword"
suffix = "o=hp.com"

# suffix = cn=example,cn=com
use_dumb_member = False
allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

# Maximum results per page; a value of zero ('0') disables paging (default)
page_size = 0

# The LDAP dereferencing option for queries. This can be either 'never',
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
# back to using default dereferencing configured by your ldap.conf.
alias_dereferencing = never

# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
query_scope = sub

user_tree_dn = ou=People,o=hp.com
user_filter = "(hpStatus=Active)"
user_objectclass = hpPerson
user_domain_id_attribute = Groups
user_id_attribute = uid
user_name_attribute = cn
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_mask = 0
# user_enabled_attribute =
# user_enabled_default =
user_attribute_ignore = tenant_id,tenants
user_allow_create = False
user_allow_update = False
user_allow_delete = False
user_enabled_emulation = False
user_enabled_emulation_dn = Noneuse_tls = False

use_tls = False
tls_cacertfile =  "/etc/keystone/ssl/certs/hpca2ssG2_ns.cer"
tls_req_cert = demand

I also have a role assigned to user mark.m.miller at hp.com<mailto:mark.m.miller at hp.com> for project "myapp" in domain "MyDomain" and can get a token with the following JSON script:

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "MyDomain"
                    },
                    "id": "mark.m.miller at hp.com",
                    "password": "secretword"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "MyDomain"
                },
                "name": "myapp"
            }
        }
    }
}

If I change the domain name  to "Default" in the JSON script above I get an unauthorized response as expected. Now I wanted to make sure that the Keystone code was indeed accessing the correct configuration file in directory "/etc/keystone/domains" so I changed the contents of the file "keystone.Default.conf" to:

[identity]
driver = keystone.identity.backends.sql.Identity

[ldap]

In order to force Keystone to use an SQL Identity backend for the default domain. When I do I get the following error for the token request above (Note: the INFO log lines with "********" in them were added by me):

2013-08-21 16:21:38    DEBUG [routes.middleware] Matched POST /auth/tokens
2013-08-21 16:21:38    DEBUG [routes.middleware] Route path: '{path_info:.*}', defaults: {'controller': <keystone.contrib.s3.core.S3Extension object at 0x3ccb810>}
2013-08-21 16:21:38    DEBUG [routes.middleware] Match dict: {'controller': <keystone.contrib.s3.core.S3Extension object at 0x3ccb810>, 'path_info': '/auth/tokens'}
2013-08-21 16:21:38    DEBUG [routes.middleware] Matched POST /auth/tokens
2013-08-21 16:21:38    DEBUG [routes.middleware] Route path: '{path_info:.*}', defaults: {'controller': <keystone.common.wsgi.ComposingRouter object at 0x3cd5550>}
2013-08-21 16:21:38    DEBUG [routes.middleware] Match dict: {'controller': <keystone.common.wsgi.ComposingRouter object at 0x3cd5550>, 'path_info': '/auth/tokens'}
2013-08-21 16:21:38    DEBUG [routes.middleware] Matched POST /auth/tokens
2013-08-21 16:21:38    DEBUG [routes.middleware] Route path: '/auth/tokens', defaults: {'action': u'authenticate_for_token', 'controller': <keystone.auth.controllers.Auth object at 0x3ccb410>}
2013-08-21 16:21:38    DEBUG [routes.middleware] Match dict: {'action': u'authenticate_for_token', 'controller': <keystone.auth.controllers.Auth object at 0x3ccb410>}
2013-08-21 16:21:38     INFO [keystone.identity.core] ***************  class Manager, method:__init__ **************
2013-08-21 16:21:38,570 INFO sqlalchemy.engine.base.Engine SELECT domain.id AS domain_id, domain.name AS domain_name, domain.enabled AS domain_enabled, domain.extra AS domain_extra
FROM domain
WHERE domain.name = %s
2013-08-21 16:21:38     INFO [sqlalchemy.engine.base.Engine] SELECT domain.id AS domain_id, domain.name AS domain_name, domain.enabled AS domain_enabled, domain.extra AS domain_extra
FROM domain
WHERE domain.name = %s
2013-08-21 16:21:38,571 INFO sqlalchemy.engine.base.Engine ('MyDomain',)
2013-08-21 16:21:38     INFO [sqlalchemy.engine.base.Engine] ('MyDomain',)
2013-08-21 16:21:38,574 INFO sqlalchemy.engine.base.Engine SELECT project.id AS project_id, project.name AS project_name, project.domain_id AS project_domain_id, project.description AS project_description, project.enabled AS project_enabled, project.extra AS project_extra
FROM project
WHERE project.name = %s AND project.domain_id = %s
2013-08-21 16:21:38     INFO [sqlalchemy.engine.base.Engine] SELECT project.id AS project_id, project.name AS project_name, project.domain_id AS project_domain_id, project.description AS project_description, project.enabled AS project_enabled, project.extra AS project_extra
FROM project
WHERE project.name = %s AND project.domain_id = %s
2013-08-21 16:21:38,575 INFO sqlalchemy.engine.base.Engine ('myapp', '464bdc5784a446378a85f99a25d216b4')
2013-08-21 16:21:38     INFO [sqlalchemy.engine.base.Engine] ('myapp', '464bdc5784a446378a85f99a25d216b4')
2013-08-21 16:21:38     INFO [keystone.identity.core] ***************  class Manager, method:__init__ **************
2013-08-21 16:21:38,580 INFO sqlalchemy.engine.base.Engine SELECT domain.id AS domain_id, domain.name AS domain_name, domain.enabled AS domain_enabled, domain.extra AS domain_extra
FROM domain
WHERE domain.name = %s
2013-08-21 16:21:38     INFO [sqlalchemy.engine.base.Engine] SELECT domain.id AS domain_id, domain.name AS domain_name, domain.enabled AS domain_enabled, domain.extra AS domain_extra
FROM domain
WHERE domain.name = %s
2013-08-21 16:21:38,581 INFO sqlalchemy.engine.base.Engine ('Default',)
2013-08-21 16:21:38     INFO [sqlalchemy.engine.base.Engine] ('Default',)
2013-08-21 16:21:38    ERROR [keystone.common.wsgi] object.__init__() takes no parameters
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 237, in __call__
    result = method(context, **params)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 287, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 344, in authenticate
    auth_context)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/password.py", line 103, in authenticate
    user_info = UserAuthInfo(auth_payload)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/password.py", line 34, in __init__
    self._validate_and_normalize_auth_data(auth_payload)
  File "/usr/local/lib/python2.7/dist-packages/keystone/auth/plugins/password.py", line 87, in _validate_and_normalize_auth_data
    user_ref = self.identity_api.get_user(user_id)
  File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 170, in wrapper
    self.driver, self.assignment_api)
  File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 126, in setup_domain_drivers
    names[1])
  File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 106, in _load_config
    self._load_driver(assignment_api, domain)
  File "/usr/local/lib/python2.7/dist-packages/keystone/identity/core.py", line 83, in _load_driver
    domain_config['cfg'].identity.driver, domain_config['cfg']))
  File "/usr/local/lib/python2.7/dist-packages/keystone/openstack/common/importutils.py", line 40, in import_object
    return import_class(import_str)(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystone/common/dependency.py", line 51, in wrapper
    self.__wrapped_init__(*args, **kwargs)
TypeError: object.__init__() takes no parameters
2013-08-21 16:21:38     INFO [access] 15.253.57.88 - - [21/Aug/2013:23:21:38 +0000] "POST https://havanatest:35357/v3/auth/tokens HTTP/1.0" 400 100

Mark

From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
Sent: Monday, August 19, 2013 4:33 PM
To: openstack at lists.openstack.org
Subject: [Openstack] Fwd: [keystone] Support domain-specific Identity Backends


On Mon, Aug 19, 2013 at 6:09 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.miller at hp.com<mailto:mark.m.miller at hp.com>> wrote:
Hello Dolph,

We have recently been looking for a way to access multiple LDAP servers from a single Keystone server. It looks like the code you just finished provides this functionality. Am I correct?

I assume you're referring to this blueprint:

  https://blueprints.launchpad.net/keystone/+spec/multiple-ldap-servers

Which was implemented in a commit by henry nash:

  https://review.openstack.org/#/c/39530/

If so, do you have any sample configuration files that demonstrate how it is implemented?

The change in itself describes basic impact on configuration:

  https://review.openstack.org/#/c/39530/21/doc/source/configuration.rst

Subsequent doc work is being tracked against openstack-manuals:

  https://bugs.launchpad.net/openstack-manuals/+bug/1209255


Regards,

Mark Miller




--

-Dolph



--

-Dolph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130821/c3025872/attachment.html>

More information about the Openstack mailing list