[Openstack] [keystone] ldap id backend + fernet token issue, Kilo

Morgan Fainberg morgan.fainberg at gmail.com
Wed May 27 17:04:48 UTC 2015


Hi Hans,

Thanks for the heads up on this. Let me take a closer look and make sure we have this addressed (and tested for) in the upstream code base. 

I think I know where this came from. I'll check to make sure we don't already have a bug on this and/or if you have an open bug in launchpad. If this is still outstanding I'll make sure we prioritize getting this cleaned up appropriately. Having Fernet (non-persistent tokens) as a solid option for Keystone deployment is really important to us (the upstream team) since it solves a major scaling issue with Keystone. 

--Morgan

Sent via mobile

> On May 27, 2015, at 05:46, Hans Feldt <hans.feldt at ericsson.com> wrote:
> 
> Hi,
> 
> When playing with some keystone deployment alternatives I stumbled on a keystone issue:
> 
>> 2015-05-27 12:11:52.946 57 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=Groups,dc=acme,dc=org scope=1 filterstr=(&(&(objectClass=groupOfNames)(member=uid=john,ou=Users,dc=acme,dc=org))(objectClass=groupOfNames)) attrs=['ou', 'cn', 'description'] attrsonly=0 search_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:931
>> 2015-05-27 12:11:52.946 57 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:904
>> 2015-05-27 12:11:52.946 57 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: default, Default Driver: True, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
>> 2015-05-27 12:11:52.955 57 ERROR keystone.token.providers.fernet.token_formatters [-] john
>> 2015-05-27 12:11:52.955 57 ERROR keystone.common.wsgi [-] badly formed hexadecimal UUID string
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi Traceback (most recent call last):
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     result = method(context, **params)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 397, in authenticate_for_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     parent_audit_id=token_audit_id)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 344, in issue_v3_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     parent_audit_id)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 198, in issue_v3_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     federated_info=federated_dict)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 133, in create_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     audit_ids)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 416, in assemble
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     b_user_id = cls.convert_uuid_hex_to_bytes(user_id)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py", line 239, in convert_uuid_hex_to_bytes
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     uuid_obj = uuid.UUID(uuid_string)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/uuid.py", line 134, in __init__
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi     raise ValueError('badly formed hexadecimal UUID string')
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi ValueError: badly formed hexadecimal UUID string
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi
>> 2015-05-27 12:11:52.958 57 INFO eventlet.wsgi.server [-] 172.17.0.26 - - [27/May/2015 12:11:52] "POST /v3/auth/tokens HTTP/1.1" 500 490 0.029590
> 
> Switching to UUID tokens it works. Switching to SQL Identity backend and fernet tokens works.
> 
> The combination of LDAP identity backend and fernet tokens gives me the above log for any request with name/password. Reproducible always.
> 
> I have a very minimalistic "cloud" setup with only 2 or 3 docker containers. One with the SQL DB, one for Keystone and optionally one for LDAP.
> 
> I use Ubuntu 15.04 as base image for my containers that includes Kilo. I've patched keystone with the following changeset to make it work (with LDAP):
> 
> commit 2c6db4a3bb9e1718744b0e5b03af050fd2866182
> Author: Edmund Rhudy <erhudy at bloomberg.net>
> Date:   Thu May 21 12:42:40 2015 -0400
> 
>    Make sure LDAP filter is constructed correctly
> 
> Thanks,
> Hans
> 
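The traceback Hans quotes shows where the LDAP/Fernet combination breaks: `assemble()` in the Fernet token formatter passes the user id through `convert_uuid_hex_to_bytes()`, which calls `uuid.UUID()` and so only accepts a 32-hex-digit id; an LDAP user id such as `john` is not one, hence `badly formed hexadecimal UUID string` and the HTTP 500. The block below is an added illustration for this thread, not keystone code and not the upstream fix: it reproduces the strict conversion from the trace, then shows a hypothetical tolerant packing (`pack_user_id`/`unpack_user_id`, names chosen here) that keeps the compact 16-byte form for UUID ids and falls back to the raw string otherwise, tagged so it round-trips. The sample UUID id is constructed.

```python
import uuid

# Constructed sample ids: a SQL-backend style UUID hex id and the LDAP id from the log.
SQL_USER_ID = "8cdbc0b3f6b14a3f9d1f1e2e4c5b6a70"  # constructed for this example
LDAP_USER_ID = "john"                              # as seen in the quoted trace


def convert_uuid_hex_to_bytes(uuid_string):
    """Strict conversion, mirroring what the trace shows Kilo doing:
    uuid.UUID() raises ValueError for anything but 32 hex digits."""
    return uuid.UUID(uuid_string).bytes


def strict_conversion_fails(user_id):
    """Return the ValueError message the strict path raises, or None if it succeeds.
    For 'john' this is exactly the message in the quoted traceback."""
    try:
        convert_uuid_hex_to_bytes(user_id)
    except ValueError as exc:
        return str(exc)
    return None


def pack_user_id(user_id):
    """Hypothetical tolerant packing (illustration only, not keystone's fix):
    a leading tag byte records whether the body is the 16-byte UUID form
    (0x00) or the raw UTF-8 id string (0x01)."""
    try:
        return b"\x00" + convert_uuid_hex_to_bytes(user_id)
    except ValueError:
        return b"\x01" + user_id.encode("utf-8")


def unpack_user_id(packed):
    """Inverse of pack_user_id: restore the original id string from the tagged bytes."""
    tag, body = packed[:1], packed[1:]
    if tag == b"\x00":
        return uuid.UUID(bytes=body).hex
    if tag == b"\x01":
        return body.decode("utf-8")
    raise ValueError("unknown user id tag %r" % tag)


if __name__ == "__main__":
    for user_id in (SQL_USER_ID, LDAP_USER_ID):
        print(user_id, "strict error:", strict_conversion_fails(user_id))
        packed = pack_user_id(user_id)
        print("  packed %d bytes, round-trips: %s" % (len(packed), unpack_user_id(packed) == user_id))
```

The point for anyone deploying a non-SQL identity backend: a token format that assumes a particular id shape has to be checked against every identity driver in use, since the Fernet payload is assembled before it is signed and encrypted, and a ValueError at that stage surfaces to the client as a 500 rather than an authentication failure.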