
yahoo-eng-team team mailing list archive

[Bug 1218094] Re: Multi domain code not searching domains for LDAP read only users


https://blueprints.launchpad.net/keystone/+spec/revert-multiple-ldap-servers

** Changed in: keystone
       Status: In Progress => Won't Fix

** Changed in: keystone
    Milestone: next => None

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1218094

Title:
  Multi domain code not searching domains for LDAP read only users

Status in OpenStack Identity (Keystone):
  Won't Fix

Bug description:
  We have the need to authenticate users from multiple read-only LDAP
  servers. I decided to differentiate the LDAP servers by configuring
  them to different domains and then use the new multi-domain backend
  keystone feature to authenticate them. The new keystone code
  successfully locates and configures multiple domains (decorator
  "domains_configured(f)" in file "keystone/identity/core.py" ), but
  this information is not applied when locating users (i.e. get_user).
  The problem/bug has to do with the assumption that all users have
  entries in the common-local keystone SQL database when in fact they
  may only have entries in any one of the domain specific backends. To
  get my local test setup working, I added user search code inline to 2
  of the methods in file "keystone/identity/core.py". While my code
  samples are not a final fix, they do exemplify the problem and what it
  takes to fix it.

  I also want to mention that the keystone multi domain code reads files
  from the keystone/domains directory over and over again. Eventually
  this information should get cached to eliminate the time required to
  read files from the hard drive.

  ------------

   diff /home/swift/keystone-master_08202013/keystone/identity/core.py /usr/local/lib/python2.7/dist-packages/keystone/identity/core.py
  32d31
  <
  37d35
  <
  282,283c280,291
  <         domain_id, driver = self._get_domain_id_and_driver(domain_scope)
  <         ref = driver.get_user(user_id)
  ---
  >         # try to find domain_id/domain_scope
  >         if domain_scope is None:
  >             for domain_id in self.domain_configs:
  >                 domain_id, driver = self._get_domain_id_and_driver(domain_id)
  >               try:
  >                     ref = driver.get_user(user_id)
  >                 except exception.UserNotFound as ex:
  >                     continue
  >         else:
  >             domain_id, driver = self._get_domain_id_and_driver(domain_scope)
  >             ref = driver.get_user(user_id)
  >
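Review bot: the `for domain_id in self.domain_configs:` loop in this hunk never breaks after a successful `driver.get_user(user_id)`, and when every driver raises `exception.UserNotFound` the loop falls through with `ref` never assigned, so the code after the hunk reads an unbound name instead of raising the `UserNotFound` the caller expects. Because there is no `break`, an id that exists in two backends is looked up in both and `domain_id` ends up naming whichever domain was iterated last, which need not be the one `ref` came from; with a dict as the iteration source that choice is also not stable between runs. Suggested shape: `break` right after the successful `get_user`, `raise exception.UserNotFound(user_id=user_id)` after the loop when nothing matched, and either reject an id that resolves in more than one domain or state explicitly that the first match wins. Two smaller points: the `try:` line is indented two columns less than its `except`, which is a syntax error as pasted, and the bound `ex` is never used.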
  375,376c383,393
  <         domain_id, driver = self._get_domain_id_and_driver(domain_scope)
  <         group_list = driver.list_groups_for_user(user_id)
  ---
  >         if domain_scope is None:
  >             for domain_id in self.domain_configs:
  >                 domain_id, driver = self._get_domain_id_and_driver(domain_id)
  >                 try:
  >                     group_list = driver.list_groups_for_user(user_id)
  >                 except exception.UserNotFound as ex:
  >                     continue
  >         else:
  >             domain_id, driver = self._get_domain_id_and_driver(domain_scope)
  >             group_list = driver.list_groups_for_user(user_id)
  >
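Review bot: this hunk has the same unbound-name and missing-`break` problems as the `get_user` hunk (`group_list` is never assigned if every driver raises, and the last iterated domain overwrites `domain_id`), but catching `UserNotFound` is a weaker guard here: a `list_groups_for_user` call can legitimately return an empty list for a user the backend does not know rather than raising, in which case the loop simply continues and the result from the last domain wins. A safer structure is to resolve which domain the user belongs to first (the same search `get_user` performs) and then call `driver.list_groups_for_user(user_id)` on that single driver, so group membership is only ever read from the backend that actually holds the user.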

  -------------------

  diff /home/swift/keystone-master_08202013/keystone/common/sql/core.py /usr/local/lib/python2.7/dist-packages/keystone/common/sql/core.py
  248a249,252
  >     def __init__(self, *args, **kwargs):
  >>         super(Base, self).__init__()
  >
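Review bot: the added `__init__(self, *args, **kwargs)` accepts arguments and then calls `super(Base, self).__init__()` with none of them, so anything a caller passes to a model constructor is silently dropped; if the parent constructor sets column values from keyword arguments (as a SQLAlchemy declarative base does), this turns `Model(name=...)` into an empty row without any error. The bug description does not say why this override is needed for the multi-domain lookup, so either drop it or forward the arguments (`super(Base, self).__init__(*args, **kwargs)`) and explain the purpose. Note also that the second line carries a doubled `>` prefix, which `diff` does not emit, so the hunk as pasted will not apply cleanly.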

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1218094/+subscriptions
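The lookup the bug report describes, written out as an added, self-contained example rather than Keystone's own code: an unscoped `user_id` is searched across every configured domain driver, a user found nowhere raises `UserNotFound`, a user found in more than one domain is rejected as ambiguous instead of letting iteration order decide, and group membership is read only from the domain that actually holds the user. `InMemoryDriver`, `AmbiguousUser`, `find_user`, `groups_for_user` and the sample domain data are all constructed for this illustration; they mimic the `driver.get_user(user_id)` / `UserNotFound` contract the report refers to but are not the `keystone.identity` API.

```python
"""Added example (not Keystone code): resolve a user across several
domain-specific identity drivers when the caller gives no domain scope.

Everything below is constructed for illustration. The driver objects
mimic the get_user(user_id) / UserNotFound contract mentioned in the bug
report; they are not the real keystone.identity drivers."""


class UserNotFound(Exception):
    """Raised by a driver when the user id is not in its backend."""


class AmbiguousUser(Exception):
    """Raised when the same user id resolves in more than one domain."""


class InMemoryDriver(object):
    """Stand-in for a read-only LDAP identity driver (constructed data)."""

    def __init__(self, users):
        # users: {user_id: {"name": ..., "groups": [...]}}
        self._users = users

    def get_user(self, user_id):
        try:
            return dict(self._users[user_id])
        except KeyError:
            raise UserNotFound(user_id)

    def list_groups_for_user(self, user_id):
        # This stand-in returns [] for an unknown user instead of raising,
        # so "no exception" is not proof that the user exists here.
        return list(self._users.get(user_id, {}).get("groups", []))


def find_user(domain_drivers, user_id, domain_scope=None):
    """Return (domain_id, user_ref) for user_id.

    domain_drivers is an ordered list of (domain_id, driver) pairs, so
    resolution never depends on dict iteration order. With a domain_scope
    only that domain is consulted. Without one every domain is searched:
    no hit raises UserNotFound, more than one hit raises AmbiguousUser.
    """
    if domain_scope is not None:
        drivers = [(d, drv) for d, drv in domain_drivers if d == domain_scope]
        if not drivers:
            raise UserNotFound(user_id)
    else:
        drivers = list(domain_drivers)

    hits = []
    for domain_id, driver in drivers:
        try:
            ref = driver.get_user(user_id)
        except UserNotFound:
            continue
        hits.append((domain_id, ref))

    if not hits:
        raise UserNotFound(user_id)
    if len(hits) > 1:
        raise AmbiguousUser(user_id, [d for d, _ in hits])
    domain_id, ref = hits[0]
    ref["domain_id"] = domain_id
    return domain_id, ref


def groups_for_user(domain_drivers, user_id, domain_scope=None):
    """Locate the user first, then ask only its own domain for groups."""
    domain_id, _ = find_user(domain_drivers, user_id, domain_scope)
    driver = dict(domain_drivers)[domain_id]
    return driver.list_groups_for_user(user_id)


# Constructed sample data: two read-only LDAP-like domains plus one user
# id ("shared") present in both, to exercise the ambiguity path.
DOMAINS = [
    ("ldap-eu", InMemoryDriver({
        "alice": {"name": "alice", "groups": ["eu-admins"]},
        "shared": {"name": "shared-eu", "groups": ["eu-users"]},
    })),
    ("ldap-us", InMemoryDriver({
        "bob": {"name": "bob", "groups": ["us-ops"]},
        "shared": {"name": "shared-us", "groups": ["us-users"]},
    })),
]


if __name__ == "__main__":
    print(find_user(DOMAINS, "bob"))          # found by searching all domains
    print(groups_for_user(DOMAINS, "alice"))  # groups from the eu domain only
    try:
        find_user(DOMAINS, "shared")
    except AmbiguousUser as e:
        print("ambiguous: %s" % (e,))
```

The ordered list of drivers and the explicit ambiguity check are the two design choices worth carrying into a real fix: with read-only directories you cannot guarantee that user ids are unique across domains, and an unscoped lookup that silently returns the first (or last) backend to answer turns an id collision into an identity mix-up.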