yahoo-eng-team team mailing list archive
Message #23894
[Bug 1382822] [NEW] Adding a user to a domain fails with ldap identity and sql assignment driver
Public bug reported:
1) Following is the configuration in keystone.conf. Domain specific drivers are not enabled.

    [assignment]
    driver = keystone.assignment.backends.sql.Assignment

    [identity]
    driver = keystone.identity.backends.ldap.Identity

1) Create a domain using curl.

    curl -k -sX POST -H "X-Auth-Token:7f981073c17e4288adaa69291d7873bb" -H "Accept: application/json" -H "Content-Type: application/json" -H "Content-type: application/json" https://<ip>:5000/v3/domains -d '{"domain": {"description": "MaheshTest","enabled": "true","name": "MaheshTest"}}'

2) Check if the domain is created. Indeed it's there.

    curl -k -sX GET -H "X-Auth-Token:7f981073c17e4288adaa69291d7873bb" -H "Accept: application/json" -H "Content-Type: application/json" -H "Content-type: application/json" https://172.20.14.120:5000/v3/domains/172e2bb98f744d21b1b8124d39ef7500

    {"domain": {"links": {"self": "https://192.168.101.10:5000/v3/domains/172e2bb98f744d21b1b8124d39ef7500"}, "enabled": true, "description": "MaheshTest", "name": "MaheshTest", "id": "172e2bb98f744d21b1b8124d39ef7500"}}

3) Try creating a user in this domain

    curl -k -sX POST -H "X-Auth-Token:7f981073c17e4288adaa69291d7873bb" -H "Accept: application/json" -d '{"user":{"name": "mahesh_in_domain","password": "Sm4rtcl0ud!","enabled": true,"email": "mahesh@xxxxxxxxx","domain_id":"172e2bb98f744d21b1b8124d39ef7500" }}' -H "Content-type: application/json" https://172.20.14.120:5000/v3/users

The problem is this function in file
/usr/lib/python2.6/site-packages/keystone/identity/core.py:
_clear_domain_id should not be called if domain specific drivers are
not enabled, more so considering it's an experimental feature. Also, I
don't really understand why the ldap driver is marked as domain_aware
false; that may be a candidate for a new bug.

    def create_user(self, user_id, user_ref):
        user = user_ref.copy()
        user['name'] = clean.user_name(user['name'])
        user.setdefault('enabled', True)
        user['enabled'] = clean.user_enabled(user['enabled'])

        # For creating a user, the domain is in the object itself
        domain_id = user_ref['domain_id']
        driver = self._select_identity_driver(domain_id)
        if not driver.is_domain_aware():
            user = self._clear_domain_id(user)
        ref = driver.create_user(user_id, user)
        if not driver.is_domain_aware():
            ref = self._set_domain_id(ref, domain_id)
        return ref

    def _clear_domain_id(self, ref):
        # Clear the domain_id, and then check to ensure that if this
        # was not the default domain, it is being handled by its own
        # backend driver.
        ref = ref.copy()
        domain_id = ref.pop('domain_id', CONF.identity.default_domain_id)
        if (domain_id != CONF.identity.default_domain_id and
                domain_id not in self.domain_configs):
            raise exception.DomainNotFound(domain_id=domain_id)
        return ref

** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1382822
Title:
Adding a user to a domain fails with ldap identity and sql assignment
driver
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1382822/+subscriptions
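
Added illustration, not part of the original report and not Keystone's own code: a stand-alone model of the two functions quoted in the report, showing which domain_id values end in DomainNotFound when the identity driver is not domain aware. StubDriver, Manager, outcome, the "default" domain id, and the bodies given to _select_identity_driver and _set_domain_id are assumptions made for this example.

```python
DEFAULT_DOMAIN_ID = "default"  # stands in for CONF.identity.default_domain_id

class DomainNotFound(Exception):
    """Stand-in for keystone.exception.DomainNotFound."""

class StubDriver:
    """Hypothetical driver that reports is_domain_aware() == False."""
    def is_domain_aware(self):
        return False
    def create_user(self, user_id, user):
        return dict(user, id=user_id)

class Manager:
    def __init__(self, domain_configs=None):
        self.driver = StubDriver()
        # Empty when domain-specific drivers are not enabled.
        self.domain_configs = domain_configs or {}

    def _select_identity_driver(self, domain_id):
        # Assumption: fall back to the single configured driver.
        return self.domain_configs.get(domain_id, self.driver)

    def _clear_domain_id(self, ref):
        # Same check as the function quoted in the report.
        ref = ref.copy()
        domain_id = ref.pop("domain_id", DEFAULT_DOMAIN_ID)
        if (domain_id != DEFAULT_DOMAIN_ID and
                domain_id not in self.domain_configs):
            raise DomainNotFound(domain_id)
        return ref

    def create_user(self, user_id, user_ref):
        domain_id = user_ref["domain_id"]
        driver = self._select_identity_driver(domain_id)
        user = user_ref.copy()
        if not driver.is_domain_aware():
            user = self._clear_domain_id(user)
        ref = driver.create_user(user_id, user)
        if not driver.is_domain_aware():
            ref["domain_id"] = domain_id  # assumed effect of _set_domain_id
        return ref

def outcome(manager, domain_id):
    """Return 'created' or 'DomainNotFound' for a user placed in domain_id."""
    try:
        manager.create_user("u1", {"name": "demo", "domain_id": domain_id})
        return "created"
    except DomainNotFound:
        return "DomainNotFound"
```

With an empty domain_configs, only the default domain passes the check; any other domain_id raises before the driver is ever called.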