yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1417774] [NEW] LDAP groups role assignment not reported

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Mariusz Kruk <kruk@xxxxxxxxxxxxxx>
Date: Tue, 03 Feb 2015 21:31:24 -0000
Reply-to: Bug 1417774 <1417774@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The bug seems similar in appearance to #1285065, but the cause seems different than the one described there.
What I'm having configured:

group_objectclass=groupOfNames
group_id_attribute=cn
group_name_attribute=ou
group_member_attribute=member
group_desc_attribute=description

What I'm expecting (after adding appropriate entries to the directory, of course):
# keystone user-role-list --tenant-id testProject --user-id myuser
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-------+--------------+-------------+
|                id                |  name |   user_id    |  tenant_id  |
+----------------------------------+-------+--------------+-------------+
| 780bd000a6d84f329c3ba361f0dfa4a4 | admin | myuser | testProject |
+----------------------------------+-------+--------------+-------------+

What I'm getting:
# keystone user-role-list --tenant-id testProject --user-id myuser
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
[nothing here]

Adding LOG.debug() in various parts of the source code led me to the
conclusion that someone had made some strange assumption about group
object DN and while comparing it in assignment/backends/ldap.py thrown
in some strange "case unification" in form of a upper() call without
caring to think how the other side of the check looks.

The function get_group_project_roles() makes role_list based on
comparison between group_dns  list and groups which are used in role
assignment. I assume that someone made this comparison based on his LDAP
directory structure in which some entries/attributes were named all-
uppercase, but in real life DN's can be any case
(cn=user,ou=users,dc=example and cn=UsEr,ou=Users,dc=example are the
same object).

So the right solution here, I believe will be to make sure that the list in which we will later be looking for upper-cased group DN is itself upper-cased.
In other words in get_group_project_roles() method we should change 
        group_dns = [self.group._id_to_dn(group_id) for group_id in groups]
to
        group_dns = [self.group._id_to_dn(group_id).upper() for group_id in groups]

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1417774

Title:
  LDAP groups role assignment not reported

Status in OpenStack Identity (Keystone):
  New

Bug description:
  The bug seems similar in appearance to #1285065, but the cause seems different than the one described there.
  What I'm having configured:

  group_objectclass=groupOfNames
  group_id_attribute=cn
  group_name_attribute=ou
  group_member_attribute=member
  group_desc_attribute=description

  What I'm expecting (after adding appropriate entries to the directory, of course):
  # keystone user-role-list --tenant-id testProject --user-id myuser
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------------------------------+-------+--------------+-------------+
  |                id                |  name |   user_id    |  tenant_id  |
  +----------------------------------+-------+--------------+-------------+
  | 780bd000a6d84f329c3ba361f0dfa4a4 | admin | myuser | testProject |
  +----------------------------------+-------+--------------+-------------+

  What I'm getting:
  # keystone user-role-list --tenant-id testProject --user-id myuser
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  [nothing here]

  Adding LOG.debug() in various parts of the source code led me to the
  conclusion that someone had made some strange assumption about group
  object DN and while comparing it in assignment/backends/ldap.py thrown
  in some strange "case unification" in form of a upper() call without
  caring to think how the other side of the check looks.

  The function get_group_project_roles() makes role_list based on
  comparison between group_dns  list and groups which are used in role
  assignment. I assume that someone made this comparison based on his
  LDAP directory structure in which some entries/attributes were named
  all-uppercase, but in real life DN's can be any case
  (cn=user,ou=users,dc=example and cn=UsEr,ou=Users,dc=example are the
  same object).

  So the right solution here, I believe will be to make sure that the list in which we will later be looking for upper-cased group DN is itself upper-cased.
  In other words in get_group_project_roles() method we should change 
          group_dns = [self.group._id_to_dn(group_id) for group_id in groups]
  to
          group_dns = [self.group._id_to_dn(group_id).upper() for group_id in groups]

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1417774/+subscriptions

Follow ups

[Bug 1417774] Re: LDAP groups role assignment not reported
From: Launchpad Bug Tracker, 2015-04-12
[Bug 1417774] [NEW] LDAP groups role assignment not reported
From: Mariusz Kruk, 2015-02-03

References

[Bug 1417774] [NEW] LDAP groups role assignment not reported
From: Mariusz Kruk, 2015-02-03