yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #32499
[Bug 1450344] [NEW] Invalid SQL Identity Assertion - Load Config from Database
Public bug reported:
I have a default domain pointing to LDAP and ServiceDomain pointing to
SQL identity backend. This kind of configuration is supported with
enabling domain specific drivers. While upgrading to Kilo to leverage
domain config from database capability, the same configuration is not
supported.
$ openstack user list --domain 5681226a68de4f7ea8a2bd247d0fc54e
ERROR: openstack Invalid domain specific configuration: Domain specific sql drivers are not supported via the Identity API. One is specified in /domains/5681226a68de4f7ea8a2bd247d0fc54e/config (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-7bc89750-60de-45f2-8c80-05777a8469da)
Notice the same domain ID in request and error message.
In identity/core.py:
def _load_config_from_database(self, domain_id, specific_config):
def _assert_not_sql_driver(domain_id, new_config):
"""Ensure this is not an sql driver.
Due to multi-threading safety concerns, we do not currently support
the setting of a specific identity driver to sql via the Identity
API.
"""
if new_config['driver'].is_sql:
reason = _('Domain specific sql drivers are not supported via '
'the Identity API. One is specified in '
'/domains/%s/config') % domain_id
raise exception.InvalidDomainConfig(reason=reason)
_assert_not_sql_driver causes such restriction, any domain with sql
identity backend is prohibited which should be restricted to at least
one.
** Affects: keystone
Importance: Undecided
Status: New
** Description changed:
I have a default domain pointing to LDAP and ServiceDomain pointing to
SQL identity backend. This kind of configuration is supported with
enabling domain specific drivers. While upgrading to Kilo to leverage
domain config from database capability, the same configuration is not
supported.
$ openstack user list --domain 5681226a68de4f7ea8a2bd247d0fc54e
ERROR: openstack Invalid domain specific configuration: Domain specific sql drivers are not supported via the Identity API. One is specified in /domains/5681226a68de4f7ea8a2bd247d0fc54e/config (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-7bc89750-60de-45f2-8c80-05777a8469da)
Notice the same domain ID in request and error message.
In identity/core.py:
def _load_config_from_database(self, domain_id, specific_config):
- def _assert_not_sql_driver(domain_id, new_config):
- """Ensure this is not an sql driver.
+ def _assert_not_sql_driver(domain_id, new_config):
+ """Ensure this is not an sql driver.
- Due to multi-threading safety concerns, we do not currently support
- the setting of a specific identity driver to sql via the Identity
- API.
+ Due to multi-threading safety concerns, we do not currently support
+ the setting of a specific identity driver to sql via the Identity
+ API.
- """
- if new_config['driver'].is_sql:
- reason = _('Domain specific sql drivers are not supported via '
- 'the Identity API. One is specified in '
- '/domains/%s/config') % domain_id
- raise exception.InvalidDomainConfig(reason=reason)
+ """
+ if new_config['driver'].is_sql:
+ reason = _('Domain specific sql drivers are not supported via '
+ 'the Identity API. One is specified in '
+ '/domains/%s/config') % domain_id
+ raise exception.InvalidDomainConfig(reason=reason)
_assert_not_sql_driver causes such restriction, any domain with sql
- identity backend is prohibited which restricted to at least one.
+ identity backend is prohibited which should be restricted to at least
+ one.
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1450344
Title:
Invalid SQL Identity Assertion - Load Config from Database
Status in OpenStack Identity (Keystone):
New
Bug description:
I have a default domain pointing to LDAP and ServiceDomain pointing to
SQL identity backend. This kind of configuration is supported with
enabling domain specific drivers. While upgrading to Kilo to leverage
domain config from database capability, the same configuration is not
supported.
$ openstack user list --domain 5681226a68de4f7ea8a2bd247d0fc54e
ERROR: openstack Invalid domain specific configuration: Domain specific sql drivers are not supported via the Identity API. One is specified in /domains/5681226a68de4f7ea8a2bd247d0fc54e/config (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-7bc89750-60de-45f2-8c80-05777a8469da)
Notice the same domain ID in request and error message.
In identity/core.py:
def _load_config_from_database(self, domain_id, specific_config):
def _assert_not_sql_driver(domain_id, new_config):
"""Ensure this is not an sql driver.
Due to multi-threading safety concerns, we do not currently support
the setting of a specific identity driver to sql via the Identity
API.
"""
if new_config['driver'].is_sql:
reason = _('Domain specific sql drivers are not supported via '
'the Identity API. One is specified in '
'/domains/%s/config') % domain_id
raise exception.InvalidDomainConfig(reason=reason)
_assert_not_sql_driver causes such restriction, any domain with sql
identity backend is prohibited which should be restricted to at least
one.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1450344/+subscriptions
Follow ups
References
