← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1454309] [NEW] Keystone v3 user/tenant lookup by name via OpenStack CLI client fails

 

Public bug reported:

When using the openstack CLI client to look up users/tenants by name
(e.g., openstack user show admin or openstack openstack project show
AdminTenant), it fails with a 500 and the following traceback:

2015-05-12 09:27:22.483530 2015-05-12 09:27:22.483 31012 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=People,dc=local,dc=lan scope=2 filterstr=(&(&None(sn=admin))(objectClass=inetOrgPerson)) attrs=['cn', 'userPassword', 'enabled', 'sn', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:931
2015-05-12 09:27:22.483677 2015-05-12 09:27:22.483 31012 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:904
2015-05-12 09:27:22.485831 2015-05-12 09:27:22.483 31012 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
2015-05-12 09:27:22.485874 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-05-12 09:27:22.485881 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
2015-05-12 09:27:22.485885 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     result = method(context, **params)
2015-05-12 09:27:22.485897 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 202, in wrapper
2015-05-12 09:27:22.485901 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, context, filters, **kwargs)
2015-05-12 09:27:22.485904 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 223, in list_users
2015-05-12 09:27:22.485908 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     hints=hints)
2015-05-12 09:27:22.485911 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
2015-05-12 09:27:22.485915 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-05-12 09:27:22.485919 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
2015-05-12 09:27:22.485922 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-05-12 09:27:22.485926 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
2015-05-12 09:27:22.485930 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2015-05-12 09:27:22.485933 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 791, in list_users
2015-05-12 09:27:22.485937 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     ref_list = driver.list_users(hints)
2015-05-12 09:27:22.485941 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 82, in list_users
2015-05-12 09:27:22.485944 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return self.user.get_all_filtered(hints)
2015-05-12 09:27:22.485948 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 269, in get_all_filtered
2015-05-12 09:27:22.485951 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return [self.filter_attributes(user) for user in self.get_all(query)]
2015-05-12 09:27:22.485964 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1863, in get_all
2015-05-12 09:27:22.485968 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     for x in self._ldap_get_all(ldap_filter)
2015-05-12 09:27:22.485972 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1467, in _ldap_get_all
2015-05-12 09:27:22.485975 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     attrs)
2015-05-12 09:27:22.485979 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 944, in search_s
2015-05-12 09:27:22.485983 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     attrlist_utf8, attrsonly)
2015-05-12 09:27:22.485986 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 541, in search_s
2015-05-12 09:27:22.485995 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     attrlist, attrsonly)
2015-05-12 09:27:22.485999 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 552, in search_s
2015-05-12 09:27:22.486002 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
2015-05-12 09:27:22.486009 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 545, in search_ext_s
2015-05-12 09:27:22.486013 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
2015-05-12 09:27:22.486017 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 541, in search_ext
2015-05-12 09:27:22.486036 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     timeout,sizelimit,
2015-05-12 09:27:22.486040 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
2015-05-12 09:27:22.486044 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
2015-05-12 09:27:22.486047 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
2015-05-12 09:27:22.486050 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi 

The LDAP filter string is being composed in a way that causes None to be
substituted in at one point:
(&(&None(sn=admin))(objectClass=inetOrgPerson))

I traced it through the code and found that the problem method is
keystone.common.ldap.core.BaseLdap.filter_query (line 1674 of
keystone/common/ldap/core.py on the stable/kilo branch). The method
argument query is None by default, which ends up being substituted into
the query string later on. Changing the default value of query to an
empty string causes things to function as expected.

(I am waiting on internal permission to contribute code, so I haven't
created a PR for this at this time.)

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1454309

Title:
  Keystone v3 user/tenant lookup by name via OpenStack CLI client fails

Status in OpenStack Identity (Keystone):
  New

Bug description:
  When using the openstack CLI client to look up users/tenants by name
  (e.g., openstack user show admin or openstack openstack project show
  AdminTenant), it fails with a 500 and the following traceback:

  2015-05-12 09:27:22.483530 2015-05-12 09:27:22.483 31012 DEBUG keystone.common.ldap.core [-] LDAP search: base=ou=People,dc=local,dc=lan scope=2 filterstr=(&(&None(sn=admin))(objectClass=inetOrgPerson)) attrs=['cn', 'userPassword', 'enabled', 'sn', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:931
  2015-05-12 09:27:22.483677 2015-05-12 09:27:22.483 31012 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:904
  2015-05-12 09:27:22.485831 2015-05-12 09:27:22.483 31012 ERROR keystone.common.wsgi [-] {'desc': 'Bad search filter'}
  2015-05-12 09:27:22.485874 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi Traceback (most recent call last):
  2015-05-12 09:27:22.485881 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
  2015-05-12 09:27:22.485885 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     result = method(context, **params)
  2015-05-12 09:27:22.485897 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/controller.py", line 202, in wrapper
  2015-05-12 09:27:22.485901 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, context, filters, **kwargs)
  2015-05-12 09:27:22.485904 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 223, in list_users
  2015-05-12 09:27:22.485908 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     hints=hints)
  2015-05-12 09:27:22.485911 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 52, in wrapper
  2015-05-12 09:27:22.485915 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
  2015-05-12 09:27:22.485919 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
  2015-05-12 09:27:22.485922 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
  2015-05-12 09:27:22.485926 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
  2015-05-12 09:27:22.485930 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
  2015-05-12 09:27:22.485933 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 791, in list_users
  2015-05-12 09:27:22.485937 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     ref_list = driver.list_users(hints)
  2015-05-12 09:27:22.485941 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 82, in list_users
  2015-05-12 09:27:22.485944 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return self.user.get_all_filtered(hints)
  2015-05-12 09:27:22.485948 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 269, in get_all_filtered
  2015-05-12 09:27:22.485951 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return [self.filter_attributes(user) for user in self.get_all(query)]
  2015-05-12 09:27:22.485964 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1863, in get_all
  2015-05-12 09:27:22.485968 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     for x in self._ldap_get_all(ldap_filter)
  2015-05-12 09:27:22.485972 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1467, in _ldap_get_all
  2015-05-12 09:27:22.485975 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     attrs)
  2015-05-12 09:27:22.485979 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 944, in search_s
  2015-05-12 09:27:22.485983 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     attrlist_utf8, attrsonly)
  2015-05-12 09:27:22.485986 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 541, in search_s
  2015-05-12 09:27:22.485995 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     attrlist, attrsonly)
  2015-05-12 09:27:22.485999 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 552, in search_s
  2015-05-12 09:27:22.486002 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  2015-05-12 09:27:22.486009 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 545, in search_ext_s
  2015-05-12 09:27:22.486013 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  2015-05-12 09:27:22.486017 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 541, in search_ext
  2015-05-12 09:27:22.486036 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     timeout,sizelimit,
  2015-05-12 09:27:22.486040 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
  2015-05-12 09:27:22.486044 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi     result = func(*args,**kwargs)
  2015-05-12 09:27:22.486047 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi FILTER_ERROR: {'desc': 'Bad search filter'}
  2015-05-12 09:27:22.486050 2015-05-12 09:27:22.483 31012 TRACE keystone.common.wsgi 

  The LDAP filter string is being composed in a way that causes None to
  be substituted in at one point:
  (&(&None(sn=admin))(objectClass=inetOrgPerson))

  I traced it through the code and found that the problem method is
  keystone.common.ldap.core.BaseLdap.filter_query (line 1674 of
  keystone/common/ldap/core.py on the stable/kilo branch). The method
  argument query is None by default, which ends up being substituted
  into the query string later on. Changing the default value of query to
  an empty string causes things to function as expected.

  (I am waiting on internal permission to contribute code, so I haven't
  created a PR for this at this time.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1454309/+subscriptions


Follow ups

References