yahoo-eng-team team mailing list archive

[Bug 1684994] [NEW] POST v3/auth/tokens API is returning unexpected 500 error when ldap credentials are incorrect

 

Public bug reported:

When keystone is configured with an LDAP server as the identity backend, if incorrect credentials are configured under the [ldap] section [1] of the domains conf file, then a POST request on the /v3/auth/tokens API with users in LDAP returns an unexpected 500 error [0] with the stack trace [2] shown below.
Instead of an unexpected error, the user should be given a proper message about the invalid credentials configured.

[0]
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}

[1]
[ldap]
url = ldap://9.9.9.9
user = cn=root
password = <<incorrect password>>

[2] Stacktrace:
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi [req-7b62d1db-64bd-4961-819e-0815bc355636 02b49a455f5c9d9561881683c0f09919c5ab38a6eeed6de5c4ae3523df2dc706 36b96caa022742a1b74692b29bd044a7 - 3ae481350a504cbdaf35e18b8753d002 3ae481350a504cbdaf35e18b8753d002] {'desc': 'Invalid credentials'}
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi Traceback (most recent call last):
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 228, in __call__
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     result = method(req, **params)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/controller.py", line 235, in wrapper
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return f(self, request, filters, **kwargs)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/controllers.py", line 230, in list_users
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     refs = self.identity_api.list_users(domain_scope=domain, hints=hints)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/manager.py", line 123, in wrapped
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     __ret_val = __f(*args, **kwargs)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 413, in wrapper
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return f(self, *args, **kwargs)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 423, in wrapper
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return f(self, *args, **kwargs)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 1027, in list_users
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     ref_list = self._handle_federated_attributes_in_hints(driver, hints)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/core.py", line 1010, in _handle_federated_attributes_in_hints
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return driver.list_users(hints)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/core.py", line 88, in list_users
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return self.user.get_all_filtered(hints)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/core.py", line 353, in get_all_filtered
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     for user in self.get_all(query, hints)]
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/core.py", line 345, in get_all
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     hints=hints)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 1872, in get_all
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return super(EnabledEmuMixIn, self).get_all(ldap_filter, hints)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 1518, in get_all
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     for x in self._ldap_get_all(hints, ldap_filter)]
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/driver_hints.py", line 42, in wrapper
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return f(self, hints, *args, **kwargs)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 1474, in _ldap_get_all
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     with self.get_connection() as conn:
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 1280, in get_connection
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     conn.simple_bind_s(user, password)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 915, in simple_bind_s
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     clientctrls=clientctrls)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py", line 762, in simple_bind_s
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     with self._get_pool_connection() as conn:
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     return self.gen.next()
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 291, in connection
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     conn = self._get_connection(bind, passwd)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 244, in _get_connection
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     conn = self._create_connector(bind, passwd)
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/ldappool/__init__.py", line 221, in _create_connector
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi     raise exc
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi
2017-04-20 09:09:13.177 12300 DEBUG keystone.middleware.auth [req-ab1bbb86-490f-44e9-9c34-57c24b6af1fb - - - - -] Authenticating user token process_request /usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py:401

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1684994

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1684994/+subscriptions
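
Added example, not part of the original bug report or of keystone's code: a log triage helper that groups keystone ERROR tracebacks by request id and flags those where INVALID_CREDENTIALS is raised while an LDAP lookup opens its connection, which is the pattern in the trace above. The sample log lines, the placeholder request ids and the `_ldap_get*` caller heuristic are assumptions made for this example.

```python
import re

# oslo.log layout used in the report: "<date> <time> <pid> <LEVEL> <logger> <message>"
LINE = re.compile(r"^\S+ \S+ \d+ (\w+) \S+ ?(.*)$")
REQ = re.compile(r"^\[(req-[\w-]+)")
FRAME = re.compile(r'^\s+File "([^"]+)", line \d+, in (\S+)')
EXC = re.compile(r"^([A-Za-z_][\w.]*): ")
LDAP_COMMON = "keystone/identity/backends/ldap/common.py"
P = "2017-04-20 09:09:08.304 12300 ERROR keystone.common.wsgi"
# Constructed sample: trace 1 is abridged from the shape of the reported one; trace 2 is unrelated.
SAMPLE = "\n".join([
    P + " [req-EXAMPLE-1 - - - - -] {'desc': 'Invalid credentials'}",
    P + " Traceback (most recent call last):",
    P + '   File "/usr/lib/python2.7/site-packages/' + LDAP_COMMON + '", line 1474, in _ldap_get_all',
    P + "     with self.get_connection() as conn:",
    P + '   File "/usr/lib/python2.7/site-packages/' + LDAP_COMMON + '", line 1280, in get_connection',
    P + " INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}",
    P + " [req-EXAMPLE-2 - - - - -] boom",
    P + '   File "/opt/example/app.py", line 7, in handler',
    P + " ValueError: boom",
])

def parse_errors(log_text):
    """Group ERROR lines into one record per logged exception, keyed by request id."""
    records, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != "ERROR":
            continue
        msg = m.group(2)
        if REQ.match(msg):  # the "[req-...]" line opens a new logged exception
            cur = {"request_id": REQ.match(msg).group(1), "frames": [], "exception": None}
            records.append(cur)
        elif cur and FRAME.match(msg):
            cur["frames"].append(FRAME.match(msg).groups())  # (path, function)
        elif cur and EXC.match(msg):  # unindented "Name: detail" is the exception line
            cur["exception"] = EXC.match(msg).group(1)
    return records

def is_service_bind_failure(rec):
    """Heuristic (assumption): INVALID_CREDENTIALS raised when an _ldap_get* lookup
    opens its connection means the configured [ldap] user/password was rejected."""
    funcs = [func for path, func in rec["frames"] if path.endswith(LDAP_COMMON)]
    via_lookup = any(a.startswith("_ldap_get") and b == "get_connection"
                     for a, b in zip(funcs, funcs[1:]))
    return rec["exception"] == "INVALID_CREDENTIALS" and via_lookup

def triage(log_text):
    return [r["request_id"] for r in parse_errors(log_text) if is_service_bind_failure(r)]
```

Running `triage()` over a keystone log yields the request ids whose 500 response traces back to the backend bind rather than to some other server error.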

