yahoo-eng-team team mailing list archive
Message #66646
[Bug 1643301] Re: bootstrapping keystone failed when LDAP backend is in use
This was discussed with Colleen and Kristi in IRC [0]. The following was proposed:
- write a patch so that devstack always configures sql as the identity backend
- when ldap is set as KEYSTONE_IDENTITY_BACKEND, ensure it's done in a domain-specific way
- write a patch so keystone fails gracefully with an informative warning saying `bootstrap` is only intended for sql-based deployments
Thoughts on the approach?
[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-08-11.log.html#t2017-08-11T20:45:37
** Also affects: devstack
Importance: Undecided
Status: New
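The third bullet above asks keystone to refuse `bootstrap` outright when the identity backend is not sql, and the second asks devstack to put LDAP behind a domain-specific config so the default domain (where bootstrap writes its admin user) stays on sql. The traceback in the bug description shows what happens otherwise: the bootstrap code path tries to write an `enabled` attribute that the LDAP schema does not define, and the server answers UNDEFINED_TYPE. The following is an added example of the pre-flight check those two proposals imply, written for this page; it is not keystone's or devstack's own code. The option names (`[identity] driver`, `domain_specific_drivers_enabled`, `domain_config_dir`) and the `keystone.<domain>.conf` file layout are keystone's; the functions `bootstrap_precheck`, `domain_specific_drivers`, `write_sample_deployment` and `run_demo`, and the sample configs they build, are constructed here for illustration.

```python
"""Pre-flight check for `keystone-manage bootstrap` against the identity backend.

Added example, not keystone's or devstack's code. It refuses to bootstrap when
the default identity driver is anything but sql, and reports LDAP backends that
are configured per-domain (which bootstrap leaves untouched). All configs written
below are constructed sample data.
"""
import configparser
import os
import tempfile


def _read_driver(path, default="sql"):
    """Return the [identity] driver from an oslo.config-style INI file (default: sql)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    return cfg.get("identity", "driver", fallback=default).strip().lower()


def domain_specific_drivers(conf_path):
    """Map domain name -> identity driver for each keystone.<domain>.conf file.

    Domain-specific config files live in [identity] domain_config_dir and are
    named keystone.<domain_name>.conf; nothing is returned when the feature is
    disabled, which is keystone's default.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(conf_path)
    if not cfg.getboolean("identity", "domain_specific_drivers_enabled", fallback=False):
        return {}
    domain_dir = cfg.get("identity", "domain_config_dir", fallback="/etc/keystone/domains")
    drivers = {}
    if not os.path.isdir(domain_dir):
        return drivers
    for name in sorted(os.listdir(domain_dir)):
        if name.startswith("keystone.") and name.endswith(".conf"):
            domain = name[len("keystone."):-len(".conf")]
            drivers[domain] = _read_driver(os.path.join(domain_dir, name))
    return drivers


def bootstrap_precheck(conf_path):
    """Return (ok, message); ok=False means bootstrap must abort with the message."""
    default_driver = _read_driver(conf_path)
    if default_driver != "sql":
        return (False,
                "bootstrap is only intended for sql-based deployments; "
                "[identity] driver is %r. Keep the default domain on sql and "
                "configure LDAP as a domain-specific backend instead." % default_driver)
    ldap_domains = [d for d, drv in domain_specific_drivers(conf_path).items() if drv == "ldap"]
    msg = "default identity driver is sql; bootstrap will create the admin user in the default domain"
    if ldap_domains:
        msg += "; domain-specific LDAP backends left untouched: " + ", ".join(ldap_domains)
    return (True, msg)


def write_sample_deployment(root, default_driver, ldap_domains=()):
    """Write a constructed keystone.conf (plus optional domain configs) under root."""
    domain_dir = os.path.join(root, "domains")
    os.makedirs(domain_dir, exist_ok=True)
    conf_path = os.path.join(root, "keystone.conf")
    with open(conf_path, "w") as fh:
        fh.write("[identity]\n")
        fh.write("driver = %s\n" % default_driver)
        fh.write("domain_specific_drivers_enabled = %s\n" % ("True" if ldap_domains else "False"))
        fh.write("domain_config_dir = %s\n" % domain_dir)
    for domain in ldap_domains:
        # Constructed domain-specific config: only the driver matters for this check.
        with open(os.path.join(domain_dir, "keystone.%s.conf" % domain), "w") as fh:
            fh.write("[identity]\ndriver = ldap\n[ldap]\nurl = ldap://localhost\n")
    return conf_path


def run_demo():
    """Build the failing layout from the bug and the proposed layout; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        # Layout that produces the UNDEFINED_TYPE trace: LDAP as the global backend.
        bad = write_sample_deployment(os.path.join(tmp, "bad"), "ldap")
        # Proposed devstack layout: sql by default, LDAP for a single domain.
        good = write_sample_deployment(os.path.join(tmp, "good"), "sql", ldap_domains=("Users",))
        return {
            "global_ldap": bootstrap_precheck(bad),
            "domain_ldap": bootstrap_precheck(good),
            "domain_drivers": domain_specific_drivers(good),
        }


if __name__ == "__main__":
    for layout, result in run_demo().items():
        print(layout, "->", result)
```

The check deliberately keys off the configured driver rather than attempting an LDAP write and catching the error, so a misconfigured deployment is rejected before any directory connection is made, and the refusal message names the fix the thread proposes.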
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1643301
Title:
bootstrapping keystone failed when LDAP backend is in use
Status in devstack:
In Progress
Status in OpenStack Identity (keystone):
Triaged
Bug description:
The "keystone-manage bootstrap" command is coded for the SQL backend. It
should be okay if the admin token is always supported by keystone, but we
have a plan to remove support for the admin token since it exposes a
security risk, and the patch to remove support for write operations on
the LDAP backend is in flight.
Based on the above considerations, we should enable bootstrapping
keystone when using the LDAP backend, but it currently does not work
sometimes, for example:
# keystone-manage bootstrap --bootstrap-username Dave --bootstrap-password abc123 --bootstrap-project-name admin --bootstrap-role-name admin
2016-10-27 16:26:29.845 11359 TRACE keystone return self.result(msgid,all=1,timeout=self.timeout)
2016-10-27 16:26:29.845 11359 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 497, in result
2016-10-27 16:26:29.845 11359 TRACE keystone resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
2016-10-27 16:26:29.845 11359 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 501, in result2
2016-10-27 16:26:29.845 11359 TRACE keystone resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
2016-10-27 16:26:29.845 11359 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 508, in result3
2016-10-27 16:26:29.845 11359 TRACE keystone resp_ctrl_classes=resp_ctrl_classes
2016-10-27 16:26:29.845 11359 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 515, in result4
2016-10-27 16:26:29.845 11359 TRACE keystone ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
2016-10-27 16:26:29.845 11359 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
2016-10-27 16:26:29.845 11359 TRACE keystone result = func(*args,**kwargs)
2016-10-27 16:26:29.845 11359 TRACE keystone UNDEFINED_TYPE: {'info': 'enabled: attribute type undefined', 'desc': 'Undefined attribute type'}
To manage notifications about this bug go to:
https://bugs.launchpad.net/devstack/+bug/1643301/+subscriptions