yahoo-eng-team team mailing list archive

[Bug 1952458] Re: create_id_mapping method caches bytes with LDAP backend


Reviewed:  https://review.opendev.org/c/openstack/keystone/+/819477
Committed: https://opendev.org/openstack/keystone/commit/1e0cd90191663c100c165d4c6a2b1ca796b5af25
Submitter: "Zuul (22348)"
Branch:    master

commit 1e0cd90191663c100c165d4c6a2b1ca796b5af25
Author: Grzegorz Grasza <xek@xxxxxxxxxx>
Date:   Fri Nov 26 15:28:27 2021 +0100

    Fix issue with LDAP backend returning bytes instead of string
    
    When connecting to some LDAP server software, the ldap client returns
    bytes instances instead of the expected strings. This can result in
    either being transparently converted to strings, when the data is
    inserted via sqlalchemy into the database, or could be used as
    input to other functions, and/or cached, which causes unexpected
    results.
    
    Closes-Bug: #1952458
    Resolves: rhbz#1964872
    Change-Id: I77148641715efe09e3adc2e9432e66e50fb444b4


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1952458

Title:
  create_id_mapping method caches bytes with LDAP backend

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When connecting to some LDAP servers, the LDAP library returns bytes
  data instead of strings, resulting in unexpected errors, e.g.:

  a call to

  /v3/projects/x/groups/y/roles/z

  results in keystone.exception.GroupNotFound: Could not find group:
  b'Q'.

  After adding more debug logs it was determined that get_id_mapping
  returns the LDAP group name as binary type. get_id_mapping is memoized
  (@MEMOIZE_ID_MAPPING), and the cache is filled not only during the
  "memoization" but also inside the create_id_mapping method:

      def create_id_mapping(self, local_entity, public_id=None):
          # The SQL driver stores the entity and returns its public id;
          # any bytes values are converted on insert.
          public_id = self.driver.create_id_mapping(local_entity, public_id)
          if MEMOIZE_ID_MAPPING.should_cache(public_id):
              self._get_public_id.set(public_id, self,
                                      local_entity['domain_id'],
                                      local_entity['local_id'],
                                      local_entity['entity_type'])
              # Caches the caller-supplied local_entity (which may still
              # contain bytes), not the row as the SQL backend returns it.
              self.get_id_mapping.set(local_entity, self, public_id)
          return public_id

  What is cached is the input dictionary, which is passed into the function, instead of what the SQL backend returns.
  The SQL backend transparently converts bytes when inserting data into the database, and always returns strings when the data is read.
  The intersection of the above causes the unexpected behavior with transient errors.

  The local_id is returned as bytes from the LDAP backend, but it's
  difficult to trace exactly where, without access to the environment
  with this specific LDAP software.
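The cache mismatch described above, as an added illustration that is not keystone's code and not the change that landed in the linked commit: a fake SQL driver that converts bytes on insert and always returns str, a simplified manager that caches the caller-supplied dict the way the quoted create_id_mapping does (with a plain dict standing in for @MEMOIZE_ID_MAPPING), and the same manager with bytes decoded before caching. FakeSqlIdMappingDriver, IdMappingManager, to_text and GROUPS are constructed for this example; decoding as UTF-8 before the value reaches the cache is one mitigation and is an assumption here, not a description of the actual fix.

```python
import uuid


def to_text(value):
    """Normalize a value that some LDAP client libraries hand back as bytes.

    Values that are already str (or of any other type) pass through unchanged.
    """
    if isinstance(value, bytes):
        return value.decode("utf-8")
    return value


class FakeSqlIdMappingDriver:
    """Stand-in for the SQL id-mapping driver (constructed for this example).

    Mirrors the behaviour the report describes: bytes are converted when the
    row is inserted, and reads always return str.
    """

    def __init__(self):
        self._rows = {}

    def create_id_mapping(self, local_entity, public_id=None):
        public_id = public_id or uuid.uuid4().hex
        self._rows[public_id] = {k: to_text(v) for k, v in local_entity.items()}
        return public_id

    def get_id_mapping(self, public_id):
        return self._rows.get(public_id)


class IdMappingManager:
    """Simplified manager with a plain dict in place of @MEMOIZE_ID_MAPPING.

    With normalize=False it caches the *input* dict exactly as the quoted
    create_id_mapping does; with normalize=True it decodes bytes first, so
    the cached entry matches what the SQL driver would return.
    """

    def __init__(self, driver, normalize=False):
        self.driver = driver
        self.normalize = normalize
        self._cache = {}

    def create_id_mapping(self, local_entity, public_id=None):
        if self.normalize:
            local_entity = {k: to_text(v) for k, v in local_entity.items()}
        public_id = self.driver.create_id_mapping(local_entity, public_id)
        # Same pattern as the quoted code: the caller-supplied dict is cached,
        # not the row the driver stored.
        self._cache[public_id] = local_entity
        return public_id

    def get_id_mapping(self, public_id):
        if public_id in self._cache:
            return self._cache[public_id]
        entity = self.driver.get_id_mapping(public_id)
        if entity is not None:
            self._cache[public_id] = entity
        return entity

    def invalidate(self):
        """Stand-in for cache expiry or a service restart."""
        self._cache.clear()


# Constructed sample: the group table, keyed by the LDAP group name as str.
GROUPS = {"Q": {"name": "Q", "description": "constructed sample group"}}


def reproduce(normalize):
    """Return (local_id from cache, local_id after eviction, cache lookup ok).

    The third element is whether the cached local_id finds the group in
    GROUPS, which is what the /v3/projects/.../groups/... call needs; a
    bytes key never matches a str key in Python 3, hence GroupNotFound.
    """
    mgr = IdMappingManager(FakeSqlIdMappingDriver(), normalize=normalize)
    # Constructed: the entity a misbehaving LDAP client produces (bytes local_id).
    ldap_entity = {"domain_id": "default", "local_id": b"Q", "entity_type": "group"}
    public_id = mgr.create_id_mapping(ldap_entity)
    from_cache = mgr.get_id_mapping(public_id)["local_id"]
    mgr.invalidate()
    from_sql = mgr.get_id_mapping(public_id)["local_id"]
    return from_cache, from_sql, from_cache in GROUPS


if __name__ == "__main__":
    print("unfixed:", reproduce(normalize=False))  # (b'Q', 'Q', False)
    print("fixed:  ", reproduce(normalize=True))   # ('Q', 'Q', True)
```

The unfixed run shows the transient nature of the error: while the entry sits in the cache the lookup fails on b'Q', and after eviction the same public id resolves through the SQL driver to 'Q' and succeeds. Normalizing at the boundary where LDAP data enters the manager removes the dependence on cache state.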

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1952458/+subscriptions
