Hi Hans,

Thanks for the heads up on this. Let me take a closer look and make sure we have this addressed (and tested for) in the upstream code base.

I think I know where this came from. I'll check to make sure we don't already have a bug on this and/or if you have an open bug in Launchpad. If this is still outstanding I'll make sure we prioritize getting this cleaned up appropriately. Having Fernet (non-persistent tokens) as a solid option for Keystone deployment is really important to us (the upstream team) since it solves a major scaling issue with Keystone.

--Morgan

Sent via mobile

> On May 27, 2015, at 05:46, Hans Feldt <[email protected]> wrote:
>
> Hi,
>
> When playing with some keystone deployment alternatives I stumbled on a
> keystone issue:
>
>> 2015-05-27 12:11:52.946 57 DEBUG keystone.common.ldap.core [-] LDAP search:
>> base=ou=Groups,dc=acme,dc=org scope=1
>> filterstr=(&(&(objectClass=groupOfNames)(member=uid=john,ou=Users,dc=acme,dc=org))(objectClass=groupOfNames))
>> attrs=['ou', 'cn', 'description'] attrsonly=0 search_s
>> /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:931
>> 2015-05-27 12:11:52.946 57 DEBUG keystone.common.ldap.core [-] LDAP unbind
>> unbind_s /usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py:904
>> 2015-05-27 12:11:52.946 57 DEBUG keystone.identity.core [-] ID Mapping -
>> Domain ID: default, Default Driver: True, Domains: False, UUIDs: False,
>> Compatible IDs: True _set_domain_id_and_mapping
>> /usr/lib/python2.7/dist-packages/keystone/identity/core.py:492
>> 2015-05-27 12:11:52.955 57 ERROR
>> keystone.token.providers.fernet.token_formatters [-] john
>> 2015-05-27 12:11:52.955 57 ERROR keystone.common.wsgi [-] badly formed
>> hexadecimal UUID string
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi Traceback (most recent
>> call last):
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in
>> __call__
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi result =
>> method(context, **params)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 397,
>> in authenticate_for_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi
>> parent_audit_id=token_audit_id)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 344, in
>> issue_v3_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi parent_audit_id)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py",
>> line 198, in issue_v3_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi
>> federated_info=federated_dict)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py",
>> line 133, in create_token
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi audit_ids)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py",
>> line 416, in assemble
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi b_user_id =
>> cls.convert_uuid_hex_to_bytes(user_id)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/token_formatters.py",
>> line 239, in convert_uuid_hex_to_bytes
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi uuid_obj =
>> uuid.UUID(uuid_string)
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi File
>> "/usr/lib/python2.7/uuid.py", line 134, in __init__
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi raise
>> ValueError('badly formed hexadecimal UUID string')
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi ValueError: badly
>> formed hexadecimal UUID string
>> 2015-05-27 12:11:52.955 57 TRACE keystone.common.wsgi
>> 2015-05-27 12:11:52.958 57 INFO eventlet.wsgi.server [-] 172.17.0.26 - -
>> [27/May/2015 12:11:52] "POST /v3/auth/tokens HTTP/1.1" 500 490 0.029590
>
> Switching to UUID tokens it works. Switching to SQL Identity backend and
> fernet tokens works.
>
> The combination of LDAP identity backend and fernet tokens gives me the above
> log for any request with name/password. Reproducible always.
>
> I have a very minimalistic "cloud" setup with only 2 or 3 docker containers.
> One with the SQL DB, one for Keystone and optionally one for LDAP.
>
> I use Ubuntu 15.04 as base image for my containers that includes Kilo. I've
> patched keystone with the following changeset to make it work (with LDAP):
>
> commit 2c6db4a3bb9e1718744b0e5b03af050fd2866182
> Author: Edmund Rhudy <[email protected]>
> Date: Thu May 21 12:42:40 2015 -0400
>
>     Make sure LDAP filter is constructed correctly
>
> Thanks,
> Hans
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
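
The traceback in the quoted report ends in uuid.UUID(uuid_string), and the value logged just before the error is "john", which is not a 32-digit hex UUID. The sketch below is an added example, not part of this thread and not Keystone's code: it reproduces the strict conversion failing and shows one tolerant way to pack an ID, using the 16-byte form only when it round-trips exactly. The names strict_uuid_bytes, pack_user_id and unpack_user_id and the sample IDs are hypothetical and constructed for illustration.

```python
import uuid


def strict_uuid_bytes(user_id):
    """Strict conversion, like the call that fails in the traceback."""
    return uuid.UUID(user_id).bytes  # ValueError for IDs such as "john"


def strict_rejects(user_id):
    """True if the strict conversion raises for this ID."""
    try:
        strict_uuid_bytes(user_id)
    except ValueError:
        return True
    return False


def pack_user_id(user_id):
    """Return (is_uuid, payload). Hypothetical helper, not Keystone's API.

    The compact 16-byte form is used only when it converts back to the
    exact same string; any other ID is kept verbatim as UTF-8 so the
    token still names the same user after unpacking.
    """
    try:
        parsed = uuid.UUID(user_id)
    except ValueError:
        parsed = None
    if parsed is not None and parsed.hex == user_id:
        return True, parsed.bytes
    return False, user_id.encode("utf-8")


def unpack_user_id(is_uuid, payload):
    """Inverse of pack_user_id."""
    if is_uuid:
        return uuid.UUID(bytes=payload).hex
    return payload.decode("utf-8")


# Constructed sample IDs: an LDAP-style uid, a SQL-style hex UUID, and a
# dashed upper-case UUID that parses but would not round-trip as bytes.
SAMPLES = ["john", "0123456789abcdef0123456789abcdef",
           "01234567-89AB-CDEF-0123-456789ABCDEF"]

if __name__ == "__main__":
    for sample in SAMPLES:
        flag, payload = pack_user_id(sample)
        print(sample, flag, len(payload), unpack_user_id(flag, payload))
```
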
