Public bug reported:

Openstack version: 2023.1
Deployment tool: kolla-ansible
OS: Ubuntu 22.04

Integrating Keystone with LDAP for centralized authentication.

# /etc/kolla/config/keystone/domains/keystone.eng.conf

# Ansible managed

[identity]
driver = ldap
domain_config_dir = /etc/keystone/domains
domain_specific_drivers_enabled = True

[assignment]
driver = sql

[ldap]
debug_level = 4095
group_allow_create = False
group_allow_delete = False
group_allow_update = False
group_id_attribute = cn
group_member_attribute = memberof
group_name_attribute = cn
group_objectclass = organizationalUnit
group_tree_dn = cn=groups,cn=compat,dc=example,dc=com
password = XXXXXXXXXXXXXXXXXX
project_allow_create = False
project_allow_delete = False
project_allow_update = False
role_allow_create = False
role_allow_delete = False
role_allow_update = False
suffix = dc=example,dc=com
tls_cacertfile = /etc/keystone/ssl/ipa-ldap.crt
tls_req_cert = allow
url = ldaps://ldap.example.com
use_dump_member = False
use_tls = False
user = uid=svc-openstack,cn=users,cn=accounts,dc=example,dc=com
user_allow_create = False
user_allow_delete = False
user_allow_update = False
user_enabled_attribute = userAccountControl
user_filter = (memberof=cn=openstack-eng,cn=groups,cn=accounts,dc=example,dc=com)
user_id_attribute = cn
user_mail_attribute = mail
user_name_attribute = uid
user_objectclass = person
user_pass_attribute = password
user_tree_dn = cn=users,cn=accounts,dc=example,dc=com


When I list all users from the LDAP domain, I can see the list of users in the output:

# openstack user list --domain eng
+------------------------------------------------------------------+----------------+
| ID                                                               | Name           |
+------------------------------------------------------------------+----------------+
| 5941b66ab2dd5c288b9c43af63eac64802e7fcc13f93a39341d0972623dea482 | user1          |
| cbadc09bf614aae6cb02ec55a7c0339d23fb23862465006117574856f5a9ea25 | user2          |
| b2c2da99373ad98a4b266fdaba5773ad8284e53b6e6d6814d739a671c57036a1 | user3          |
| 76c268f25474aad5bad0035bec482ada7ceb94f82d8d46b4973091b120d1b925 | spatel         |
| 018019fc1b632ea62a339bd6610ef3011dc95aaae01b0b7fa4f72d836c1a816f | user4          |


At the same time, I am seeing this error in the keystone.log file. I thought I
should report the errors.


2024-02-15 20:41:57.658 22 WARNING keystone.common.password_hashing [None req-01863ce5-e57b-41e9-80ec-e994166b9757 - - - - - -] Truncating password to algorithm specific maximum length 72 characters.
2024-02-15 20:42:03.209 25 WARNING keystone.common.rbac_enforcer.enforcer [None req-4f4495f7-2527-4463-84fe-1d795fcb946e f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application [None req-4f4495f7-2527-4463-84fe-1d795fcb946e f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] Could not find domain: eng.: keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application Traceback (most recent call last):
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/core.py", line 712, in get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     project = self.driver.get_project(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/backends/sql.py", line 49, in get_project
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self._get_project(session, project_id).to_dict()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/backends/sql.py", line 44, in _get_project
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     raise exception.ProjectNotFound(project_id=project_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.ProjectNotFound: Could not find project: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application During handling of the above exception, another exception occurred:
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application Traceback (most recent call last):
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     rv = self.dispatch_request()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 467, in wrapper
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/views.py", line 107, in view
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return current_app.ensure_sync(self.dispatch_request)(**kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 582, in dispatch_request
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 89, in get
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self._get_domain(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 97, in _get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     domain = PROVIDERS.resource_api.get_domain(domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/common/manager.py", line 115, in wrapped
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     __ret_val = __f(*args, **kwargs)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return caller(func, *(extras + args), **kw)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 1577, in get_or_create_for_user_func
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self.get_or_create(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 1042, in get_or_create
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     with Lock(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 185, in __enter__
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self._enter()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 94, in _enter
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     generated = self._enter_create(value, createdtime)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/lock.py", line 178, in _enter_create
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     return self.creator()
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/dogpile/cache/region.py", line 995, in gen_value
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     created_value = creator(
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/resource/core.py", line 718, in get_domain
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application     raise exception.DomainNotFound(domain_id=domain_id)
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application keystone.exception.DomainNotFound: Could not find domain: eng.
2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application
2024-02-15 20:42:08.030 23 WARNING py.warnings [None req-1d1b3838-65b0-4620-8554-eae9b43bd2d8 f55d38aca4384bfdb32806d5ca452c66 32f16f689e8445e0bf74c59c57096b3a - - default default] /var/lib/kolla/venv/lib/python3.10/site-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_domains": "role:reader and system_scope:all" failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2053297

Title:
  LDAP keystone.exception.DomainNotFound: Could not find domain:

Status in OpenStack Identity (keystone):
  New
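
A triage sketch for the traceback in this report, added here as an example (not code from the reporter or the keystone project): it groups ERROR records in the log layout shown above by request ID, then recovers the chained exceptions and the keystone API handler that received the request. The sample lines are constructed from the report's layout with a made-up request ID; `triage` and its field names are hypothetical.

```python
import re

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) ?(?:\[(?P<ctx>[^\]]*req-[^\]]*)\] ?)?(?P<msg>.*)$")
FRAME = re.compile(r'^\s*File "(?:[^"]*/site-packages/)?(?P<path>[^"]+)", '
                   r"line (?P<no>\d+), in (?P<func>\S+)")
EXC = re.compile(r"^(?P<exc>[A-Za-z_][\w.]*): (?P<detail>.+)$")

# Constructed sample in the report's log layout; the request ID is made up.
SP = "/var/lib/kolla/venv/lib/python3.10/site-packages/"
P = "2024-02-15 20:42:03.225 25 ERROR keystone.server.flask.application"
CTX = "[None req-00000000-0000-4000-8000-00000000cafe u1 p1 - - default default]"
SAMPLE_LOG = "\n".join([
    P.replace("ERROR", "WARNING") + " " + CTX + " Deprecated policy rules found.",
    f"{P} {CTX} Could not find domain: eng.: "
    "keystone.exception.DomainNotFound: Could not find domain: eng.",
    f"{P} Traceback (most recent call last):",
    f'{P}   File "{SP}keystone/resource/core.py", line 712, in get_domain',
    f"{P}     project = self.driver.get_project(domain_id)",
    f'{P}   File "{SP}keystone/resource/backends/sql.py", line 44, in _get_project',
    f"{P}     raise exception.ProjectNotFound(project_id=project_id)",
    f"{P} keystone.exception.ProjectNotFound: Could not find project: eng.",
    P,
    f"{P} During handling of the above exception, another exception occurred:",
    f"{P} Traceback (most recent call last):",
    f'{P}   File "{SP}keystone/api/domains.py", line 89, in get',
    f"{P}     return self._get_domain(domain_id)",
    f'{P}   File "{SP}keystone/resource/core.py", line 718, in get_domain',
    f"{P}     raise exception.DomainNotFound(domain_id=domain_id)",
    f"{P} keystone.exception.DomainNotFound: Could not find domain: eng.",
])


def triage(log_text):
    """Return one event per ERROR context line, with its exception chain."""
    events, open_events, last_frame = [], {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["level"] != "ERROR":
            continue
        # Traceback lines carry no request ID, so tie them to the most recent
        # context line from the same worker PID and logger.
        key = (m["pid"], m["logger"])
        if m["ctx"]:
            ev = {"request_id": re.search(r"req-[0-9a-f-]+", m["ctx"]).group(0),
                  "summary": m["msg"], "api_entry": None, "chain": []}
            events.append(ev)
            open_events[key], last_frame[key] = ev, None
            continue
        ev = open_events.get(key)
        if ev is None:
            continue  # continuation line whose context line was not captured
        frame, exc = FRAME.match(m["msg"]), EXC.match(m["msg"])
        if frame:
            last_frame[key] = f'{frame["path"]}:{frame["no"]} {frame["func"]}'
            if ev["api_entry"] is None and frame["path"].startswith("keystone/api/"):
                ev["api_entry"] = f'{frame["path"]}:{frame["func"]}'
        elif exc:
            ev["chain"].append({"exception": exc["exc"], "detail": exc["detail"],
                                "raised_in": last_frame[key]})
    return events
```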
