** Also affects: keystone/kilo
   Importance: Undecided
       Status: New

** Also affects: keystone/liberty
   Importance: Undecided
       Status: New

** Changed in: keystone/kilo
       Status: New => Triaged

** Changed in: keystone/kilo
   Importance: Undecided => High

** Changed in: keystone/liberty
   Importance: Undecided => High

** Changed in: keystone/liberty
       Status: New => In Progress

** Changed in: keystone/liberty
     Assignee: (unassigned) => Eric Brown (ericwb)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1497461

Title:
  Fernet tokens fail for some users with LDAP identity backend

Status in Keystone:
  Fix Committed
Status in Keystone kilo series:
  Triaged
Status in Keystone liberty series:
  In Progress

Bug description:
  The following bug fix addressed most situations when using the Fernet + LDAP identity backend:
          https://bugs.launchpad.net/keystone/+bug/1459382

  However, some users have trouble, resulting in a UserNotFound exception in the logs with a UUID.  Here's the error:
  2015-09-18 20:04:47.313 12979 WARNING keystone.common.wsgi [-] Could not find user: 457269632042726f776e203732363230

  So the issue is this.  The user DN query + filter will return my user as:
     CN=Eric Brown 72620,OU=PAO_Users,OU=PaloAlto_California_USA,OU=NALA,OU=SITES,OU=Engineering,DC=vmware,DC=com

  Therefore, I have to use CN as the user id attribute.  My user id
  would therefore be "Eric Brown 72620".  The fernet token_formatters.py
  attempts to convert this user id into a UUID.  And in my case that is
  successful.  It results in UUID of 457269632042726f776e203732363230.
  Of course, a user id of 457269632042726f776e203732363230 doesn't exist
  in LDAP, so as a result I get a UserNotFound.  So I don't understand
  why the convert_uuid_bytes_to_hex is ever used in the case of LDAP
  backend.

  For other users, the token_formatters.convert_uuid_bytes_to_hex()
  raises a ValueError and everything works.  Here's an example that
  illustrates the behavior

  >>> import uuid
  >>> uuid_obj = uuid.UUID(bytes='Eric Brown 72620')
  >>> uuid_obj.hex
  '457269632042726f776e203732363230'

  >>> import uuid
  >>> uuid_obj = uuid.UUID(bytes='Your Mama')
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/lib/python2.7/uuid.py", line 144, in __init__
      raise ValueError('bytes is not a 16-char string')
  ValueError: bytes is not a 16-char string

  Here's the complete traceback (after adding some additional debug):

  2015-09-18 20:04:47.312 12979 WARNING keystone.common.wsgi [-] EWB Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 449, in __call__
      response = self.process_request(request)
    File "/usr/lib/python2.7/dist-packages/keystone/middleware/core.py", line 238, in process_request
      auth_context = self._build_auth_context(request)
    File "/usr/lib/python2.7/dist-packages/keystone/middleware/core.py", line 218, in _build_auth_context
      token_data=self.token_provider_api.validate_token(token_id))
    File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 198, in validate_token
      token = self._validate_token(unique_id)
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1013, in decorate
      should_cache_fn)
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 640, in get_or_create
      async_creator) as value:
    File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
      return self._enter()
    File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
      generated = self._enter_create(createdtime)
    File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
      created = self.creator()
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 612, in gen_value
      created_value = creator()
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1009, in creator
      return fn(*arg, **kw)
    File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 261, in _validate_token
      return self.driver.validate_v3_token(token_id)
    File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 258, in validate_v3_token
      audit_info=audit_ids)
    File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 441, in get_token_data
      self._populate_user(token_data, user_id, trust)
    File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 275, in _populate_user
      user_ref = self.identity_api.get_user(user_id)
    File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
      return f(self, *args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
      return f(self, *args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1013, in decorate
      should_cache_fn)
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 640, in get_or_create
      async_creator) as value:
    File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 158, in __enter__
      return self._enter()
    File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 98, in _enter
      generated = self._enter_create(createdtime)
    File "/usr/lib/python2.7/dist-packages/dogpile/core/dogpile.py", line 149, in _enter_create
      created = self.creator()
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 612, in gen_value
      created_value = creator()
    File "/usr/lib/python2.7/dist-packages/dogpile/cache/region.py", line 1009, in creator
      return fn(*arg, **kw)
    File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 753, in get_user
      ref = driver.get_user(entity_id)
    File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 79, in get_user
      return self.user.get_filtered(user_id)
    File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap.py", line 264, in get_filtered
      user = self.get(user_id)
    File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1859, in get
      ref = super(EnabledEmuMixIn, self).get(object_id, ldap_filter)
    File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 1489, in get
      raise self._not_found(object_id)
  UserNotFound: Could not find user: 457269632042726f776e203732363230

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1497461/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
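The ambiguity described in the bug report, reproduced as an added example (written for this page; it is not Keystone's token_formatters code and does not claim to be the fix that landed for this bug). The two convert_* helper names mirror the ones the report mentions, but their bodies, the naive_*/tagged_* pack and unpack functions, is_ambiguous, and the three sample ids are all constructed here. The "tagged" variant shows one way to make the round trip unambiguous: serialise a flag saying whether the id was shrunk to raw UUID bytes, so the validation side never has to guess from the length alone.

```python
import uuid

# Constructed sample identifiers for this example (not taken from any real directory).
REAL_UUID_HEX = "457269632042726f776e203732363230"   # a genuine 32-char hex id
AMBIGUOUS_CN = "Eric Brown 72620"                     # exactly 16 bytes when UTF-8 encoded
UNICODE_CN = "\u00c9ric Brown 7262"                   # 15 characters but 16 UTF-8 bytes
SAFE_CN = "Your Mama"                                  # 9 bytes: cannot look like a UUID


def convert_uuid_hex_to_bytes(value):
    """Token-creation side: shrink a 32-char hex UUID to 16 raw bytes.

    Raises ValueError for anything that is not well-formed hex of the right
    length, so a CN such as "Eric Brown 72620" is stored as its UTF-8 bytes.
    """
    return uuid.UUID(hex=value).bytes


def convert_uuid_bytes_to_hex(value):
    """Token-validation side: expand 16 raw bytes back to the 32-char hex form.

    The only check uuid.UUID(bytes=...) performs is "exactly 16 bytes", which
    is the check a 16-byte CN passes by accident.
    """
    return uuid.UUID(bytes=value).hex


# --- Ambiguous scheme: "try to shrink, try to expand" with no marker ----------

def naive_pack(user_id):
    """Store the id as 16 UUID bytes if it parses as a UUID, else as UTF-8."""
    try:
        return convert_uuid_hex_to_bytes(user_id)
    except ValueError:
        return user_id.encode("utf-8")


def naive_unpack(packed):
    """Reverse naive_pack with no extra information: any 16-byte payload is
    assumed to be a packed UUID, which is the mistaken assumption at issue."""
    try:
        return convert_uuid_bytes_to_hex(packed)
    except ValueError:
        return packed.decode("utf-8")


def round_trip_naive(user_id):
    return naive_unpack(naive_pack(user_id))


def is_ambiguous(user_id):
    """True if the naive scheme hands back a different id than it was given."""
    return round_trip_naive(user_id) != user_id


# --- Unambiguous scheme: record whether the id was shrunk ---------------------

def tagged_pack(user_id):
    """Return (is_packed_uuid, payload); the flag is serialised with the payload."""
    try:
        return True, convert_uuid_hex_to_bytes(user_id)
    except ValueError:
        return False, user_id.encode("utf-8")


def tagged_unpack(is_packed_uuid, payload):
    """Only expand to hex when the creation side says it really packed a UUID."""
    if is_packed_uuid:
        return convert_uuid_bytes_to_hex(payload)
    return payload.decode("utf-8")


def round_trip_tagged(user_id):
    return tagged_unpack(*tagged_pack(user_id))


if __name__ == "__main__":
    for uid in (REAL_UUID_HEX, AMBIGUOUS_CN, UNICODE_CN, SAFE_CN):
        print("%-36r naive=%r tagged=%r"
              % (uid, round_trip_naive(uid), round_trip_tagged(uid)))
```

Running it shows that REAL_UUID_HEX and AMBIGUOUS_CN both pack to the same 16 bytes (b"Eric Brown 72620"), so no decoder can tell them apart afterwards without extra information; the naive path therefore turns the CN into the hex id seen in the traceback, while the tagged path returns every id unchanged. The UNICODE_CN case is included because the collision depends on the encoded byte length, not the character count, so a 15-character CN with one two-byte character is just as exposed.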