Reviewed: https://review.opendev.org/c/openstack/keystone/+/819477
Committed: https://opendev.org/openstack/keystone/commit/1e0cd90191663c100c165d4c6a2b1ca796b5af25
Submitter: "Zuul (22348)"
Branch: master

commit 1e0cd90191663c100c165d4c6a2b1ca796b5af25
Author: Grzegorz Grasza <[email protected]>
Date: Fri Nov 26 15:28:27 2021 +0100

    Fix issue with LDAP backend returning bytes instead of string

    When connecting to some LDAP server software, the ldap client returns
    bytes instances instead of the expected strings. This can result in
    either being transparently converted to strings, when the data is
    inserted via sqlalchemy into the database, or could be used as input
    to other functions, and/or cached, which causes unexpected results.

    Closes-Bug: #1952458
    Resolves: rhbz#1964872
    Change-Id: I77148641715efe09e3adc2e9432e66e50fb444b4

** Changed in: keystone
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1952458

Title:
  create_id_mapping method caches bytes with LDAP backend

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When connecting to some LDAP servers, the LDAP library returns bytes data
  instead of strings, resulting in unexpected errors, e.g. a call to
  /v3/projects/x/groups/y/roles/z results in:

    keystone.exception.GroupNotFound: Could not find group: b'Q'.

  After adding more debug logs it was determined that get_id_mapping returns
  the LDAP group name as binary type. get_id_mapping is memoized
  (@MEMOIZE_ID_MAPPING); the cache is filled not only during the
  "memoization" but also inside the create_id_mapping method:

    def create_id_mapping(self, local_entity, public_id=None):
        public_id = self.driver.create_id_mapping(local_entity, public_id)
        if MEMOIZE_ID_MAPPING.should_cache(public_id):
            self._get_public_id.set(public_id, self, local_entity['domain_id'],
                                    local_entity['local_id'],
                                    local_entity['entity_type'])
            # local_entity is the caller's input dict, not the row the
            # SQL driver stored
            self.get_id_mapping.set(local_entity, self, public_id)
        return public_id

  What is cached is the input dictionary, which is passed into the function,
  instead of what the SQL backend returns.

  The sql backend transparently converts bytes when inserting data into the
  database, and always returns strings when the data is read. The
  intersection of the above causes the unexpected behavior with transient
  errors.

  The local_id is returned as bytes from the LDAP backend, but it's
  difficult to trace exactly where, without access to the environment with
  this specific LDAP software.
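As an added illustration of the cache mismatch the report describes (this is not keystone's code): a dict-backed stand-in for the memoized id-mapping cache and for the SQL driver, which coerces bytes to str on insert and always returns str on read. The `normalize` switch decodes bytes before the input dict is cached, which is the shape of fix the commit message describes; the class and function names (`SqlIdMappingDriver`, `IdMappingManager`, `demo`) are assumptions for this example.

```python
import uuid


def _to_text(value):
    """Decode bytes the LDAP client may return; leave str unchanged."""
    return value.decode("utf-8") if isinstance(value, bytes) else value


class SqlIdMappingDriver:
    """Stand-in for the SQL backend: coerces to text on insert, returns text."""
    def __init__(self):
        self.rows = {}  # public_id -> entity dict holding str values only

    def create_id_mapping(self, local_entity, public_id=None):
        public_id = public_id or uuid.uuid4().hex
        self.rows[public_id] = {k: _to_text(v) for k, v in local_entity.items()}
        return public_id

    def get_id_mapping(self, public_id):
        return self.rows.get(public_id)


class IdMappingManager:
    """Mirrors the report: create_id_mapping caches the *input* dict."""
    def __init__(self, driver, normalize=False):
        self.driver = driver
        self.normalize = normalize  # True = decode bytes before caching (the fix)
        self.cache = {}  # stands in for the memoized get_id_mapping

    def create_id_mapping(self, local_entity, public_id=None):
        if self.normalize:
            local_entity = {k: _to_text(v) for k, v in local_entity.items()}
        public_id = self.driver.create_id_mapping(local_entity, public_id)
        self.cache[public_id] = local_entity  # input dict, not the stored row
        return public_id

    def get_id_mapping(self, public_id):
        if public_id in self.cache:
            return self.cache[public_id]
        return self.driver.get_id_mapping(public_id)


def demo(normalize):
    """Return (cached local_id, stored local_id) for an entity whose local_id is bytes."""
    # Constructed input modelled on the b'Q' group name in the report.
    ldap_entity = {"domain_id": "default", "local_id": b"Q", "entity_type": "group"}
    mgr = IdMappingManager(SqlIdMappingDriver(), normalize=normalize)
    public_id = mgr.create_id_mapping(ldap_entity)
    cached = mgr.get_id_mapping(public_id)["local_id"]
    mgr.cache.clear()  # a cache miss goes to the driver, which always returns str
    stored = mgr.get_id_mapping(public_id)["local_id"]
    return cached, stored
```

Without normalization the cached value is `b'Q'` while the database holds `'Q'`, so a lookup succeeds or fails depending on whether it hits the cache, which is the transient behaviour the report describes.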

