
keystone-hybrid-backend's Introduction

hybrid SQL and LDAP backends for OpenStack Keystone

The code in this branch has only been tested on the stable/icehouse branch of OpenStack Keystone! Check out the other git branches if you need code for different OpenStack releases.

This project provides two alternative backends for Keystone:

The Identity Backend

This allows authentication against both LDAP and SQL while the SQL backend handles all the usual operations. No users or groups are copied from LDAP. LDAP users are assigned a default role and tenant when they first log in if they don't already have one (user_project_metadata table). When granting roles to users (keystone user-role-add), only the user id from LDAP is inserted into the SQL backend.


Installation

Since this backend relies on both the LDAP and SQL backends, you have to configure both beforehand. Use the usual configuration options found in /etc/keystone/keystone.conf. However, from the LDAP backend's config only the ldap.user* options are used by the hybrid backend (the tenant and role options are ignored).

Verify that user authentication works with the plain LDAP backend before switching to the hybrid backend. Also make sure that keystone user-list works using the LDAP identity backend.

Copy the hybrid_identity.py file to the keystone/identity/backends/ folder of your installation (e.g. /usr/lib/python/site-packages/keystone/identity/backends/hybrid_identity.py).

Set the identity backend to hybrid (it will use both the LDAP and the SQL backends under the hood):

[identity]
driver = keystone.identity.backends.hybrid_identity.Identity

Restart keystone.

Now you can assign custom roles to users in LDAP. Make sure you use one of the LDAP user-ids returned by the keystone user-list query.

keystone user-role-add --user-id=12345 --role-id <role-id> --tenant-id <tenant-id>

The Assignment Backend

This allows setting a default role and project for users signing in via LDAP. The default role is hacked in at runtime and added to any existing roles for the given user/project combination. This should be useful when you have a lot of LDAP users which you want to grant a default role to in OpenStack automatically only if/when they decide to use it. Since the database isn't touched, all you have to do to disable the default role is to switch off the assignment backend in keystone.conf.

It is built on top of the SQL assignment backend.

Installation

Copy hybrid_assignment.py to the keystone/assignment/backends/ folder of your installation (e.g. /usr/lib/python/site-packages/keystone/assignment/backends/hybrid_assignment.py).

Set this in your keystone.conf file:

[assignment]
driver = keystone.assignment.backends.hybrid_assignment.Assignment

[ldap_hybrid]
default_roles = _member_
default_project = demo
default_domain = default

Here default_roles takes a comma-separated list of role names. The corresponding role, project and domain objects should already exist in the database!

Restart keystone.

keystone-hybrid-backend's People

Contributors

bmwiedemann, dlorch, iartarisi, rhafer, tomboy67, vuntz


keystone-hybrid-backend's Issues

local variable 'res' referenced before assignment

Hi,

There is another issue. This one is in hybrid_assignment.py while executing 'keystone user-role-list --user ttest':

ERROR keystone.common.wsgi [-] local variable 'res' referenced before assignment
TRACE keystone.common.wsgi Traceback (most recent call last):
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
TRACE keystone.common.wsgi result = method(context, **params)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/assignment/controllers.py", line 204, in get_user_roles
TRACE keystone.common.wsgi user_id, tenant_id)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 180, in get_roles_for_user_and_project
TRACE keystone.common.wsgi user_role_list = _get_user_project_roles(user_id, project_ref)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 161, in _get_user_project_roles
TRACE keystone.common.wsgi tenant_id=project_ref['id'])
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 78, in _wrapper
TRACE keystone.common.wsgi return f(*args, **kw)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/assignment/backends/hybrid_assignment.py", line 42, in _get_metadata
TRACE keystone.common.wsgi return res
TRACE keystone.common.wsgi UnboundLocalError: local variable 'res' referenced before assignment
TRACE keystone.common.wsgi

I've set the DEFAULT_ROLE='member' to get any LDAP account assigned to this role, as we don't have a 'Member' role here. The tenant DEFAULT_PROJECT='openstack' exists.

b/r
Hendrik

utf8 decode issue

I'm on a fork of your code, but it's essentially the same. When I upgraded my nodes from Icehouse 2014.1.1 to 2014.1.2.1 (Ubuntu) I had auth failures with the identity module for LDAP based interactions. I verified my ldap config and connectivity. I ended up tracking the cause down to a large change in keystone/common/core/ldap.py that was backported. This change causes a UnicodeDecodeError exception to bubble up to the driver.

This is the change in master:

commit cbf805161b84f13f459a19bfd46220c4f298b264
Author: John Dennis [email protected]
Date: Sat Mar 22 13:54:04 2014 -0400

Properly handle unicode & utf-8 in LDAP

The backport is this (from Ubuntu changelog)
[935fd60] Encode/Decode LDAP parameters to/from UTF-8

So far I've not made much progress into this except to see that the call to _id_to_dn is failing even though the bind looks okay to me. I don't have any great theories except that the search is returning something strange from my LDAP box (although I have no evidence of this yet). I didn't have much time to dig into it today. Has anyone else seen this with Icehouse 1.2.1?

(Note I managed to not save the error out to a file and have since re-done my node with 1.1, sorry for that)

move constants from hybrid_assignment to keystone.conf

It would be nice to have the constants from the hybrid assignment backend in keystone.conf in the [assignment] section so the user doesn't have to edit two files when installing and we don't hold configuration options in /usr/lib.

Using Unscoped Token to get a Scoped Token Fails for LDAP Users

When an LDAP user uses an unscoped keystone token and a project name to get a scoped token, keystone returns HTTP 500 and logs this exception:

[-] 'domain_id'
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 212, in __call__
result = method(context, **params)
File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 101, in authenticate
core.validate_auth_info(self, user_ref, tenant_ref)
File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 78, in validate_auth_info
user_ref['domain_id'])
KeyError: 'domain_id'

If I repeat this for an SQL user, it works as expected.

To repeat this issue:

from novaclient.v1_1 import client as nc
from keystoneclient.v2_0 import client as kc
from keystoneclient.auth.identity import v2
from keystoneclient import session as sess

username = "admin"
password = "password"
project_name = "admin"
auth_url = "http://127.0.0.1:5000/v2.0/"

# 1. Password auth without a tenant: yields an unscoped token.
auth = v2.Password(auth_url=auth_url, username=username, password=password)
session = sess.Session(auth=auth)
ks = kc.Client(session=session)
ks.users.list() # fails because unscoped

# 2. Password auth with a tenant: yields a scoped token.
auth_scoped = v2.Password(auth_url=auth_url, username=username, password=password, tenant_name=project_name)
session_scoped = sess.Session(auth=auth_scoped)
ks_full = kc.Client(session=session_scoped)
ks_full.users.list() # works

# 3. Exchange the unscoped token from step 1 for a token scoped to the tenant.
auth_from_token = v2.Token(auth_url=auth_url, token=session.get_token(), tenant_name=project_name)
session_from_token = sess.Session(auth=auth_from_token)
ksfk = kc.Client(session=session_from_token)
ksfk.users.list() # Works for SQL users, fails for LDAP users.

Repeat this code for an LDAP user and the last line will fail with:

keystoneclient.openstack.common.apiclient.exceptions.AuthorizationFailure: Authentication failure: An unexpected error prevented the server from fulfilling your request. (HTTP 500)

get_session missing

Hi,

I just tried to use this but when trying to authenticate, I get :

2014-08-11 11:07:08.097 50942 ERROR keystone.common.wsgi [-] 'Identity' object has no attribute 'get_session'
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in __call__
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     result = method(context, **params)
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 98, in authenticate
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     context, auth)
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 272, in _authenticate_local
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     password=password)
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/notifications.py", line 253, in wrapper
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     result = f(wrapped_self, context, user_id, *args, **kwargs)
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 189, in wrapper
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 281, in authenticate
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     ref = driver.authenticate(user_id, password)
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/backends/hybrid_identity.py", line 45, in authenticate
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi     session = self.get_session()
2014-08-11 11:07:08.097 50942 TRACE keystone.common.wsgi AttributeError: 'Identity' object has no attribute 'get_session'

We're using Icehouse, if that helps? Not a good programmer, but if I can help to fix that, let me know.

Thanks!
Alex

'module' object has no attribute 'Role'

kilo openstack release does not work.

on devel branch.

$ keystone user-list
2015-07-14 19:10:37.345 960 DEBUG keystone.identity.backends.hybrid_identity [-] Authenticated user with SQL. authenticate /usr/lib/python2.7/site-packages/keystone/identity/backends/hybrid_identity.py:76
2015-07-14 19:10:37.459 960 ERROR keystone.common.wsgi [-] 'module' object has no attribute 'Role'
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 239, in __call__
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     result = method(context, **params)
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 101, in authenticate
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     context, auth)
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 309, in _authenticate_local
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     user_id, tenant_id)
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 387, in _get_project_roles_and_ref
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     user_id, tenant_id)
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/core.py", line 167, in get_roles_for_user_and_project
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     user_role_list = _get_user_project_roles(user_id, project_ref)
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/core.py", line 142, in _get_user_project_roles
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     tenant_id=project_ref['id'])
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/backends/hybrid_assignment.py", line 40, in _get_metadata
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     roles.append({'id': self.default_role})
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/assignment/backends/hybrid_assignment.py", line 56, in default_role
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi     role = session.query(sql_assign.Role).filter_by(
2015-07-14 19:10:37.459 960 TRACE keystone.common.wsgi AttributeError: 'module' object has no attribute 'Role'

Identity does not work with dashboard

Is there a version of the identity hybrid that works with juno? Currently the dashboard will log in if I have driver set to ldap, but not with the hybrid. Command line works fine with keystone (but does require the os-token) to list users/tenants/roles etc. Also, there is still an issue with roles on the assignment -- the user is validated but then refused login to dashboard because they have no roles or projects assigned to them.

Keystone user-create Fails in Icehouse 2014.1.2 using Keystone API v2

Creating a new user fails using the hybrid identity driver with an internal server error. This appears in keystone.log:

2014-09-04 14:53:37.568 307640 ERROR keystone.common.wsgi - (1048, "Column 'domain_id' cannot be null") 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('df9c35a18240488296f0c611d0a6b1a0', 'hybrid-2', None, None, 1, '{"email": null}', 'e7904c3941e84b22a11d14d77dcc0f2b')
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 212, in __call__
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi result = method(context, **params)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 147, in create_user
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self.identity_api.create_user(user_id, user_ref))
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/notifications.py", line 74, in wrapper
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi result = f(*args, **kwargs)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 189, in wrapper
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 305, in create_user
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi ref = driver.create_user(user_id, user)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 392, in wrapper
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi return method(*args, **kwargs)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/sql.py", line 125, in create_user
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi session.add(user_ref)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 447, in __exit__
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self.rollback()
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 58, in __exit__
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi compat.reraise(exc_type, exc_value, exc_tb)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 444, in __exit__
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self.commit()
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 354, in commit
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self._prepare_impl()
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 334, in _prepare_impl
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self.session.flush()
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/db/sqlalchemy/session.py", line 439, in _wrap
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/db/sqlalchemy/session.py", line 705, in flush
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi return super(Session, self).flush(*args, **kwargs)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1818, in flush
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self._flush(objects)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1936, in _flush
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi transaction.rollback(_capture_exception=True)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/langhelpers.py", line 58, in __exit__
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi compat.reraise(exc_type, exc_value, exc_tb)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1900, in _flush
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi flush_context.execute()
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 372, in execute
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi rec.execute(self)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/unitofwork.py", line 525, in execute
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi uow
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 64, in save_obj
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi table, insert)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/persistence.py", line 541, in _emit_insert_statements
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi execute(statement, multiparams)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 662, in execute
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi params)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 761, in _execute_clauseelement
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi compiled_sql, distilled_params
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 874, in _execute_context
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi context)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1024, in _handle_dbapi_exception
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi exc_info
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/util/compat.py", line 196, in raise_from_cause
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi reraise(type(exception), exception, tb=exc_tb)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 867, in _execute_context
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi context)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 324, in do_execute
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi cursor.execute(statement, parameters)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi self.errorhandler(self, exc, value)
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi raise errorclass, errorvalue
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi OperationalError: (OperationalError) (1048, "Column 'domain_id' cannot be null") 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('df9c35a18240488296f0c611d0a6b1a0', 'hybrid-2', None, None, 1, '{"email": null}', 'e7904c3941e84b22a11d14d77dcc0f2b')
2014-09-04 14:53:37.568 307640 TRACE keystone.common.wsgi

The issue comes from self.domain_aware = False being set in the hybrid driver (I don't know enough yet to understand why). In keystone/identity/core.py create_user() that variable is looked up and domain_id is stripped from the create request, which is causing that conflict in MySQL.
Creating a user with the sql identity driver works as expected.

I'm using only the identity hybrid driver.
keystone: 2014.1.2
hybrid_identity: master from September 2nd.

Authentication success when password is None

Dear all,

I believe that there is a serious security issue in the method authenticate of the hybrid_identity module. When a user is not found in sql and the password is None or '', the authentication will succeed in every case, because get_connection internally does not call simple_bind when the password is not set, and thus raises no exception in this case.

Therefore, get_connection should not be called when the password is not set.
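The flaw described in this issue, together with the SQL-first-then-LDAP flow the README's Identity Backend section describes, as an added example that is not the project's own hybrid_identity.py code. The in-memory SQL table, the LDAP directory, the FakeLdapConnection class (standing in for the base LDAP driver's get_connection and simple_bind) and the function names are constructed for this example; real Keystone uses its own password hashing and python-ldap's simple_bind_s. authenticate_vulnerable reproduces the behaviour reported above; authenticate_fixed adds the guard the issue asks for.

```python
"""Hybrid SQL-then-LDAP authentication, vulnerable and hardened variants.

Added example: all stores and classes below are constructed stand-ins for
the Keystone and python-ldap pieces the hybrid backend really calls.
"""
import hashlib
import hmac


def _hash(salt, password):
    """Constructed stand-in for Keystone's password hashing (not the real scheme)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed SQL identity table: user_id -> (salt, digest).
SQL_USERS = {"admin": ("s1", _hash("s1", "adminpw"))}

# Constructed LDAP directory: uid -> password the directory would accept.
LDAP_USERS = {"jdoe": "ldappw"}


class LdapError(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


class FakeLdapConnection:
    """Stand-in for the handle returned by the LDAP driver's get_connection().

    It reproduces the behaviour the issue describes: when no password is given,
    simple_bind is never called, so construction raises nothing and the caller
    cannot distinguish an unauthenticated bind from a successful one.
    """

    def __init__(self, user, password):
        if password:
            self.simple_bind(user, password)

    def simple_bind(self, user, password):
        if LDAP_USERS.get(user) != password:
            raise LdapError("invalid credentials")


def sql_authenticate(user_id, password):
    """Return a user ref when SQL knows the user and the password matches, else None."""
    rec = SQL_USERS.get(user_id)
    if rec is None or not password:
        return None
    salt, digest = rec
    if hmac.compare_digest(_hash(salt, password), digest):
        return {"id": user_id, "source": "sql"}
    return None


def authenticate_vulnerable(user_id, password):
    """SQL first, then LDAP, with the reported flaw: get_connection() is reached
    even when password is None or '', so a user unknown to SQL 'authenticates'."""
    ref = sql_authenticate(user_id, password)
    if ref is not None:
        return ref
    if user_id not in LDAP_USERS:  # stand-in for the driver's user lookup
        raise PermissionError("user not found in SQL or LDAP")
    try:
        FakeLdapConnection(user_id, password)
    except LdapError:
        raise PermissionError("invalid LDAP credentials") from None
    return {"id": user_id, "source": "ldap"}


def authenticate_fixed(user_id, password):
    """Hardened flow: an empty password is rejected before any backend is
    consulted, so get_connection() is never called without a password."""
    if not password:
        raise PermissionError("empty password rejected before LDAP bind")
    return authenticate_vulnerable(user_id, password)


def rejects(auth_fn, user_id, password):
    """True when auth_fn refuses the credentials; lets both flows be compared."""
    try:
        auth_fn(user_id, password)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for pw in ("ldappw", "", None):
        print(repr(pw),
              "vulnerable rejects:", rejects(authenticate_vulnerable, "jdoe", pw),
              "fixed rejects:", rejects(authenticate_fixed, "jdoe", pw))
```

The guard sits at the top of authenticate rather than inside the LDAP branch so that the SQL path cannot be reached with an empty password either; an LDAP server that permits unauthenticated binds (RFC 4513 section 5.1.2) is exactly the situation in which the missing check turns into a full bypass, so the client must never treat "bind did not fail" as "password verified".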

any use for debian packaging?

My fork has some debian packaging in it which I've been using, but I know this is driven by SUSE. Is there any value in me doing a PR for the debian stuff into here?

fix assignment backend for Icehouse

The code in hybrid_assignment.py needs to be updated for the Icehouse branch. Currently it doesn't get called and the users don't get assigned the default role/tenant.

Update: hybrid_assignment.py was removed from the icehouse branch until it is fixed, but it can be found in the havana branch.

doesn't work with juno rc2

When using this with the juno rc2 I'm getting some stacktraces, I'll see what I can dig up and update it here.

2014-10-15 14:05:05.011 20936 DEBUG keystone.identity.backends.hybrid_identity [-] Called get_user_by_name Matt, default get_user_by_name /usr/lib/python2.7/dist-packages/keystone/identity/backends/hybrid_identity.py:120
2014-10-15 14:05:05.170 20936 ERROR keystone.common.wsgi [-] tuple index out of range
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 223, in __call__
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi result = method(context, **params)
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 100, in authenticate
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi context, auth)
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 298, in _authenticate_local
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi raise exception.Unauthorized(e.args[0])
2014-10-15 14:05:05.170 20936 TRACE keystone.common.wsgi IndexError: tuple index out of range

domain_id failure when authenticating as ldap user

Hi there,

I've upgraded to the latest commit of keystone-hybrid-backend in icehouse branch and I'm no longer able to authenticate as an ldap user (sql user still works). The error message in the log file indicates a key error with domain_id [1]. This appears to have been introduced by the fix for issue #12. When I commented out these two lines [2], ldap authentication resumed working.

My ldap users authenticate to the default domain, although I do have a second domain created for heat per the recommendation here: https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse#Stack_domain_users. I'm guessing having multiple domains enabled, while assuming ldap authentication does not require a domain as mentioned in the comments, is what is causing the domain_id error.

Any thoughts?

Thanks,

John

[1]:

2014-09-25 17:44:50.612 30353 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:777
2014-09-25 17:44:50.616 30353 ERROR keystone.common.wsgi [-] 'domain_id'
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 212, in __call__
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi result = method(context, **params)
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/token/controllers.py", line 101, in authenticate
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi core.validate_auth_info(self, user_ref, tenant_ref)
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/token/core.py", line 78, in validate_auth_info
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi user_ref['domain_id'])
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi KeyError: 'domain_id'
2014-09-25 17:44:50.616 30353 TRACE keystone.common.wsgi

[2]:

    def is_domain_aware(self):
        # XXX we only need domain_aware to be False when authenticating
        # as an LDAP user; after that, all operations will be done on
        # the SQL database and domain_aware needs to be True. This code
        # makes the assumption that the result of authenticate() should
        # be read as not domain_aware (for LDAP), after which
        # domain_aware should revert to True.
        domain_aware = self.domain_aware
        #if not self.domain_aware:
        #    self.domain_aware = True
        return domain_aware

Attempting to update LDAP user causes internal server error

This happens as both a user changing their own password and as an admin resetting a user's password. I haven't tested admin updating a user other than password yet, but I bet it's the same. Keystone logs this stacktrace:

2014-09-05 17:57:25.623 445821 ERROR keystone.common.wsgi [-] 'User' object has no attribute 'to_dict'
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 212, in __call__
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi result = method(context, **params)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 239, in set_user_password
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi return self.update_user(context, user_id, user)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 185, in update_user
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi self.identity_api.update_user(user_id, user))
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/notifications.py", line 74, in wrapper
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi result = f(*args, **kwargs)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 189, in wrapper
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 351, in update_user
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi ref = driver.update_user(user_id, user)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/sql/core.py", line 392, in wrapper
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi return method(*args, **kwargs)
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/sql.py", line 164, in update_user
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi old_user_dict = user_ref.to_dict()
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi AttributeError: 'User' object has no attribute 'to_dict'
2014-09-05 17:57:25.623 445821 TRACE keystone.common.wsgi
An unexpected error prevented the server from fulfilling your request. (HTTP 500)

The problem is the driver sql calls our _get_user() which returns a user already in dict format because it came from LDAP:
user_ref = self._get_user(session, user_id)
On the line after that it calls:
old_user_dict = user_ref.to_dict()
which causes the problem.
I think the correct solution is to write an update_user() function that then calls update_user() in the LDAP or SQL backend accordingly. Thoughts?

With the normal LDAP driver it returns "You are not authorized to perform the requested action, LDAP user update. (HTTP 403)"

The default project/role is unconditionally assigned to SQL users

This causes users such as 'admin' and 'nova' to be a member of the configured 'default_project'. This causes "fun" issues such as the admin user being told it can't access the admin pages in Horizon (because the default project is non-admin) and puppet continually trying to remove the 'default_roles' value from the service users and failing because it's not really there.
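The read-time role merge the README's Assignment Backend section describes, handling the two failure modes reported in this issue tracker (the unbound res in _get_metadata when no assignment row exists, and the defaults leaking onto SQL service users described just above), as an added example that is not the project's hybrid_assignment.py. The [ldap_hybrid] keys are the ones the README documents; the in-memory ROLES, PROJECTS, SQL_USER_IDS and ASSIGNMENTS tables, the function names, and the choice to apply defaults only to non-SQL users on the default project are constructed for this example.

```python
"""Runtime default-role injection for a hybrid assignment backend.

Added example. The config keys come from the README; the tables and the
"LDAP users only, default project only" policy are this example's own.
"""
import configparser

# Constructed keystone.conf fragment using the [ldap_hybrid] keys the README documents.
KEYSTONE_CONF = """
[assignment]
driver = keystone.assignment.backends.hybrid_assignment.Assignment

[ldap_hybrid]
default_roles = _member_, observer
default_project = demo
default_domain = default
"""

# Constructed SQL state. The README requires the role/project objects to exist already.
ROLES = {"r-member": "_member_", "r-observer": "observer", "r-admin": "admin"}
PROJECTS = {"p-demo": ("demo", "default"), "p-admin": ("admin", "default")}
# Users that live in the SQL identity table (service users etc.); everyone else is LDAP.
SQL_USER_IDS = {"admin", "nova"}
# Persisted assignments: (user_id, project_id) -> role ids. Never written by this code.
ASSIGNMENTS = {("admin", "p-admin"): ["r-admin"]}


class HybridConfig:
    """Parse the [ldap_hybrid] section; default_roles is a comma-separated list."""

    def __init__(self, conf_text):
        cp = configparser.ConfigParser()
        cp.read_string(conf_text)
        sec = cp["ldap_hybrid"]
        self.default_roles = [r.strip() for r in sec["default_roles"].split(",") if r.strip()]
        self.default_project = sec["default_project"]
        self.default_domain = sec["default_domain"]


def default_project_id(cfg):
    """Resolve default_project/default_domain to a project id; fail loudly if absent."""
    for pid, (name, domain) in PROJECTS.items():
        if (name, domain) == (cfg.default_project, cfg.default_domain):
            return pid
    raise LookupError("default_project %r in domain %r does not exist"
                      % (cfg.default_project, cfg.default_domain))


def default_role_ids(cfg):
    """Resolve every configured default role name to its id; fail loudly if one is missing."""
    by_name = {name: rid for rid, name in ROLES.items()}
    try:
        return [by_name[name] for name in cfg.default_roles]
    except KeyError as missing:
        raise LookupError("default role %s does not exist" % missing) from None


def roles_for_user_and_project(cfg, user_id, project_id):
    """Role ids for one user/project, with the defaults merged in at read time only.

    - `roles` is initialised before any lookup, so a missing assignment row
      yields [] instead of an unbound local variable.
    - Defaults are merged only for non-SQL (LDAP) users and only on the default
      project, so SQL service users keep exactly their stored roles.
    - ASSIGNMENTS is never modified: switching the backend off removes the defaults.
    """
    roles = list(ASSIGNMENTS.get((user_id, project_id), []))
    if user_id in SQL_USER_IDS or project_id != default_project_id(cfg):
        return roles
    for rid in default_role_ids(cfg):
        if rid not in roles:
            roles.append(rid)
    return roles


if __name__ == "__main__":
    cfg = HybridConfig(KEYSTONE_CONF)
    for uid, pid in (("jdoe", "p-demo"), ("jdoe", "p-admin"),
                     ("admin", "p-demo"), ("admin", "p-admin")):
        print(uid, pid, roles_for_user_and_project(cfg, uid, pid))
```

Resolving the configured names to ids up front, and raising when one is missing, turns a silent misconfiguration (a role that "is not really there", as the report above puts it) into a startup-time error rather than an assignment that config management tools keep trying to reconcile.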

Not working with kilo release (resolved)

It was working fine with Havana, and with some modifications with Juno,
but with the Kilo OpenStack release it does not work at all.

2015-07-03 15:35:26.525 2601 ERROR keystone.common.wsgi [-] get_all_filtered() takes exactly 2 arguments (1 given)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi Traceback (most recent call last):
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in call
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi result = method(context, **params)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 50, in get_users
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi CONF.identity.default_domain_id)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in wrapper
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 342, in wrapper
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 353, in wrapper
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 791, in list_users
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi ref_list = driver.list_users(hints)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/hybrid_identity.py", line 138, in list_users
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi ldap_users = self.user.get_all_filtered()
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi TypeError: get_all_filtered() takes exactly 2 arguments (1 given)
2015-07-03 15:35:26.525 2601 TRACE keystone.common.wsgi

'User' object has no attribute 'to_dict'

While using hybrid_identity.py, the following error occurred on executing 'keystone user-get':

ERROR keystone.common.wsgi [-] 'User' object has no attribute 'to_dict'
TRACE keystone.common.wsgi Traceback (most recent call last):
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 207, in call
TRACE keystone.common.wsgi result = method(context, **params)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/assignment/controllers.py", line 77, in get_projects_for_token
TRACE keystone.common.wsgi self.assignment_api.list_projects_for_user(user_ref['id']))
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/assignment/core.py", line 289, in list_projects_for_user
TRACE keystone.common.wsgi x in self.identity_api.list_groups_for_user(user_id)]
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/common/manager.py", line 47, in wrapper
TRACE keystone.common.wsgi return f(self, *args, **kwargs)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 189, in wrapper
TRACE keystone.common.wsgi return f(self, *args, **kwargs)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 447, in list_groups_for_user
TRACE keystone.common.wsgi user_id, hints or driver_hints.Hints())
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/identity/backends/sql.py", line 220, in list_groups_for_user
TRACE keystone.common.wsgi self.get_user(user_id)
TRACE keystone.common.wsgi File "/usr/lib/python2.6/site-packages/keystone/identity/backends/hybrid_identity.py", line 99, in get_user
TRACE keystone.common.wsgi return identity.filter_user(self._get_user(session, user_id).to_dict())
TRACE keystone.common.wsgi AttributeError: 'User' object has no attribute 'to_dict'
TRACE keystone.common.wsgi

b/r
H.
