-rw-r--r-- | doc/source/admin/bootstrap.rst | 10 | ||||
-rw-r--r-- | keystone/conf/ldap.py | 8 | ||||
-rw-r--r-- | keystone/identity/backends/ldap/common.py | 19 | ||||
-rw-r--r-- | keystone/tests/unit/test_policy.py | 6 | ||||
-rw-r--r-- | lower-constraints.txt | 2 | ||||
-rw-r--r-- | releasenotes/notes/change_min_pool_retry_max-f5e7c8d315401426.yaml | 6 | ||||
-rw-r--r-- | requirements.txt | 2 |
7 files changed, 37 insertions, 16 deletions
diff --git a/doc/source/admin/bootstrap.rst b/doc/source/admin/bootstrap.rst index 51142b370..888ab6112 100644 --- a/doc/source/admin/bootstrap.rst +++ b/doc/source/admin/bootstrap.rst @@ -73,10 +73,12 @@ Verbosely, keystone can be bootstrapped with: --bootstrap-internal-url http://localhost:5000 This will create an ``admin`` user with the ``admin`` role on the ``admin`` -project. The user will have the password specified in the command. Note that -both the user and the project will be created in the ``default`` domain. By not -creating an endpoint in the catalog users will need to provide endpoint -overrides to perform additional identity operations. +project and the system. This allows the user to generate project-scoped and +system-scoped tokens which ensures they have full RBAC authorization. The user +will have the password specified in the command. Note that both the user and +the project will be created in the ``default`` domain. By not creating an +endpoint in the catalog users will need to provide endpoint overrides to +perform additional identity operations. This command will also create ``member`` and ``reader`` roles. The ``admin`` role implies the ``member`` role and ``member`` role implies the ``reader`` diff --git a/keystone/conf/ldap.py b/keystone/conf/ldap.py index 5943ff434..e9b89f9f6 100644 --- a/keystone/conf/ldap.py +++ b/keystone/conf/ldap.py @@ -411,11 +411,11 @@ use_pool` is also enabled. pool_retry_max = cfg.IntOpt( 'pool_retry_max', default=3, - min=0, + min=1, help=utils.fmt(""" -The maximum number of times to attempt reconnecting to the LDAP server before -aborting. A value of zero prevents retries. This option has no effect unless -`[ldap] use_pool` is also enabled. +The maximum number of times to attempt connecting to the LDAP server before +aborting. A value of one makes only one connection attempt. +This option has no effect unless `[ldap] use_pool` is also enabled. """)) pool_retry_delay = cfg.FloatOpt( 
diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py index 4af42de29..1033a4efd 100644 --- a/keystone/identity/backends/ldap/common.py +++ b/keystone/identity/backends/ldap/common.py @@ -1401,9 +1401,24 @@ class BaseLdap(object): pass else: try: - obj[k] = v[0] + value = v[0] except IndexError: - obj[k] = None + value = None + + # NOTE(xek): Some LDAP servers return bytes data type + # We convert it to string here, so that it is consistent with + # the other (SQL) backends. + # Bytes data type caused issues in the past, because it could + # be cached and then passed into str() method to be used as + # LDAP filters, which results in an unexpected b'...' prefix. + if isinstance(value, bytes): + try: + value = value.decode('utf-8') + except UnicodeDecodeError: + LOG.error("Error decoding value %r (object id %r).", + value, res[0]) + raise + obj[k] = value return obj diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py index b4dea27b8..d0feec639 100644 --- a/keystone/tests/unit/test_policy.py +++ b/keystone/tests/unit/test_policy.py @@ -151,16 +151,14 @@ class PolicyScopeTypesEnforcementTestCase(unit.TestCase): def test_warning_message_is_logged_if_enforce_scope_is_false(self): self.config_fixture.config(group='oslo_policy', enforce_scope=False) expected_msg = ( - 'failed scope check. The token used to make the ' + 'Policy "foo": "" failed scope check. The token used to make the ' 'request was project scoped but the policy requires [\'system\'] ' 'scope. This behavior may change in the future where using the ' 'intended scope is required' ) with mock.patch('warnings.warn') as mock_warn: policy.enforce(self.credentials, self.action, self.target) - mock_warn.assert_called_once() - warn_msg = mock_warn.call_args[0][0] - self.assertIn(expected_msg, warn_msg) + mock_warn.assert_called_with(expected_msg) class PolicyJsonTestCase(unit.TestCase): 
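Review bot: The new `except UnicodeDecodeError` branch logs the raw attribute value with `%r`; for a binary LDAP attribute — the very case that makes `decode('utf-8')` fail — that writes arbitrary directory data into the keystone log at ERROR level. Logging the key and object id is enough to diagnose the problem: `LOG.error("Error decoding attribute %r of object id %r as UTF-8.", k, res[0])`. The `raise` also means one non-UTF-8 attribute now fails the whole object lookup, whereas bytes previously passed through unchanged; if any mapped attribute can legitimately hold binary data, that is a behaviour change worth stating in the NOTE comment. The enclosing method starts above this hunk, so `k`, `v` and `res` are presumably the loop and result variables of that method — confirm before relying on them in the log call.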
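Review bot: In the keystone/tests/unit/test_policy.py hunk, replacing `assert_called_once()` plus `assertIn` with `assert_called_with(expected_msg)` drops the guarantee that the warning is emitted exactly once: `assert_called_with` inspects only the last call, so a regression that warns several times per `enforce()` would still pass. `mock_warn.assert_called_once_with(expected_msg)` keeps both checks in a single assertion. The test method is wholly inside the hunk; `self.credentials`, `self.action` and `self.target` are presumably set in a fixture outside it.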
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 3ceae8a1d..71f497fbd 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -32,7 +32,7 @@ oslo.i18n==3.15.3
 oslo.log==3.44.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==3.7.0
+oslo.policy==3.10.0
 oslo.serialization==2.18.0
 oslo.upgradecheck==1.3.0
 oslo.utils==3.33.0
diff --git a/releasenotes/notes/change_min_pool_retry_max-f5e7c8d315401426.yaml b/releasenotes/notes/change_min_pool_retry_max-f5e7c8d315401426.yaml
new file mode 100644
index 000000000..44109b144
--- /dev/null
+++ b/releasenotes/notes/change_min_pool_retry_max-f5e7c8d315401426.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Change the min value of pool_retry_max to 1. Setting this value to 0
+ caused the pool to fail before connecting to ldap, always raising
+ MaxConnectionReachedError.
diff --git a/requirements.txt b/requirements.txt
index f77c24665..c7e4605f3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ oslo.db>=6.0.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
 oslo.log>=3.44.0 # Apache-2.0
 oslo.middleware>=3.31.0 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.10.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
 oslo.upgradecheck>=1.3.0 # Apache-2.0
 oslo.utils>=3.33.0 # Apache-2.0 |