
openstack flamingo: "'enabled' is a required property" for LDAP-managed users
Open, Medium · Public

Description

Just now @Volans tried to add himself to the bastion project in codfw1dev and ran into a very weird error message:

BadRequestException: 400: Client Error for url: https://openstack.codfw1dev.wikimediacloud.org:25357/v3/users?name=volans, Invalid input for field/attribute 0. Value: {'id': 'volans', 'name': 'Volans', 'email': 'rcoccioli@wikimedia.org', 'options': {}, 'password_expires_at': None, 'domain_id': 'default', 'links': {'self': 'https://openstack.codfw1dev.wikimediacloud.org:25357/v3/users/volans'}}. 'enabled' is a required property

That error seems to actually happen when ldap is queried, not when it's written to.

One hint: this error appears when I operate on 'labtestandrew' but not when I operate on 'labtestandrewmortal' -- this makes me think that upstream added some new schema validation in the latest release.

^ that isn't a hint, it's a different issue that the openstack cli returns no output when acting on a nonexistent user account.

Event Timeline

The 'Access -> Project Access' horizon dashboard in codfw1dev is also broken, likely the same issue as #1

taavi triaged this task as Low priority. Wed, Feb 4, 2:55 PM

2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application [None req-92a79b9d-c3f8-45d9-940f-3337cd379c89 novaadmin admin - - default default] Invalid input for field/attribute 0. Value: {'id': 'labtestandrew', 'name': 'Labtestandrew', 'email': 'andrewbogott@gmail.com', 'options': {}, 'password_expires_at': None, 'domain_id': 'default', 'links': {'self': 'https://openstack.codfw1dev.wikimediacloud.org:25357/v3/users/labtestandrew'}}. 'enabled' is a required property: keystone.exception.SchemaValidationError: Invalid input for field/attribute 0. Value: {'id': 'labtestandrew', 'name': 'Labtestandrew', 'email': 'andrewbogott@gmail.com', 'options': {}, 'password_expires_at': None, 'domain_id': 'default', 'links': {'self': 'https://openstack.codfw1dev.wikimediacloud.org:25357/v3/users/labtestandrew'}}. 'enabled' is a required property
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application Traceback (most recent call last):
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/keystone/api/validation/validators.py", line 177, in validate
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     self.validator.validate(*args, **kwargs)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/jsonschema/validators.py", line 451, in validate
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     raise error
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application jsonschema.exceptions.ValidationError: 'enabled' is a required property
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application 
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application Failed validating 'required' in schema['properties']['users']['items']:
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     {'type': 'object',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'properties': {'id': {'type': 'string', 'description': 'The user ID.'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'default_project_id': {'type': ['string', 'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                            'description': 'The ID of the '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                           'default project '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                           'for the user.'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'description': {'type': ['string', 'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                     'description': 'The user description'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'domain_id': {'type': 'string',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                   'description': 'The ID of the domain.'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'enabled': {'type': 'boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                 'description': 'If the user is enabled, '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'this value is true. If the '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'user is disabled, this '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'value is false.'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'federated': {'description': 'List of federated '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'objects associated with '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'a user. Each object in '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'the list contains the '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'idp_id and protocols. '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'protocols is a list of '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'objects, each of which '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'contains protocol_id and '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'unique_id of the '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'protocol and user '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                  'respectively.',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                   'type': 'array',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                   'items': {'type': 'object',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                             'properties': {'idp_id': {'type': 'string',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                       'description': 'The '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'Identity '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'Provider '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'ID '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'of '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'the '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'federated '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'user'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'protocols': {'type': 'array',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                          'items': {'type': 'object',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    'properties': {'protocol_id': {'type': 'string'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                                   'unique_id': {'type': 'string'}},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    'required': ['protocol_id',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                                 'unique_id']},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                          'minItems': 1}},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                             'required': ['idp_id',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                          'protocols']}},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'links': {'type': 'object',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                               'description': 'Links for the collection of '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                              'resources.',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                               'properties': {'next': {'type': ['string',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                       'format': 'uri'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                              'previous': {'type': ['string',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                    'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                           'format': 'uri'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                              'self': {'type': 'string',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                       'format': 'uri'}},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                               'required': ['self'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                               'additionalProperties': False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                               'readOnly': True},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'name': {'type': 'string',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                              'description': 'The user name. Must be unique '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                             'within the owning domain.'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'password_expires_at': {'type': ['string', 'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                             'format': 'date-time',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                             'description': 'The date and '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'time when the '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'password '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'expires. The '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'time zone is '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'UTC. A null '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'value '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'indicates that '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'the password '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'never '
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                            'expires.'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                     'options': {'type': 'object',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                 'properties': {'ignore_change_password_upon_first_use': {'type': ['boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                                   'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                          'enum': [True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                                   False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                                   None]},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'ignore_password_expiry': {'type': ['boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                           'enum': [True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    None]},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'ignore_lockout_failure_attempts': {'type': ['boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                             'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    'enum': [True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                             False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                             None]},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'lock_password': {'type': ['boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                           'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                  'enum': [True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                           False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                           None]},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'ignore_user_inactivity': {'type': ['boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                           'enum': [True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                    None]},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'multi_factor_auth_rules': {'type': ['array',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                     'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                            'items': {'type': 'array',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'items': {'type': 'string'},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'minItems': 1,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                      'uniqueItems': True},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                            'uniqueItems': True},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                'multi_factor_auth_enabled': {'type': ['boolean',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                       'null'],
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                              'enum': [True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                       False,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                                                                       None]}},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application                                 'additionalProperties': False}},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'additionalProperties': True,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'required': ['id', 'domain_id', 'enabled', 'name']}
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application 
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application On instance['users']:
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     {'id': 'labtestandrew',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'name': 'Labtestandrew',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'email': 'andrewbogott@gmail.com',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'options': {},
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'password_expires_at': None,
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'domain_id': 'default',
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application      'links': {'self': 'https://openstack.codfw1dev.wikimediacloud.org:25357/v3/users/labtestandrew'}}
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application 
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application During handling of the above exception, another exception occurred:
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application 
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application Traceback (most recent call last):
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask_restful/__init__.py", line 295, in error_router
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     return self.handle_error(e)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application            ~~~~~~~~~~~~~~~~~^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask_restful/__init__.py", line 310, in handle_error
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     _handle_flask_propagate_exceptions_config(current_app, e)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask/app.py", line 917, in full_dispatch_request
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     rv = self.dispatch_request()
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask/app.py", line 902, in dispatch_request
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask_restful/__init__.py", line 489, in wrapper
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask/views.py", line 110, in view
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     return current_app.ensure_sync(self.dispatch_request)(**kwargs)  # type: ignore[no-any-return]
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/flask_restful/__init__.py", line 604, in dispatch_request
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/keystone/api/validation/__init__.py", line 113, in wrapper
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     return func(*args, **kwargs)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/keystone/api/validation/__init__.py", line 80, in wrapper
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     return func(*args, **kwargs)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/keystone/api/validation/__init__.py", line 160, in wrapper
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     _schema_validator(schema, body, args, kwargs, is_body=True)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/keystone/api/validation/__init__.py", line 52, in _schema_validator
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     schema_validator.validate(target)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application   File "/usr/lib/python3/dist-packages/keystone/api/validation/validators.py", line 210, in validate
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application     raise exception.SchemaValidationError(detail=detail)
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application keystone.exception.SchemaValidationError: Invalid input for field/attribute 0. Value: {'id': 'labtestandrew', 'name': 'Labtestandrew', 'email': 'andrewbogott@gmail.com', 'options': {}, 'password_expires_at': None, 'domain_id': 'default', 'links': {'self': 'https://openstack.codfw1dev.wikimediacloud.org:25357/v3/users/labtestandrew'}}. 'enabled' is a required property
2026-02-04 16:40:46.922 500255 ERROR keystone.server.flask.application

Andrew renamed this task from Adding a new user to codfw1dev is messed up to Adding a new user to a codfw1dev project is messed up. Wed, Feb 4, 4:41 PM

At least one upstream dev has asserted that this is a bug fix and not a regression, which would mean that we've been setting the 'enabled' flag wrong in ldap all along. I could believe that but am not yet clear on how to set it properly.

Andrew raised the priority of this task from Low to Medium. Wed, Feb 4, 7:00 PM

I'm elevating the priority because this is a blocker for upgrading eqiad1 to flamingo.

taavi renamed this task from Adding a new user to a codfw1dev project is messed up to openstack flamingo: "'enabled' is a required property" for LDAP-managed users. Thu, Feb 5, 10:46 AM
taavi updated the task description.
taavi subscribed.

I have split the SSH key documentation part to T416568: Document how to add SSH keys in codfw1dev LDAP deployment.

Change #1238445 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Keystone/flamingo: set 'enabled' flag for all ldap users

https://gerrit.wikimedia.org/r/1238445

Change #1238445 merged by Andrew Bogott:

[operations/puppet@production] Keystone/flamingo: set 'enabled' flag for all ldap users

https://gerrit.wikimedia.org/r/1238445

Change #1238479 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] keystone/flamingo: further attempts with user_enabled_emulation

https://gerrit.wikimedia.org/r/1238479

Change #1238479 merged by Andrew Bogott:

[operations/puppet@production] keystone/flamingo: further attempts with user_enabled_emulation

https://gerrit.wikimedia.org/r/1238479

This is irritating because all we really want is to mark every user as 'enabled'. The updated keystone implementation wants that to be a boolean in the ldap schema.

We could alter the ldap schema to add that flag; it might be sort of useful. That kind of bulk edit is a bit scary but can certainly be done safely.

An alternative that I've struck on is to just re-use the 'hasSubordinates' attrib. Every user has that, and it's always set to false, so this whole issue is resolved with this keystone config:

user_enabled_attribute = hasSubordinates
user_enabled_invert = true

That is, obviously, silly. But it seems to work fine.
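
An added illustration of the workaround above (not code from this task or from Keystone): a simplified model of how `user_enabled_attribute` and `user_enabled_invert` turn an LDAP attribute into the boolean `enabled` field, checked against the `required` list from the logged schema. The mapping function, the sample entries, and the rule that a missing attribute yields no `enabled` key are assumptions made for the example.

```python
# Added illustration; a simplified model, not Keystone's implementation.
# The required keys and the error wording come from the traceback on this page.
REQUIRED_USER_KEYS = ("id", "domain_id", "enabled", "name")

# LDAP Boolean syntax uses the literal strings TRUE and FALSE.
LDAP_BOOL = {"TRUE": True, "FALSE": False}


def ldap_entry_to_user(entry, enabled_attribute=None, enabled_invert=False):
    """Map a constructed LDAP entry to a Keystone-style user dict.

    Assumption: 'enabled' is emitted only when the configured attribute is
    present and parses as an LDAP boolean; otherwise the key is left out,
    which matches the shape of the payload in the logged error.
    """
    user = {
        "id": entry["uid"],
        "name": entry["cn"],
        "domain_id": "default",
        "options": {},
    }
    raw = entry.get(enabled_attribute) if enabled_attribute else None
    if raw is not None and raw.upper() in LDAP_BOOL:
        value = LDAP_BOOL[raw.upper()]
        user["enabled"] = (not value) if enabled_invert else value
    return user


def schema_problems(user):
    """Return the reasons a user dict would fail the logged response schema."""
    problems = [
        f"'{key}' is a required property"
        for key in REQUIRED_USER_KEYS
        if key not in user
    ]
    if "enabled" in user and not isinstance(user["enabled"], bool):
        problems.append("'enabled' is not of type 'boolean'")
    return problems


def audit(entries, **mapping):
    """Map every entry and return {uid: problems} for the ones that fail."""
    report = {}
    for entry in entries:
        problems = schema_problems(ldap_entry_to_user(entry, **mapping))
        if problems:
            report[entry["uid"]] = problems
    return report


# Constructed sample directory entries (not real accounts).
SAMPLE_ENTRIES = [
    {"uid": "alice", "cn": "Alice", "hasSubordinates": "FALSE"},
    {"uid": "bob", "cn": "Bob", "hasSubordinates": "FALSE"},
    {"uid": "svc-odd", "cn": "Svc Odd"},  # attribute missing from the entry
]

if __name__ == "__main__":
    # Without a mapped attribute every record lacks 'enabled'.
    print("no mapping:", audit(SAMPLE_ENTRIES))
    # With the workaround only the entry lacking the attribute still fails.
    print(
        "workaround:",
        audit(
            SAMPLE_ENTRIES,
            enabled_attribute="hasSubordinates",
            enabled_invert=True,
        ),
    )
```

Under this model an entry whose `hasSubordinates` value is TRUE maps to `enabled = False`, so the workaround depends on the attribute being present and false on every user entry.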

This comment was removed by Andrew.

Last comment redacted because of security concerns. See https://bugs.launchpad.net/keystone/+bug/2141713 if/when it becomes public.

Change #1239271 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] keystone/flamingo: another attempt to get users marked as 'enabled'

https://gerrit.wikimedia.org/r/1239271

Change #1239271 merged by Andrew Bogott:

[operations/puppet@production] keystone/flamingo: another attempt to get users marked as 'enabled'

https://gerrit.wikimedia.org/r/1239271

Change #1239276 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] keystone/flamingo: another attempt to get users marked as 'enabled'

https://gerrit.wikimedia.org/r/1239276

Change #1239276 merged by Andrew Bogott:

[operations/puppet@production] keystone/flamingo: another attempt to get users marked as 'enabled'

https://gerrit.wikimedia.org/r/1239276