yahoo-eng-team team mailing list archive

[Bug 1174585] Re: LDAP list group users should not fail if user entry deleted


** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => havana-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1174585

Title:
  LDAP list group users should not fail if user entry deleted

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone grizzly series:
  Fix Committed

Bug description:
  Using the LDAP identity backend,
  if a group member entry doesn't exist in the LDAP server anymore
  and the group's members are listed using GET /v3/groups/{groupId}/users,
  Keystone returns 404 Not Found.

  First, it's incorrect to return 404 Not Found when the group resource exists.
  Second, Keystone should be more robust. A user entry may not exist
  because the LDAP administrator deleted the entry but forgot to update the group.

  The server should return all the group members that do exist
  and ignore the missing members,
  and probably log a warning message about the missing user.

  This can be recreated by:
  1) start with devstack configured to use LDAP
  # set LDAP options in localrc
  ./stack.sh ...

  2) add the default domain since it doesn't exist by default for some
  reason.

  $ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w adminpwd
  dn: cn=default,ou=Domains,dc=openstack,dc=org
  objectclass: groupOfNames
  member: cn=dummy

  3) Create a couple users

  $ keystone user-create --name user1 --pass user1pwd
  (example id is e1b7df356f004b73864afc8fdb261617)
  $ keystone user-create --name user2 --pass user2pwd
  (example id is bc8031d87e4c41d89f031a55ae7d8abd)

  4) Create a group with both users:

  $ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w adminpwd

  dn: ou=UserGroups,dc=openstack,dc=org
  objectclass: organizationalUnit

  dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
  objectclass: groupOfNames
  member: cn=e1b7df356f004b73864afc8fdb261617,ou=Users,dc=openstack,dc=org
  member: cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org

  5) List group members; both users are in there.

  curl -H "X-Auth-Token: admintoken" http://localhost:35357/v3/groups/group1/users
  ...

  6) Delete the user from LDAP directly.

  ldapdelete -x -D dc=Manager,dc=openstack,dc=org -w adminpwd
  "cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org"

  7) List group members again; it fails.

  $ curl -H "X-Auth-Token: adminpwd" http://localhost:35357/v3/groups/group1/users | python -mjson.tool
  {
      "error": {
          "code": 404,
          "message": "Could not find user: bc8031d87e4c41d89f031a55ae7d8abd",
          "title": "Not Found"
      }
  }

  The last list-group-members call should have worked and just returned the e1b7df356f004b73864afc8fdb261617 user.
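The two behaviours contrasted in the report, as an added example that is not Keystone's own code: a strict member listing that turns the first dangling member DN into a 404 for the whole request, beside a tolerant one that skips the missing entry, logs a warning and returns the members that do exist, while still answering 404 when the group itself is absent. The directory is replaced by a constructed in-memory dict using the user ids from the report; the function and exception names are assumptions made for this example.

```python
"""Added example (not Keystone's code): listing group members when a member DN
no longer resolves to a user entry, with the group lookup kept separate so a
missing *group* still yields 404 while a missing *member* does not."""
import logging

logger = logging.getLogger(__name__)


class NotFound(Exception):
    """Base error that the API layer maps to HTTP 404."""


class GroupNotFound(NotFound):
    pass


class UserNotFound(NotFound):
    pass


# Constructed stand-in for the LDAP directory: only user1 still has an entry,
# user2's entry was deleted (step 6 of the report) but group1 still names it.
USERS = {
    "cn=e1b7df356f004b73864afc8fdb261617,ou=Users,dc=openstack,dc=org":
        {"id": "e1b7df356f004b73864afc8fdb261617", "name": "user1"},
}

GROUPS = {
    "group1": [
        "cn=e1b7df356f004b73864afc8fdb261617,ou=Users,dc=openstack,dc=org",
        # dangling reference: the entry behind this DN no longer exists
        "cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org",
    ],
}


def get_user(dn):
    """Resolve a member DN to a user record; raises UserNotFound if deleted."""
    try:
        return USERS[dn]
    except KeyError:
        raise UserNotFound("Could not find user: %s" % dn.split(",")[0][3:])


def get_group_member_dns(group_id):
    """Return the member DNs of a group; raises GroupNotFound for unknown groups."""
    try:
        return GROUPS[group_id]
    except KeyError:
        raise GroupNotFound("Could not find group: %s" % group_id)


def list_group_users_strict(group_id):
    """Behaviour described in the bug: one dangling member fails the request."""
    return [get_user(dn) for dn in get_group_member_dns(group_id)]


def list_group_users_tolerant(group_id):
    """Behaviour the report asks for: skip missing members, warn, return the rest."""
    users = []
    for dn in get_group_member_dns(group_id):
        try:
            users.append(get_user(dn))
        except UserNotFound:
            logger.warning("group %s references missing user entry %s; skipping",
                           group_id, dn)
    return users


def handle_request(group_id, lister):
    """Minimal API layer: (status, body) as a v3-style JSON response."""
    try:
        return 200, {"users": lister(group_id)}
    except NotFound as exc:
        return 404, {"error": {"code": 404, "title": "Not Found",
                               "message": str(exc)}}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle_request("group1", list_group_users_strict))    # 404, as in step 7
    print(handle_request("group1", list_group_users_tolerant))  # 200, user1 only
    print(handle_request("nogroup", list_group_users_tolerant)) # 404, group missing
```

The point of keeping `get_group_member_dns` outside the per-member loop is that the 404 still reflects the requested resource: the group. A stale member is a directory-consistency problem that belongs in the logs, not in the client's status code.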

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1174585/+subscriptions