yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #03170
[Bug 1174585] Re: LDAP list group users should not fail if user entry deleted
** Changed in: keystone/grizzly
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1174585
Title:
LDAP list group users should not fail if user entry deleted
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone grizzly series:
Fix Released
Bug description:
Using the LDAP identity backend,
if a group member entry doesn't exist in the LDAP server anymore
and the group's members are listed using GET /v3/groups/{groupId}/users,
Keystone returns 404 Not Found.
First, it's incorrect to return 404 Not Found when the group resource exists.
Second, Keystone should be more robust. A user entry may not exist
because the LDAP administrator deleted the entry but forgot to update the group.
The server should return all the group members that do exist
and ignore the missing members,
and probably log a warning message about the missing user.
This can be recreated by:
1) start with devstack configured to use LDAP
# set LDAP options in localrc
./stack.sh ...
2) add the default domain since it doesn't exist by default for some
reason.
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w adminpwd
dn: cn=default,ou=Domains,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=dummy
3) Create a couple users
$ keystone user-create --name user1 --pass user1pwd
(example id is e1b7df356f004b73864afc8fdb261617)
$ keystone user-create --name user2 --pass user2pwd
(example id is bc8031d87e4c41d89f031a55ae7d8abd)
4) Create a group with both users:
$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w adminpwd
dn: ou=UserGroups,dc=openstack,dc=org
objectclass: organizationalUnit
dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=e1b7df356f004b73864afc8fdb261617,ou=Users,dc=openstack,dc=org
member: cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org
5) List group members, the user's in there.
curl -H "X-Auth-Token: admintoken" http://localhost:35357/v3/groups/group1/users
...
6) Delete the user from LDAP directly.
ldapdelete -x -D dc=Manager,dc=openstack,dc=org -w adminpwd
"cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org"
7) List group members again, it fails.
$ curl -H "X-Auth-Token: adminpwd" http://localhost:35357/v3/groups/group1/users | python -mjson.tool
{
"error": {
"code": 404,
"message": "Could not find user: bc8031d87e4c41d89f031a55ae7d8abd",
"title": "Not Found"
}
}
The last list group members should have worked, just returned the e1b7df356f004b73864afc8fdb261617 user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1174585/+subscriptions