yahoo-eng-team team mailing list archive

[Bug 1220945] Re: Create user with LDAP enabled_mask, enabled not boolean

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1220945

Title:
  Create user with LDAP enabled_mask, enabled not boolean

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When you set up Keystone to use the LDAP identity backend, set
  user_enabled_mask to non-zero, and then create a user with "enabled"
  set to 'false', the "enabled" value comes back as a number rather than
  a boolean. This is unexpected because the SQL backend always returns a
  boolean.

  Here's an example:

  $ curl -s \
    -H "X-Auth-Token: $TOKEN" \
    -H "Content-Type: application/json" \
    --data '{"user": {"name": "blk-test1", "enabled": false}}' \
    http://localhost:35357/v3/users | python -mjson.tool
  {
      "user": {
          "domain_id": "default",
          "enabled": 514,
          "id": "e5d09e0ff7944b28b151865ed6b300ba",
          "links": {
              "self": "http://192.168.122.176:5000/v3/users/e5d09e0ff7944b28b151865ed6b300ba"
          },
          "name": "blk-test1"
      }
  }

  -- enabled should be false and not 514.

  Here's the output when using the SQL identity backend:

  {
      "user": {
          "domain_id": "default",
          "enabled": false,
          "id": "73734048e27545f185e2a37eda08f593",
          "links": {
              "self": "http://192.168.122.176:5000/v3/users/73734048e27545f185e2a37eda08f593"
          },
          "name": "blk-test1"
      }
  }

  
  To recreate, set in keystone.conf.sample:
  user_enabled_attribute = employeeType
  user_enabled_mask = 2
  user_enabled_default = 512

  Next, 
  change devstack to not set enabled in lib/keystone,
  configure localrc to use LDAP,
  start devstack, 
  and then run the curl command above.

  
  Note that when doing an update, the enabled value is a Boolean and the "enabled_nomask" value is returned:

  curl -s \
   -X PATCH \
   -H "X-Auth-Token: $TOKEN" \
   -H "Content-Type: application/json" \
   --data '{"user": {"enabled": false}}' \
   http://localhost:35357/v3/users/$USER_ID | python -mjson.tool
  {
      "user": {
          "domain_id": "default",
          "enabled": true,
          "enabled_nomask": 512,
          "id": "4c6aebecf60e441dbbdb678405d4f5ab",
          "links": {
              "self": "http://192.168.122.176:5000/v3/users/4c6aebecf60e441dbbdb678405d4f5ab"
          },
          "name": "demo"
      }
  }

  Creating a user should probably work similarly to this, although I
  don't see how the enabled_nomask value is useful to anyone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1220945/+subscriptions
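
The mask arithmetic behind the 514 in the create response, as an added example that is not part of the bug report and not Keystone's own code. The function names are hypothetical, and it assumes that a set mask bit means "disabled", which matches the reported values (default 512, disabled user returned as 514).

```python
# Added illustration; not Keystone's code. All function names are hypothetical.
USER_ENABLED_MASK = 2       # user_enabled_mask from the reproduction settings
USER_ENABLED_DEFAULT = 512  # user_enabled_default from the reproduction settings


def encode_enabled(enabled, current=USER_ENABLED_DEFAULT, mask=USER_ENABLED_MASK):
    """Return the integer to store in the directory for a boolean flag.

    Assumption: the mask bit set means the account is disabled
    (512 -> enabled, 512 | 2 = 514 -> disabled).
    """
    if not isinstance(enabled, bool):
        raise TypeError("enabled must be a bool, got %r" % (enabled,))
    if mask == 0:
        raise ValueError("mask 0 means no bitmask is in use")
    # Clear the bit to enable, set it to disable; other bits are preserved.
    return (current & ~mask) if enabled else (current | mask)


def decode_enabled(raw, mask=USER_ENABLED_MASK):
    """Return a strict bool from the raw directory value (int or numeric str)."""
    return (int(raw) & mask) != mask


def create_user_response(name, enabled):
    """Build a create-user body that exposes only the boolean.

    Returns (response_body, stored_value) so the raw integer can be
    inspected without leaking into the API response.
    """
    stored = encode_enabled(enabled)
    body = {"user": {"name": name, "enabled": decode_enabled(stored)}}
    return body, stored


if __name__ == "__main__":
    body, stored = create_user_response("blk-test1", False)
    print(stored, body)
    # A client doing a plain truthiness check on the raw value would read
    # the disabled account as enabled, because any non-zero int is truthy.
    print(bool(stored), decode_enabled(stored))
```
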