yahoo-eng-team team mailing list archive

[Bug 1174451] Re: [LDAP] user_allow_create = False does not raise 403 Forbidden on POST /users

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => icehouse-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1174451

Title:
  [LDAP] user_allow_create = False does not raise 403 Forbidden on POST
  /users

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  Calling POST /users on a pre-populated LDAP backend where
  user_allow_create = False and the specified user already exists causes
  a 409 Conflict to be returned instead of a quick 403 Forbidden before
  any work is done.

  
  2013-04-29 16:50:25    DEBUG [eventlet.wsgi.server] (9072) accepted ('127.0.0.1', 44390)

  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] ******************** REQUEST ENVIRON ********************
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] SCRIPT_NAME = /v2.0
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] webob.adhoc_attrs = {'response': <Response at 0x3fbb550 200 OK>}
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] REQUEST_METHOD = POST
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] PATH_INFO = /users
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] SERVER_PROTOCOL = HTTP/1.0
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] REMOTE_ADDR = 127.0.0.1
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] CONTENT_LENGTH = 135
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] HTTP_X_AUTH_TOKEN = 999888777666
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] HTTP_USER_AGENT = Chef keystone_user
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] HTTP_CONNECTION = close
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] eventlet.posthooks = []
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] RAW_PATH_INFO = //v2.0/users
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] REMOTE_PORT = 44390
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] eventlet.input = <eventlet.wsgi.Input object at 0x3fbb450>
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.url_scheme = http
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] webob._body_file = (<_io.BufferedReader>, <eventlet.wsgi.Input object at 0x3fbb450>)
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] SERVER_PORT = 35357
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.input = <_io.BytesIO object at 0x3c96a70>
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] openstack.context = {'token_id': '999888777666', 'is_admin': True}
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] HTTP_HOST = 127.0.0.1:35357
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.multithread = True
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] openstack.params = {u'user': {u'email': None, u'password': u'NR9e3quORn3AT44uwz5n', u'enabled': 1, u'name': u'monitoring', u'tenantId': u'4bc9cbdf979844449b9017b7b33abba9'}}
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] HTTP_ACCEPT = */*
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.version = (1, 0)
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] SERVER_NAME = 127.0.0.1
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] GATEWAY_INTERFACE = CGI/1.1
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.run_once = False
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.errors = <open file '<stderr>', mode 'w' at 0x7fc4ad1c0270>
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] wsgi.multiprocess = False
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] webob.is_body_seekable = True
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] CONTENT_TYPE = application/json
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi]
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] ******************** REQUEST BODY ********************
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] {"user":{"tenantId":"4bc9cbdf979844449b9017b7b33abba9","name":"monitoring","password":"NR9e3quORn3AT44uwz5n","email":null,"enabled":1}}
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi]
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] arg_dict: {}
  2013-04-29 16:50:25    DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://10.181.143.15
  2013-04-29 16:50:25    DEBUG [keystone.common.ldap.core] LDAP bind: dn=CN=Administrator,CN=Users,DC=rcbops,DC=me
  2013-04-29 16:50:25    DEBUG [keystone.common.ldap.core] LDAP search: dn=OU=Tenants,DC=rcbops,DC=me, scope=1, query=(&(cn=4bc9cbdf979844449b9017b7b33abba9)(objectClass=groupOfNames)), attrs=['businessCategory', 'cn', 'extensionName', 'ou', 'description']
  2013-04-29 16:50:25    DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://10.181.143.15
  2013-04-29 16:50:25    DEBUG [keystone.common.ldap.core] LDAP bind: dn=CN=Administrator,CN=Users,DC=rcbops,DC=me
  2013-04-29 16:50:25    DEBUG [keystone.common.ldap.core] LDAP search: dn=CN=Users,DC=rcbops,DC=me, scope=1, query=(&(cn=monitoring)(objectClass=person)), attrs=['businessCategory', 'userPassword', 'userAccountControl', 'mail', 'cn']
  2013-04-29 16:50:25  WARNING [keystone.common.wsgi] Conflict occurred attempting to store user. Duplicate name, monitoring.
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] ******************** RESPONSE HEADERS ********************
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] Content-Type = application/json
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] Content-Length = 131
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi]
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] ******************** RESPONSE BODY ********************
  2013-04-29 16:50:25    DEBUG [keystone.common.wsgi] {"error": {"message": "Conflict occurred attempting to store user. Duplicate name, monitoring.", "code": 409, "title": "Conflict"}}
  2013-04-29 16:50:25     INFO [access] 127.0.0.1 - - [29/Apr/2013:16:50:25 +0000] "POST http://127.0.0.1:35357/v2.0/users HTTP/1.0" 409 131
  2013-04-29 16:50:25    DEBUG [eventlet.wsgi.server] 127.0.0.1 - - [29/Apr/2013 16:50:25] "POST //v2.0/users HTTP/1.1" 409 285 0.033216

  2013-04-29 16:50:25    DEBUG [eventlet.wsgi.server] (9072) accepted ('127.0.0.1', 44393)

  Config:

  user_tree_dn = CN=Users,DC=rcbops,DC=me
  user_objectclass = person
  user_id_attribute = cn
  user_name_attribute = cn
  user_mail_attribute = mail
  user_enabled_attribute = userAccountControl
  user_enabled_mask = 2
  user_enabled_default = 512
  user_attribute_ignore = password,tenantId,tenants,domain_id
  user_allow_create = False
  user_allow_update = False
  user_allow_delete = False

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1174451/+subscriptions
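
The check ordering the report asks for, as an added example: this is a minimal Python model written for this page, not Keystone's code. `ReadOnlyDirectory`, the two `create_user_*` functions and `status_and_searches` are hypothetical names, and the directory contents are constructed. It contrasts a duplicate-name lookup that runs before the `user_allow_create` gate with the gate-first order, counting backend searches.

```python
class Forbidden(Exception):
    code = 403


class Conflict(Exception):
    code = 409


class ReadOnlyDirectory:
    """Hypothetical stand-in for a pre-populated LDAP user tree; counts searches."""

    def __init__(self, names):
        self._names = set(names)
        self.searches = 0

    def find_by_name(self, name):
        self.searches += 1
        return name if name in self._names else None

    def add(self, name):
        self._names.add(name)


def create_user_lookup_first(directory, allow_create, name):
    # Order matching the logged behaviour: the backend is searched first,
    # so an existing name yields 409 even though creation is disabled.
    if directory.find_by_name(name) is not None:
        raise Conflict("Duplicate name, %s." % name)
    if not allow_create:
        raise Forbidden("user creation is disabled")
    directory.add(name)


def create_user_gate_first(directory, allow_create, name):
    # Order the report asks for: refuse before touching the backend.
    if not allow_create:
        raise Forbidden("user creation is disabled")
    if directory.find_by_name(name) is not None:
        raise Conflict("Duplicate name, %s." % name)
    directory.add(name)


def status_and_searches(create, allow_create, name, existing=("monitoring",)):
    """Return (HTTP status, backend searches performed) for one create call."""
    directory = ReadOnlyDirectory(existing)  # constructed sample data
    try:
        create(directory, allow_create, name)
        return 200, directory.searches
    except (Forbidden, Conflict) as exc:
        return exc.code, directory.searches
```

With `allow_create=False`, the lookup-first order returns 409 for an existing name and 403 for a new one, so the status depends on whether the name exists; the gate-first order returns 403 with zero searches in both cases.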