
yahoo-eng-team team mailing list archive

[Bug 1313956] [NEW] Keystone adds role to non-existing user in specific tenant by API

 

Public bug reported:

Icehouse, discovered during tempest testing:

Scenario is adding a role to a non-existing user in a specific tenant:

Tenant-id = 2775ce375d624735b49347cdac41a946
Role-id = 9fe2ff9ee4384b1894a90878d3e92bab
User-id is some junk, like: junk-user-id-2999

The problem exists only in API requests; the CLI command reports an error:
 
@all-in-one:~# keystone user-role-add --user user-junk-id-101010 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 2775ce375d624735b49347cdac41a946
No user with a name or ID of 'user-junk-id-101010' exists.

With API:
 
1) Authenticate and get token:
curl -d '{"auth":{"tenantName": "openstack", "passwordCredentials": {"username": "admin", "password": "admin_password"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens > /tmp/aaa
sed -i 's/.*"id": "\(.\+\)==.*/\1==/g' /tmp/aaa
 
2) Add existing role in existing tenant to non-existing user "junk-user-id-2999":
curl -i -H "X-Auth-Token:`cat /tmp/aaa`" -X PUT http://localhost:35357/v2.0//tenants/2775ce375d624735b49347cdac41a946/users/junk-user-id-2999/roles/OS-KSADM/9fe2ff9ee4384b1894a90878d3e92bab
 
Output means success:
{"role": {"enabled": "True", "description": "Default role for project membership", "name": "_member_", "id": "9fe2ff9ee4384b1894a90878d3e92bab"}}
 
3) Repeat the last request and get the output:
{"error": {"message": "Conflict occurred attempting to store role grant. User junk-user-id-2999 already has role 9fe2ff9ee4384b1894a90878d3e92bab in tenant 2775ce375d624735b49347cdac41a946", "code": 409, "title": "Conflict"}}
 
Seems like user is self-added.
Although there are no such users in this tenant:
curl  -H "X-Auth-Token:`cat /tmp/aaa`"  http://localhost:35357/v2.0/tenants/2775ce375d624735b49347cdac41a946/users
--- no junk-user-id-2999 here ---

Seems like there is no user ID check in the API.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1313956
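As an added example, not code from the bug report or from Keystone itself, the following Python model reproduces the role-grant path the report describes and the check it lacks. `add_role_unchecked` validates the tenant and role but stores whatever user id it is given, so the first PUT succeeds and the repeat raises the 409 seen in step 3; `add_role_checked` adds the missing user lookup; `dangling_grants` and `dangling_grants_from_api` perform the audit the reporter did by hand, comparing stored grants against the tenant's user list. The class, method and exception names and the user entry `admin-user-id-constructed` are assumptions; the tenant, role and junk user ids are the ones from the report.

```python
# Added example: a model of the v2.0 role-grant path from the report, not Keystone code.
# Names of the class, methods and exceptions are assumptions chosen for the model.
import json
from dataclasses import dataclass, field


class NotFound(Exception):
    """Stands in for an HTTP 404 in this model."""


class Conflict(Exception):
    """Stands in for the HTTP 409 returned in step 3 of the report."""


@dataclass
class IdentityStore:
    users: set
    tenants: set
    roles: set
    # (tenant_id, user_id, role_id) triples, like rows in an assignment table
    grants: set = field(default_factory=set)

    def add_role_unchecked(self, tenant_id, user_id, role_id):
        """Behaviour the report describes: tenant and role are validated, the user id is not."""
        if tenant_id not in self.tenants:
            raise NotFound(f"Could not find tenant: {tenant_id}")
        if role_id not in self.roles:
            raise NotFound(f"Could not find role: {role_id}")
        key = (tenant_id, user_id, role_id)
        if key in self.grants:
            raise Conflict(f"User {user_id} already has role {role_id} in tenant {tenant_id}")
        self.grants.add(key)
        return {"role": {"id": role_id}}

    def add_role_checked(self, tenant_id, user_id, role_id):
        """Hardened form: look the user up before touching the assignment table."""
        if user_id not in self.users:
            raise NotFound(f"Could not find user: {user_id}")
        return self.add_role_unchecked(tenant_id, user_id, role_id)


def dangling_grants(store):
    """Grants whose user id does not exist in the user store."""
    return sorted(g for g in store.grants if g[1] not in store.users)


def dangling_grants_from_api(users_response, grants):
    """Same audit over the JSON shape of GET /v2.0/tenants/{tenant_id}/users."""
    known = {u["id"] for u in json.loads(users_response)["users"]}
    return sorted(g for g in grants if g[1] not in known)


# Constructed sample data; tenant, role and junk user ids are taken from the report.
TENANT = "2775ce375d624735b49347cdac41a946"
ROLE = "9fe2ff9ee4384b1894a90878d3e92bab"
REAL_USER = "admin-user-id-constructed"  # constructed id for a user that does exist
JUNK_USER = "junk-user-id-2999"
USERS_RESPONSE = json.dumps({"users": [{"id": REAL_USER, "name": "admin", "enabled": True}]})


def reproduce():
    """Replay steps 2 and 3 against the unchecked model: (first result, second result, dangling grants)."""
    store = IdentityStore(users={REAL_USER}, tenants={TENANT}, roles={ROLE})
    first = store.add_role_unchecked(TENANT, JUNK_USER, ROLE)
    try:
        store.add_role_unchecked(TENANT, JUNK_USER, ROLE)
        second = "unexpected success"
    except Conflict:
        second = 409
    return first, second, dangling_grants(store)


def reproduce_checked():
    """Same request against the hardened model: (status, dangling grants)."""
    store = IdentityStore(users={REAL_USER}, tenants={TENANT}, roles={ROLE})
    try:
        store.add_role_checked(TENANT, JUNK_USER, ROLE)
        return 200, dangling_grants(store)
    except NotFound:
        return 404, dangling_grants(store)


if __name__ == "__main__":
    print("unchecked:", reproduce())
    print("checked:  ", reproduce_checked())
    print("api audit:", dangling_grants_from_api(USERS_RESPONSE, [(TENANT, JUNK_USER, ROLE), (TENANT, REAL_USER, ROLE)]))
```

The audit functions are the part worth keeping around on a deployment affected by this: a grant row whose user id appears in no user listing is exactly the state the report ends with, and it stays invisible to the tenant's user list until someone joins the two.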

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1313956/+subscriptions