← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1396228] [NEW] Keystone V3 query REST API returns all rows when using a display_name not in the database

 

Public bug reported:

Summary:
When using the openstack CLI with V3 keystone API to query for a keystone service, user or group (probably others too), if there is one row, it is returned, even if it doesn't match the query. The API appears to return exactly the one row if there is a hit, but all rows if there is a miss.

This appears to affect the V3 API. If I use the same client with a v2.0
keystone endpoint, the problem isn't there.

Details:
Using Juno release on Ubuntu 14.04
Client version: 0.3.0
Server version: Keystone: 1:2014.2-0ubuntu1~cloud0
Using v3 keystone API

More Details (warnings and info have been removed)
$ openstack service list
+----------------------------------+----------+----------+---------+
| ID                               | Name     | Type     | Enabled |
+----------------------------------+----------+----------+---------+
| 3e67652d047f4e409eef78d7128047d2 | keystone | identity | True    |
+----------------------------------+----------+----------+---------+

$ openstack service show non-existent-service
+-------------+------------------------------------------------------------------------------------+
| Field       | Value                                                                              |
+-------------+------------------------------------------------------------------------------------+
| description | OpenStack Identity                                                                 |
| enabled     | True                                                                               |
| id          | 3e67652d047f4e409eef78d7128047d2                                                   |
| links       | {u'self': u'http://controller:35357/v3/services/3e67652d047f4e409eef78d7128047d2'} |
| name        | keystone                                                                           |
| type        | identity                                                                           |
+-------------+------------------------------------------------------------------------------------+

# Note how it returns the keystone service

$ openstack service create --name test test
+---------+------------------------------------------------------------------------------------+
| Field   | Value                                                                              |
+---------+------------------------------------------------------------------------------------+
| enabled | True                                                                               |
| id      | da518fb9a75c4f619f5010fc8b9884b1                                                   |
| links   | {u'self': u'http://controller:35357/v3/services/da518fb9a75c4f619f5010fc8b9884b1'} |
| name    | test                                                                               |
| type    | test                                                                               |
+---------+------------------------------------------------------------------------------------+

$ openstack service list
+----------------------------------+----------+----------+---------+
| ID                               | Name     | Type     | Enabled |
+----------------------------------+----------+----------+---------+
| 3e67652d047f4e409eef78d7128047d2 | keystone | identity | True    |
| da518fb9a75c4f619f5010fc8b9884b1 | test     | test     | True    |
+----------------------------------+----------+----------+---------+

$ openstack service show non-existent-service
ERROR: openstack No service with a name or ID of 'non-existent-service' exists.

More details:
$ openstack user list
INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 2581bd935d714ccda0b21c7f1a28deac | admin |
+----------------------------------+-------+

$ openstack -v user show non-existent-user
[some output removed]
DEBUG: urllib3.connectionpool "GET /v3/users?display_name=non-existent-user HTTP/1.1" 200 392
DEBUG: keystoneclient.session RESP: [200] CaseInsensitiveDict({'date': 'Tue, 25 Nov 2014 16:00:01 GMT', 'vary': 'X-Auth-Token', 'content-length': '392', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
RESP BODY: {"users": [{"domain_id": "default", "name": "admin", "links": {"self": "http://controller:35357/v3/users/2581bd935d714ccda0b21c7f1a28deac"}, "id": "2581bd935d714ccda0b21c7f1a28deac", "enabled": true, "email": null, "default_project_id": "8397dc1d021e4eddbff77eca807a1555"}], "links": {"self": "http://controller:35357/v3/users?display_name=non-existent-user";, "previous": null, "next": null}}

+--------------------+---------------------------------------------------------------------------------+
| Field              | Value                                                                           |
+--------------------+---------------------------------------------------------------------------------+
| default_project_id | 8397dc1d021e4eddbff77eca807a1555                                                |
| domain_id          | default                                                                         |
| email              | None                                                                            |
| enabled            | True                                                                            |
| id                 | 2581bd935d714ccda0b21c7f1a28deac                                                |
| links              | {u'self': u'http://controller:35357/v3/users/2581bd935d714ccda0b21c7f1a28deac'} |
| name               | admin                                                                           |
+--------------------+---------------------------------------------------------------------------------+

$ openstack user create test
INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
WARNING: keystoneclient.utils create takes at most 1 positional argument (2 given)
INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
+-----------+---------------------------------------------------------------------------------+
| Field     | Value                                                                           |
+-----------+---------------------------------------------------------------------------------+
| domain_id | default                                                                         |
| enabled   | True                                                                            |
| id        | d70192399e6a4b1cb3f0b91a1002cccf                                                |
| links     | {u'self': u'http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf'} |
| name      | test                                                                            |
+-----------+---------------------------------------------------------------------------------+

$ openstack -v user show non-existent-user
[some output removed]
DEBUG: urllib3.connectionpool "GET /v3/users?display_name=non-existent-user HTTP/1.1" 200 581
DEBUG: keystoneclient.session RESP: [200] CaseInsensitiveDict({'date': 'Tue, 25 Nov 2014 16:01:24 GMT', 'vary': 'X-Auth-Token', 'content-length': '581', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
RESP BODY: {"users": [{"domain_id": "default", "name": "admin", "links": {"self": "http://controller:35357/v3/users/2581bd935d714ccda0b21c7f1a28deac"}, "id": "2581bd935d714ccda0b21c7f1a28deac", "enabled": true, "email": null, "default_project_id": "8397dc1d021e4eddbff77eca807a1555"}, {"name": "test", "links": {"self": "http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf"}, "enabled": true, "id": "d70192399e6a4b1cb3f0b91a1002cccf", "domain_id": "default"}], "links": {"self": "http://controller:35357/v3/users?display_name=non-existent-user";, "previous": null, "next": null}}

ERROR: openstack No user with a name or ID of 'non-existent-user' exists.
DEBUG: openstackclient.shell clean_up ShowUser
DEBUG: openstackclient.shell got an error: No user with a name or ID of 'non-existent-user' exists.

$ openstack -v user show test
[some output removed]
DEBUG: urllib3.connectionpool "GET /v3/users?name=test HTTP/1.1" 200 297
DEBUG: keystoneclient.session RESP: [200] CaseInsensitiveDict({'date': 'Tue, 25 Nov 2014 16:09:15 GMT', 'vary': 'X-Auth-Token', 'content-length': '297', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
RESP BODY: {"users": [{"name": "test", "links": {"self": "http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf"}, "enabled": true, "id": "d70192399e6a4b1cb3f0b91a1002cccf", "domain_id": "default"}], "links": {"self": "http://controller:35357/v3/users?name=test";, "previous": null, "next": null}}

+-----------+---------------------------------------------------------------------------------+
| Field     | Value                                                                           |
+-----------+---------------------------------------------------------------------------------+
| domain_id | default                                                                         |
| enabled   | True                                                                            |
| id        | d70192399e6a4b1cb3f0b91a1002cccf                                                |
| links     | {u'self': u'http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf'} |
| name      | test                                                                            |
+-----------+---------------------------------------------------------------------------------+

Another example:
$ openstack group list
[it's empty]

$ openstack group create foo
+-------------+----------------------------------------------------------------------------------+
| Field       | Value                                                                            |
+-------------+----------------------------------------------------------------------------------+
| description |                                                                                  |
| domain_id   | default                                                                          |
| id          | 196a166fb05b47c594b7a3ff76738787                                                 |
| links       | {u'self': u'http://controller:35357/v3/groups/196a166fb05b47c594b7a3ff76738787'} |
| name        | foo                                                                              |
+-------------+----------------------------------------------------------------------------------+

$ openstack group show bar
+-------------+----------------------------------------------------------------------------------+
| Field       | Value                                                                            |
+-------------+----------------------------------------------------------------------------------+
| description |                                                                                  |
| domain_id   | default                                                                          |
| id          | 196a166fb05b47c594b7a3ff76738787                                                 |
| links       | {u'self': u'http://controller:35357/v3/groups/196a166fb05b47c594b7a3ff76738787'} |
| name        | foo                                                                              |
+-------------+----------------------------------------------------------------------------------+

$ openstack group delete foo

$ openstack group show bar
ERROR: openstack No group with a name or ID of 'bar' exists.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1396228

Title:
  Keystone V3 query REST API returns all rows when using a display_name
  not in the database

Status in OpenStack Identity (Keystone):
  New

Bug description:
  Summary:
  When using the openstack CLI with V3 keystone API to query for a keystone service, user or group (probably others too), if there is one row, it is returned, even if it doesn't match the query. The API appears to return exactly the one row if there is a hit, but all rows if there is a miss.

  This appears to affect the V3 API. If I use the same client with a
  v2.0 keystone endpoint, the problem isn't there.

  Details:
  Using Juno release on Ubuntu 14.04
  Client version: 0.3.0
  Server version: Keystone: 1:2014.2-0ubuntu1~cloud0
  Using v3 keystone API

  More Details (warnings and info have been removed)
  $ openstack service list
  +----------------------------------+----------+----------+---------+
  | ID                               | Name     | Type     | Enabled |
  +----------------------------------+----------+----------+---------+
  | 3e67652d047f4e409eef78d7128047d2 | keystone | identity | True    |
  +----------------------------------+----------+----------+---------+

  $ openstack service show non-existent-service
  +-------------+------------------------------------------------------------------------------------+
  | Field       | Value                                                                              |
  +-------------+------------------------------------------------------------------------------------+
  | description | OpenStack Identity                                                                 |
  | enabled     | True                                                                               |
  | id          | 3e67652d047f4e409eef78d7128047d2                                                   |
  | links       | {u'self': u'http://controller:35357/v3/services/3e67652d047f4e409eef78d7128047d2'} |
  | name        | keystone                                                                           |
  | type        | identity                                                                           |
  +-------------+------------------------------------------------------------------------------------+

  # Note how it returns the keystone service

  $ openstack service create --name test test
  +---------+------------------------------------------------------------------------------------+
  | Field   | Value                                                                              |
  +---------+------------------------------------------------------------------------------------+
  | enabled | True                                                                               |
  | id      | da518fb9a75c4f619f5010fc8b9884b1                                                   |
  | links   | {u'self': u'http://controller:35357/v3/services/da518fb9a75c4f619f5010fc8b9884b1'} |
  | name    | test                                                                               |
  | type    | test                                                                               |
  +---------+------------------------------------------------------------------------------------+

  $ openstack service list
  +----------------------------------+----------+----------+---------+
  | ID                               | Name     | Type     | Enabled |
  +----------------------------------+----------+----------+---------+
  | 3e67652d047f4e409eef78d7128047d2 | keystone | identity | True    |
  | da518fb9a75c4f619f5010fc8b9884b1 | test     | test     | True    |
  +----------------------------------+----------+----------+---------+

  $ openstack service show non-existent-service
  ERROR: openstack No service with a name or ID of 'non-existent-service' exists.

  More details:
  $ openstack user list
  INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
  INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
  +----------------------------------+-------+
  | ID                               | Name  |
  +----------------------------------+-------+
  | 2581bd935d714ccda0b21c7f1a28deac | admin |
  +----------------------------------+-------+

  $ openstack -v user show non-existent-user
  [some output removed]
  DEBUG: urllib3.connectionpool "GET /v3/users?display_name=non-existent-user HTTP/1.1" 200 392
  DEBUG: keystoneclient.session RESP: [200] CaseInsensitiveDict({'date': 'Tue, 25 Nov 2014 16:00:01 GMT', 'vary': 'X-Auth-Token', 'content-length': '392', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
  RESP BODY: {"users": [{"domain_id": "default", "name": "admin", "links": {"self": "http://controller:35357/v3/users/2581bd935d714ccda0b21c7f1a28deac"}, "id": "2581bd935d714ccda0b21c7f1a28deac", "enabled": true, "email": null, "default_project_id": "8397dc1d021e4eddbff77eca807a1555"}], "links": {"self": "http://controller:35357/v3/users?display_name=non-existent-user";, "previous": null, "next": null}}

  +--------------------+---------------------------------------------------------------------------------+
  | Field              | Value                                                                           |
  +--------------------+---------------------------------------------------------------------------------+
  | default_project_id | 8397dc1d021e4eddbff77eca807a1555                                                |
  | domain_id          | default                                                                         |
  | email              | None                                                                            |
  | enabled            | True                                                                            |
  | id                 | 2581bd935d714ccda0b21c7f1a28deac                                                |
  | links              | {u'self': u'http://controller:35357/v3/users/2581bd935d714ccda0b21c7f1a28deac'} |
  | name               | admin                                                                           |
  +--------------------+---------------------------------------------------------------------------------+

  $ openstack user create test
  INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
  WARNING: keystoneclient.utils create takes at most 1 positional argument (2 given)
  INFO: urllib3.connectionpool Starting new HTTP connection (1): controller
  +-----------+---------------------------------------------------------------------------------+
  | Field     | Value                                                                           |
  +-----------+---------------------------------------------------------------------------------+
  | domain_id | default                                                                         |
  | enabled   | True                                                                            |
  | id        | d70192399e6a4b1cb3f0b91a1002cccf                                                |
  | links     | {u'self': u'http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf'} |
  | name      | test                                                                            |
  +-----------+---------------------------------------------------------------------------------+

  $ openstack -v user show non-existent-user
  [some output removed]
  DEBUG: urllib3.connectionpool "GET /v3/users?display_name=non-existent-user HTTP/1.1" 200 581
  DEBUG: keystoneclient.session RESP: [200] CaseInsensitiveDict({'date': 'Tue, 25 Nov 2014 16:01:24 GMT', 'vary': 'X-Auth-Token', 'content-length': '581', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
  RESP BODY: {"users": [{"domain_id": "default", "name": "admin", "links": {"self": "http://controller:35357/v3/users/2581bd935d714ccda0b21c7f1a28deac"}, "id": "2581bd935d714ccda0b21c7f1a28deac", "enabled": true, "email": null, "default_project_id": "8397dc1d021e4eddbff77eca807a1555"}, {"name": "test", "links": {"self": "http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf"}, "enabled": true, "id": "d70192399e6a4b1cb3f0b91a1002cccf", "domain_id": "default"}], "links": {"self": "http://controller:35357/v3/users?display_name=non-existent-user";, "previous": null, "next": null}}

  ERROR: openstack No user with a name or ID of 'non-existent-user' exists.
  DEBUG: openstackclient.shell clean_up ShowUser
  DEBUG: openstackclient.shell got an error: No user with a name or ID of 'non-existent-user' exists.

  $ openstack -v user show test
  [some output removed]
  DEBUG: urllib3.connectionpool "GET /v3/users?name=test HTTP/1.1" 200 297
  DEBUG: keystoneclient.session RESP: [200] CaseInsensitiveDict({'date': 'Tue, 25 Nov 2014 16:09:15 GMT', 'vary': 'X-Auth-Token', 'content-length': '297', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
  RESP BODY: {"users": [{"name": "test", "links": {"self": "http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf"}, "enabled": true, "id": "d70192399e6a4b1cb3f0b91a1002cccf", "domain_id": "default"}], "links": {"self": "http://controller:35357/v3/users?name=test";, "previous": null, "next": null}}

  +-----------+---------------------------------------------------------------------------------+
  | Field     | Value                                                                           |
  +-----------+---------------------------------------------------------------------------------+
  | domain_id | default                                                                         |
  | enabled   | True                                                                            |
  | id        | d70192399e6a4b1cb3f0b91a1002cccf                                                |
  | links     | {u'self': u'http://controller:35357/v3/users/d70192399e6a4b1cb3f0b91a1002cccf'} |
  | name      | test                                                                            |
  +-----------+---------------------------------------------------------------------------------+

  Another example:
  $ openstack group list
  [it's empty]

  $ openstack group create foo
  +-------------+----------------------------------------------------------------------------------+
  | Field       | Value                                                                            |
  +-------------+----------------------------------------------------------------------------------+
  | description |                                                                                  |
  | domain_id   | default                                                                          |
  | id          | 196a166fb05b47c594b7a3ff76738787                                                 |
  | links       | {u'self': u'http://controller:35357/v3/groups/196a166fb05b47c594b7a3ff76738787'} |
  | name        | foo                                                                              |
  +-------------+----------------------------------------------------------------------------------+

  $ openstack group show bar
  +-------------+----------------------------------------------------------------------------------+
  | Field       | Value                                                                            |
  +-------------+----------------------------------------------------------------------------------+
  | description |                                                                                  |
  | domain_id   | default                                                                          |
  | id          | 196a166fb05b47c594b7a3ff76738787                                                 |
  | links       | {u'self': u'http://controller:35357/v3/groups/196a166fb05b47c594b7a3ff76738787'} |
  | name        | foo                                                                              |
  +-------------+----------------------------------------------------------------------------------+

  $ openstack group delete foo

  $ openstack group show bar
  ERROR: openstack No group with a name or ID of 'bar' exists.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1396228/+subscriptions


Follow ups

References