
yahoo-eng-team team mailing list archive

[Bug 1479837] Re: improper handling non existing identity providers

 

@steve I have tracked the implementation of 'openstack identity provider show idontexist'
and compared it with the implementation of 'openstack user show admin', and found that it is really
a server side issue.

Since typing 'openstack identity provider show <name>', whatever the <name> is, returns
the result as the implementation of 'openstack identity provider list'. The cmd 'show' actually
implements the function 'openstack.common.utils.find_resources':

def find_resource(manager, name_or_id, **kwargs):
    """Helper for the _find_* methods.

    This method will attempt to find a resource in a variety of ways.
    Primarily .get() methods will be called with `name_or_id` as an integer
    value, and tried again as a string value.

    If both fail, then a .find() is attempted, which is essentially calling
    a .list() function with a 'name' query parameter that is set to
    `name_or_id`.

    Lastly, if any kwargs are passed in, they will be treated as additional
    query parameters. This is particularly handy in the case of finding
    resources in a domain.

    """

just as the docstring says:

1>get('idontexist')   fail
it equals:
$curl -s -X GET http://192.168.0.2:35357/v3/OS-FEDERATION/identity_providers/idontexist \
     -H "Content-Type: application/json" \
     -H "Accept: application/json" \
     -H "X-Auth-Token: da4834b6d8f041b291c1a1087efe558f"


2>find('idontexist')    success and return
it equals:
$curl -s -X GET "http://192.168.0.2:35357/v3/OS-FEDERATION/identity_providers?name=idontexist" \
     -H "Content-Type: application/json" \
     -H "Accept: application/json" \
     -H "X-Auth-Token: da4834b6d8f041b291c1a1087efe558f"

-----------------------------------------------------------------------------------------------
See another cmd:

$openstack identity provider list
+-----+---------+-------------+
| ID  | Enabled | Description |
+-----+---------+-------------+
| k2k | True    | None        |
| k3k | True    | None        |
+-----+---------+-------------+

See, the first column is 'ID', not 'Name'!
The server side has no data of 'Name',
so the 2> can exact match the query condition '?name=idontexist' and return all
 


** Also affects: keystone
   Importance: Undecided
       Status: New

** Also affects: python-keystoneclient
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1479837

Title:
  improper handling non existing identity providers

Status in Keystone:
  New
Status in python-keystoneclient:
  New
Status in python-openstackclient:
  New

Bug description:
  I've spotted something like this today:

  ubuntu@devstack:~$ openstack identity provider list
  +-----+---------+-------------+
  | ID  | Enabled | Description |
  +-----+---------+-------------+
  | k2k | True    | None        |
  +-----+---------+-------------+
  ubuntu@devstack:~$ openstack identity provider show idontexist
  +-------------+-------+
  | Field       | Value |
  +-------------+-------+
  | description | None  |
  | enabled     | True  |
  | id          | k2k   |
  | remote_ids  | []    |
  +-------------+-------+
  ubuntu@devstack:~$ 


  
  What's more, I can see such a log in my keystone server:

  2015-07-30 14:53:17.174908 14054 INFO keystone.common.wsgi [-] GET
  http://128.142.132.173:35357/v3/OS-FEDERATION/identity_providers?name=idontexist
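
The lookup sequence walked through in the comment above, as an added example (not code from python-openstackclient or keystone): a stand-in manager that ignores the unsupported `name` filter, a lookup that trusts the filtered list, and one that re-checks the match on the client side. All class names, function names and the sample data are hypothetical.

```python
# Added illustration; FakeIdPManager and both helpers are hypothetical
# models of the behaviour reported in this bug, not project code.

class NotFound(Exception):
    pass

class FakeIdPManager:
    """Models a server that stores only `id` and silently ignores
    query filters it does not support (assumed filter set below)."""
    SUPPORTED_FILTERS = {"id", "enabled"}

    def __init__(self, providers):
        self._providers = providers  # constructed sample data

    def get(self, idp_id):
        for p in self._providers:
            if p["id"] == idp_id:
                return p
        raise NotFound(idp_id)

    def list(self, **filters):
        # Unknown filters such as `name` are dropped, so everything matches.
        known = {k: v for k, v in filters.items() if k in self.SUPPORTED_FILTERS}
        return [p for p in self._providers
                if all(p.get(k) == v for k, v in known.items())]

def find_resource_naive(manager, name_or_id):
    """get(), then list(name=...), trusting whatever the server returns."""
    try:
        return manager.get(name_or_id)
    except NotFound:
        matches = manager.list(name=name_or_id)
    if len(matches) == 1:
        return matches[0]
    raise NotFound(name_or_id)

def find_resource_checked(manager, name_or_id):
    """Same lookup, but re-apply the filter locally before trusting it."""
    try:
        return manager.get(name_or_id)
    except NotFound:
        matches = [r for r in manager.list(name=name_or_id)
                   if name_or_id in (r.get("id"), r.get("name"))]
    if len(matches) == 1:
        return matches[0]
    raise NotFound(name_or_id)

IDPS = [{"id": "k2k", "enabled": True, "description": None, "remote_ids": []}]
```

With a single provider registered, the naive lookup returns `k2k` for `idontexist`, matching the output in the bug description; the checked lookup raises `NotFound`.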
