yahoo-eng-team team mailing list archive

[Bug 1313956] Re: Keystone adds role to non-existing user in specific tenant by API

V2 is deprecated and this behavior has been supported (intentional or
not). We can't really fix it; it will go away with the V2 API being
dropped.

** Changed in: keystone
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1313956

Title:
  Keystone adds role to non-existing user in specific tenant by API

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  Icehouse, discovered during tempest testing:

  Scenario is adding role to non-existing user in specific tenant:

  Tenant-id = 2775ce375d624735b49347cdac41a946
  Role-id = 9fe2ff9ee4384b1894a90878d3e92bab
  User-id is some junk, like: junk-user-id-2999

  The problem exists only in API requests; the CLI command reports an error:
   
  @all-in-one:~# keystone user-role-add --user user-junk-id-101010 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 2775ce375d624735b49347cdac41a946
  No user with a name or ID of 'user-junk-id-101010' exists.

  With API:
   
  1) Authenticate and get token:
  curl -d '{"auth":{"tenantName": "openstack", "passwordCredentials": {"username": "admin", "password": "admin_password"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens > /tmp/aaa
  sed -i 's/.*"id": "\(.\+\)==.*/\1==/g' /tmp/aaa
   
  2) Add existing role in existing tenant to non-existing user "junk-user-id-2999":
  curl -i -H "X-Auth-Token:`cat /tmp/aaa`" -X PUT http://localhost:35357/v2.0//tenants/2775ce375d624735b49347cdac41a946/users/junk-user-id-2999/roles/OS-KSADM/9fe2ff9ee4384b1894a90878d3e92bab
   
  output means success:
  {"role": {"enabled": "True", "description": "Default role for project membership", "name": "_member_", "id": "9fe2ff9ee4384b1894a90878d3e92bab"}}
   
  3) repeat the last request and get output:
  {"error": {"message": "Conflict occurred attempting to store role grant. User junk-user-id-2999 already has role 9fe2ff9ee4384b1894a90878d3e92bab in tenant 2775ce375d624735b49347cdac41a946", "code": 409, "title": "Conflict"}}
   
  Seems like the user is self-added,
  although there are no such users in this tenant:
  curl  -H "X-Auth-Token:`cat /tmp/aaa`"  http://localhost:35357/v2.0/tenants/2775ce375d624735b49347cdac41a946/users
  --- no junk-user-id-2999 here ---

  Seems like there is no user ID check in the API.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1313956/+subscriptions
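The report above shows the v2.0 PUT ...users/{user}/roles/OS-KSADM/{role} call succeeding for a user ID that does not exist, and the reply that it will not be fixed in V2. The following is an added example (not code from the bug report, from Keystone, or from the Yahoo! team) of the two things an operator can do on their own side while V2 is still in use: wrap the grant with an explicit GET /v2.0/users/{id} lookup so junk IDs are refused before the PUT is sent, and audit existing grants for user IDs that no longer resolve. The InMemoryKeystone class is a constructed stand-in for the server that reproduces the reported behaviour (unchecked PUT, 409 on repeat); the tenant, role and junk user IDs are the ones quoted in the report, and ADMIN_ID is a constructed placeholder.

```python
import re
from dataclasses import dataclass, field

TENANT_ID = "2775ce375d624735b49347cdac41a946"   # from the report
ROLE_ID = "9fe2ff9ee4384b1894a90878d3e92bab"     # from the report
ADMIN_ID = "constructed-admin-user-id"           # constructed placeholder

ROLE_URL = re.compile(
    r"^/v2\.0/tenants/(?P<tenant>[^/]+)/users/(?P<user>[^/]+)"
    r"/roles/OS-KSADM/(?P<role>[^/]+)$")
USER_URL = re.compile(r"^/v2\.0/users/(?P<user>[^/]+)$")


class KeystoneError(Exception):
    """Stand-in for the {"error": {"code": ..., "message": ...}} reply body."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


@dataclass
class InMemoryKeystone:
    """Constructed fake of the two v2.0 admin endpoints used here. Like the
    Icehouse behaviour in the report, PUT on the role URL stores the grant
    without checking that the user exists; only GET /v2.0/users/{id} does."""
    users: dict = field(default_factory=dict)   # user_id -> user name
    grants: set = field(default_factory=set)    # (tenant_id, user_id, role_id)

    def get(self, path):
        m = USER_URL.match(path)
        if m and m["user"] in self.users:
            return {"user": {"id": m["user"], "name": self.users[m["user"]]}}
        raise KeystoneError(404, "Could not find user.")

    def put(self, path):
        m = ROLE_URL.match(path)
        if not m:
            raise KeystoneError(404, "The resource could not be found.")
        key = (m["tenant"], m["user"], m["role"])
        if key in self.grants:   # second PUT gives the 409 seen in step 3
            raise KeystoneError(409, f"User {m['user']} already has role "
                                     f"{m['role']} in tenant {m['tenant']}")
        self.grants.add(key)     # no user existence check, as reported
        return {"role": {"id": m["role"], "name": "_member_"}}


def user_exists(client, user_id):
    """True if GET /v2.0/users/{id} resolves; a 404 means it does not."""
    try:
        client.get(f"/v2.0/users/{user_id}")
        return True
    except KeystoneError as err:
        if err.code == 404:
            return False
        raise


def grant_role_checked(client, tenant_id, user_id, role_id):
    """Client-side guard: refuse the grant unless the user ID resolves."""
    if not user_exists(client, user_id):
        raise ValueError(f"refusing role grant: user {user_id!r} does not exist")
    return client.put(
        f"/v2.0/tenants/{tenant_id}/users/{user_id}/roles/OS-KSADM/{role_id}")


def dangling_grants(client, grants):
    """Audit: return grants whose user ID no longer resolves, e.g. those
    stored through the unchecked v2 PUT described in the report."""
    return sorted(g for g in grants if not user_exists(client, g[1]))


def demo():
    ks = InMemoryKeystone(users={ADMIN_ID: "admin"})
    # Raw PUT succeeds for a junk user, exactly as in step 2 of the report.
    ks.put(f"/v2.0/tenants/{TENANT_ID}/users/junk-user-id-2999"
           f"/roles/OS-KSADM/{ROLE_ID}")
    # The guarded call refuses the same grant before anything is sent.
    try:
        grant_role_checked(ks, TENANT_ID, "junk-user-id-2999", ROLE_ID)
        refused = False
    except ValueError:
        refused = True
    # A real user is granted normally.
    grant_role_checked(ks, TENANT_ID, ADMIN_ID, ROLE_ID)
    return refused, dangling_grants(ks, ks.grants)


if __name__ == "__main__":
    print(demo())
```

Against a live deployment the same two functions work unchanged if `client.get`/`client.put` are implemented over HTTP with the X-Auth-Token header from step 1; the audit is the useful half, since grants that already slipped in through the unchecked PUT stay in the assignment table until someone looks for them.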

