
yahoo-eng-team team mailing list archive

[Bug 1577804] [NEW] /v3/users?name=<name> bypasses user_filter for LDAP

 

Public bug reported:

Using the LDAP driver with user_filter, a GET /v3/users?name=<name>
returns users that do not match the filter.

e.g.:

user_filter = (|(uid=arc1_admin)(uid=arc1_stgmgr))

# openstack user list
+----------------------------------------------------------------+-------------+
| ID                                                             | Name        |
+----------------------------------------------------------------+-------------+
| 91476076d6686143dff68d08e87358a29daf0725c549008f9c0852d2c7ab8e | arc1_admin  |
| 42                                                             |             |
| 8c1beab95fc4c2b009383827f1ea1ec2880fa6eb5bbe42aebd43aab21ad685 | arc1_stgmgr |
| b2                                                             |             |
+----------------------------------------------------------------+-------------+


# openstack user show arc1_dep
+-----------+------------------------------------------------------------------+
| Field     | Value                                                            |
+-----------+------------------------------------------------------------------+
| domain_id | default                                                          |
| id        | 631bbab78e33e554bc6c7fd53071c6e046fd37680b1b154261bd6183b123e8b0 |
| name      | arc1_dep                                                         |
+-----------+------------------------------------------------------------------+

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1577804

Title:
  /v3/users?name=<name> bypasses user_filter for LDAP

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1577804/+subscriptions
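
Added example (not part of the original report and not keystone code): a sketch of how a lookup by name can honour the configured user_filter by ANDing the two filters, run against a constructed directory holding the three names from the report. The `name_attr="uid"` mapping, the helper names and the minimal filter evaluator are assumptions made for illustration.

```python
import re

# Constructed data and a minimal filter evaluator (equality, & and | only).
# Assumption: the user name is stored in "uid", as in the report's filter.

def escape(value):
    """Escape RFC 4515 special characters in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def name_query(name, user_filter=None, name_attr="uid"):
    """Filter for a lookup by name; user_filter, when set, is ANDed in."""
    q = "(%s=%s)" % (name_attr, escape(name))
    return "(&%s%s)" % (user_filter, q) if user_filter else q

def parse(f, i=0):
    """Parse the parenthesised filter at f[i]; return (node, next index)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr, unescape(val)), end + 1

def matches(node, entry):
    if node[0] == "=":
        return entry.get(node[1]) == node[2]
    hits = [matches(kid, entry) for kid in node[1]]
    return all(hits) if node[0] == "&" else any(hits)

def search(directory, flt):
    tree, _ = parse(flt)
    return [e["uid"] for e in directory if matches(tree, e)]

DIRECTORY = [{"uid": "arc1_admin"}, {"uid": "arc1_stgmgr"}, {"uid": "arc1_dep"}]
USER_FILTER = "(|(uid=arc1_admin)(uid=arc1_stgmgr))"

if __name__ == "__main__":
    print("list:            ", search(DIRECTORY, USER_FILTER))
    print("name only:       ", search(DIRECTORY, name_query("arc1_dep")))
    print("name AND filter: ", search(DIRECTORY, name_query("arc1_dep", USER_FILTER)))
```

The name-only query reproduces the reported symptom on the constructed data; the ANDed query returns nothing for arc1_dep while still resolving the two users the filter allows.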

