yahoo-eng-team team mailing list archive

[Bug 1594284] [NEW] create user through API does not validate domain_id is properly written

 

Public bug reported:

When creating a new user using the API (not the CLI client or Horizon), it is
possible to pass a domain id which does not match the writing of the
domain id created, e.g. default -> Default or DEfauLT

In e.g. Liberty using keystone v2, this results in keystone user list
actions failing.

Reproduce with:

1) get token
$ export OS_TOKEN=`curl -si   -H "Content-Type: application/json"   -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "6e37dc4d28444c3a" }}}, "scope": { "project": { "name": "admin", "domain": { "id": "default" }}}}}' http://localhost:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'`

2) create user
$ curl -s  -H "X-Auth-Token: $OS_TOKEN"  -H "Content-Type: application/json"  -d '{"user": {"name": "newuser", "password": "changeme", "domain_id": "DEfauLT"}}'  http://localhost:5000/v3/users | python -mjson.tool
{
    "user": {
        "domain_id": "DEfauLT",
        "enabled": true,
        "id": "6553a3cd71794157bef20bc82c98e2b8",
        "links": {
            "self": "http://localhost:5000/v3/users/6553a3cd71794157bef20bc82c98e2b8"
        },
        "name": "newuser"
    }
}

3) use keystone v2 and query users
# openstack user list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-306fa0f5-6337-4206-ae91-27f382ca7166)

But getting token works as expected
# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-06-20T09:20:05Z             |
| id         | 4dd0f55bc2424c31a9c15d185c403dd5 |
| project_id | 211a8c1d7eaa4918a2bd5f2b6d7199ac |
| user_id    | 6553a3cd71794157bef20bc82c98e2b8 |
+------------+----------------------------------+

On liberty:
MariaDB [keystone]> select * from user where name='newuser2'\G;
*************************** 1. row ***************************
                id: 448f9bfc33dc443e9ec2d18cd16af9f7
              name: newuser2
             extra: {}
          password: $6$rounds=10000$HNeascl/YNVeJbGU$R4TnvjIbBPKs0YaVyeT6GCyHDz7Y.UFW141xF6f0YyZVXFKjgrA3EryqXoj6PdeNUku0v0Y85K.4FrSKYnmmo0
           enabled: 1
-->         domain_id: DEfauLT
default_project_id: NULL
1 row in set (0.00 sec)

Manual change of the domain_id in the DB is needed.

Remarks:
- create user using cli client verifies domain exists
- with Mitaka it is still possible to create user with mismatching domain_id, but so far no issues identified (little testing)

[root@rdo-mitaka ~(keystone_admin_v3)]# openstack user show 6553a3cd71794157bef20bc82c98e2b8
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | DEfauLT                          |
| enabled   | True                             |
| id        | 6553a3cd71794157bef20bc82c98e2b8 |
| name      | newuser                          |
+-----------+----------------------------------+

MariaDB [keystone]> select * from local_user where name='newuser'\G;
*************************** 1. row ***************************
       id: 11
  user_id: 6553a3cd71794157bef20bc82c98e2b8
domain_id: DEfauLT
     name: newuser

** Affects: keystone
     Importance: Undecided
     Assignee: Martin Schuppert (mschuppert)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Martin Schuppert (mschuppert)

https://bugs.launchpad.net/bugs/1594284
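
An added example, not part of the original report and not keystone code: a strict, case-sensitive domain_id check of the kind the report says the API lacks, plus an audit that finds already-stored rows needing the manual fix. The helper names are hypothetical; the row shape follows the columns in the SELECT output above, and the third sample row is constructed.

```python
# Added example, not keystone code. Row shapes mirror the columns shown in the
# report's SELECT output; the audit helpers themselves are hypothetical.

def _canonical_by_fold(known_domain_ids):
    """Map case-folded id -> list of real ids (more than one means ambiguous)."""
    folded = {}
    for domain_id in known_domain_ids:
        folded.setdefault(domain_id.casefold(), []).append(domain_id)
    return folded

def validate_domain_id(requested, known_domain_ids):
    """Accept a domain_id only on an exact, case-sensitive match."""
    if requested in known_domain_ids:
        return requested
    near = _canonical_by_fold(known_domain_ids).get(requested.casefold())
    if near:
        raise ValueError(f"domain_id {requested!r} differs only by case from {near}")
    raise ValueError(f"domain_id {requested!r} does not exist")

def audit_user_rows(user_rows, known_domain_ids):
    """Return (user_id, stored_domain_id, canonical_or_None) for every bad row.

    canonical is the exact id to write back when the mismatch is case-only and
    unambiguous; None means the row needs a human decision.
    """
    folded = _canonical_by_fold(known_domain_ids)
    findings = []
    for row in user_rows:
        stored = row["domain_id"]
        if stored in known_domain_ids:
            continue
        candidates = folded.get(stored.casefold(), [])
        canonical = candidates[0] if len(candidates) == 1 else None
        findings.append((row["id"], stored, canonical))
    return findings

# Domain ids as created; "default" is the id used in the report.
KNOWN_DOMAINS = {"default"}
# The first two ids and their domain_id come from the report; the third row is constructed.
SAMPLE_ROWS = [
    {"id": "6553a3cd71794157bef20bc82c98e2b8", "name": "newuser", "domain_id": "DEfauLT"},
    {"id": "448f9bfc33dc443e9ec2d18cd16af9f7", "name": "newuser2", "domain_id": "DEfauLT"},
    {"id": "constructed-admin-id", "name": "admin", "domain_id": "default"},
]

if __name__ == "__main__":
    for user_id, stored, canonical in audit_user_rows(SAMPLE_ROWS, KNOWN_DOMAINS):
        print(f"{user_id}: stored={stored!r} canonical={canonical!r}")
```
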
