
yahoo-eng-team team mailing list archive

[Bug 1594284] Re: create user through API does not validate domain_id is properly written

 

Reviewed:  https://review.openstack.org/331567
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7df92f7b624500e24b71c4b2d516604e0edb52f2
Submitter: Jenkins
Branch:    master

commit 7df92f7b624500e24b71c4b2d516604e0edb52f2
Author: Martin Schuppert <mschuppert@xxxxxxxxxx>
Date:   Mon Jun 20 11:04:19 2016 +0200

    Verify domain_id when get_domain is being called
    
    When creating a user using the API it is possible to use a domain_id
    which does match the created domain_id since MySQL by default is not
    case sensitive and returns the domain_id as valid. In e.g.
    liberty this breaks cli keystone v2 user list actions when a user
    with a DEFaULt domain has been created.
    
    With this change the domain_id is being validated with what is
    provided with the API call in get_domain.
    
    Change-Id: I028b2add3067e6fb9aa3f33eb8fe10d8ebace006
    Closes-Bug: #1594284


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1594284

Title:
  create user through API does not validate domain_id is properly
  written

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When creating a new user using the API (not cli client or horizon) it is
  possible to pass a domain id which does not match the writing of the
  domain id created, e.g. default -> Default or DEfauLT

  In e.g. liberty using keystone v2, this causes keystone user list
  actions to fail.

  Reproduce with:

  1) get token
  $ export OS_TOKEN=`curl -si   -H "Content-Type: application/json"   -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "6e37dc4d28444c3a" }}}, "scope": { "project": { "name": "admin", "domain": { "id": "default" }}}}}' http://localhost:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'`

  2) create user
  $ curl -s  -H "X-Auth-Token: $OS_TOKEN"  -H "Content-Type: application/json"  -d '{"user": {"name": "newuser", "password": "changeme", "domain_id": "DEfauLT"}}'  http://localhost:5000/v3/users | python -mjson.tool
  {
      "user": {
          "domain_id": "DEfauLT",
          "enabled": true,
          "id": "6553a3cd71794157bef20bc82c98e2b8",
          "links": {
              "self": "http://localhost:5000/v3/users/6553a3cd71794157bef20bc82c98e2b8"
          },
          "name": "newuser"
      }
  }

  3) use keystone v2 and query users
  # openstack user list
  The request you have made requires authentication. (HTTP 401) (Request-ID: req-306fa0f5-6337-4206-ae91-27f382ca7166)

  But getting token works as expected
  # openstack token issue
  +------------+----------------------------------+
  | Field      | Value                            |
  +------------+----------------------------------+
  | expires    | 2016-06-20T09:20:05Z             |
  | id         | 4dd0f55bc2424c31a9c15d185c403dd5 |
  | project_id | 211a8c1d7eaa4918a2bd5f2b6d7199ac |
  | user_id    | 6553a3cd71794157bef20bc82c98e2b8 |
  +------------+----------------------------------+

  On liberty:
  MariaDB [keystone]> select * from user where name='newuser2'\G;
  *************************** 1. row ***************************
                  id: 448f9bfc33dc443e9ec2d18cd16af9f7
                name: newuser2
               extra: {}
            password: $6$rounds=10000$HNeascl/YNVeJbGU$R4TnvjIbBPKs0YaVyeT6GCyHDz7Y.UFW141xF6f0YyZVXFKjgrA3EryqXoj6PdeNUku0v0Y85K.4FrSKYnmmo0
             enabled: 1
  -->         domain_id: DEfauLT
  default_project_id: NULL
  1 row in set (0.00 sec)

  Manual change of the domain_id in the DB is needed.

  Remarks:
  - create user using cli client verifies domain exists
  - with Mitaka it is still possible to create user with mismatching domain_id, but so far no issues identified (little testing)

  [root@rdo-mitaka ~(keystone_admin_v3)]# openstack user show 6553a3cd71794157bef20bc82c98e2b8
  +-----------+----------------------------------+
  | Field     | Value                            |
  +-----------+----------------------------------+
  | domain_id | DEfauLT                          |
  | enabled   | True                             |
  | id        | 6553a3cd71794157bef20bc82c98e2b8 |
  | name      | newuser                          |
  +-----------+----------------------------------+

  MariaDB [keystone]> select * from local_user where name='newuser'\G;
  *************************** 1. row ***************************
         id: 11
    user_id: 6553a3cd71794157bef20bc82c98e2b8
  domain_id: DEfauLT
       name: newuser

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1594284/+subscriptions
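
Added example (not part of the original message and not keystone's own code): a sketch of the behaviour the report and commit describe, where a case-insensitive database lookup accepts "DEfauLT" for the domain stored as "default", next to a lookup that compares the returned id with the requested one, plus an audit query for rows already stored with a mismatched id. SQLite's COLLATE NOCASE stands in for MySQL's default collation; the schema, function names and DomainNotFound are assumptions made for illustration.

```python
import sqlite3

class DomainNotFound(Exception):
    """Hypothetical error type for this example."""

def make_db():
    # Constructed schema. COLLATE NOCASE on domain.id emulates the
    # case-insensitive matching the report attributes to MySQL defaults.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain (id TEXT COLLATE NOCASE PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE user (id TEXT PRIMARY KEY, name TEXT, domain_id TEXT)")
    db.execute("INSERT INTO domain VALUES ('default', 'Default')")
    return db

def get_domain_unchecked(db, domain_id):
    # Trusts the database match: 'DEfauLT' finds the row stored as 'default'.
    row = db.execute("SELECT id, name FROM domain WHERE id = ?", (domain_id,)).fetchone()
    if row is None:
        raise DomainNotFound(domain_id)
    return {"id": row[0], "name": row[1]}

def get_domain_verified(db, domain_id):
    # Same lookup, then an exact comparison in application code between the
    # stored id and the id supplied by the caller.
    domain = get_domain_unchecked(db, domain_id)
    if domain["id"] != domain_id:
        raise DomainNotFound(domain_id)
    return domain

def create_user(db, user_id, name, domain_id, lookup):
    lookup(db, domain_id)  # raises DomainNotFound if the domain is rejected
    db.execute("INSERT INTO user VALUES (?, ?, ?)", (user_id, name, domain_id))

def audit_mismatched_users(db):
    # Users whose domain_id matches a domain only when case is ignored:
    # the rows that need the manual correction mentioned in the report.
    return db.execute(
        "SELECT u.name, u.domain_id, d.id FROM user u JOIN domain d "
        "ON u.domain_id = d.id COLLATE NOCASE "
        "WHERE u.domain_id <> d.id COLLATE BINARY"
    ).fetchall()
```
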

