yahoo-eng-team team mailing list archive

[Bug 1614069] [NEW] API v2.0 responds with HTTP 200 when trying to add a non-existent user to a project

 

Public bug reported:

We have a service which communicates with Keystone using python-keystoneclient.
Part of our tests is to check whether it's possible to add a non-existent user to a project (it should not be possible).

I figured out that Keystone responds with HTTP 200, but it should never
respond with this status according to the documentation
(http://developer.openstack.org/api-ref/identity/v2-ext/?expanded=grant-roles-to-user-on-tenant-detail#grant-roles-to-user-on-tenant)

Keystone Client Log:
DEBUG:keystoneclient.session:REQ: curl -g -i --insecure -X PUT http://127.0.0.1:35357/v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}dae012b5d2ca99a1e131a81b73204d813a569e7f" 
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1
DEBUG:requests.packages.urllib3.connectionpool:"PUT /v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da HTTP/1.1" 200 89
DEBUG:keystoneclient.session:RESP: [200] Content-Length: 89 Vary: X-Auth-Token X-Distribution: Ubuntu Connection: keep-alive Date: Wed, 17 Aug 2016 07:58:59 GMT Content-Type: application/json X-Openstack-Request-Id: req-2421f330-047b-4ff4-b7f6-25e05c4caeab
RESP BODY: {"role": {"domain_id": null, "id": "2ed67dc256b34dd7a541fdce54e545da", "name": "Member"}


Keystone Server Log:
2016-08-17 07:58:59.710 4668 INFO keystone.common.wsgi [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] PUT http://127.0.0.1:35357/v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da
2016-08-17 07:58:59.711 4668 WARNING oslo_log.versionutils [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] Deprecated: add_role_to_user of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.
2016-08-17 07:58:59.726 4668 INFO eventlet.wsgi.server [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] 10.0.2.2 - - [17/Aug/2016 07:58:59] "PUT /v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da HTTP/1.1" 200 331 0.018315


I had a look into the Keystone SQLite Database and found the entries with the user id "doesnotexist".

sqlite3 /var/lib/keystone/keystone.db
sqlite> select * from assignment;
UserProject|b637d008b0e74086be5bf6636fa3f2ca|ad3471d18b2540e18ddb6afab29e5cb4|d170e6a8308a479cba94a95ca81c44d6|0
UserProject|a4865b8650424959bff41b91a01d0003|bef96294e70343eda7a329b76ee65100|2ed67dc256b34dd7a541fdce54e545da|0
UserProject|doesnotexist|bef96294e70343eda7a329b76ee65100|2ed67dc256b34dd7a541fdce54e545da|0
UserProject|a9532223c86c4d6aa6ac04453a95c7c4|70b794a5cbd1408a90b59da8cfa68cf1|2ed67dc256b34dd7a541fdce54e545da|0
UserProject|doesnotexist|70b794a5cbd1408a90b59da8cfa68cf1|2ed67dc256b34dd7a541fdce54e545da|0


Used Versions:
OS: Ubuntu 16.04
Keystone: 9.0.0
python-keystoneclient: 3.4.0

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1614069


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1614069/+subscriptions
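
An audit for the orphaned grants shown in the report, plus a grant routine that validates the user before writing, as an added example that is not part of the original bug report and is not Keystone's code. The column names, the `user` table, its contents and all function names are assumptions; the sample rows are constructed from IDs quoted in the report.

```python
import sqlite3

# Assumed schema: column names are modelled on the five pipe-separated
# fields shown in the report's `select * from assignment` output.
SCHEMA = """
CREATE TABLE user (id TEXT PRIMARY KEY);
CREATE TABLE assignment (
    type TEXT, actor_id TEXT, target_id TEXT, role_id TEXT, inherited INTEGER,
    PRIMARY KEY (type, actor_id, target_id, role_id, inherited)
);
"""
ROLE = "2ed67dc256b34dd7a541fdce54e545da"
P1 = "bef96294e70343eda7a329b76ee65100"
P2 = "70b794a5cbd1408a90b59da8cfa68cf1"

def build_sample_db():
    """In-memory database with constructed rows based on the report."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Assumption: these two IDs belong to real users.
    real = ["a4865b8650424959bff41b91a01d0003", "a9532223c86c4d6aa6ac04453a95c7c4"]
    db.executemany("INSERT INTO user VALUES (?)", [(u,) for u in real])
    rows = [(real[0], P1), ("doesnotexist", P1), (real[1], P2), ("doesnotexist", P2)]
    db.executemany("INSERT INTO assignment VALUES ('UserProject', ?, ?, ?, 0)",
                   [(actor, target, ROLE) for actor, target in rows])
    return db

def orphan_user_assignments(db):
    """Return (actor_id, target_id, role_id) for user grants with no user row."""
    return db.execute("""
        SELECT a.actor_id, a.target_id, a.role_id
        FROM assignment a LEFT JOIN user u ON u.id = a.actor_id
        WHERE a.type LIKE 'User%' AND u.id IS NULL
        ORDER BY a.target_id""").fetchall()

def grant_role(db, user_id, project_id, role_id):
    """Grant that checks the actor exists first, unlike the behaviour reported."""
    found = db.execute("SELECT 1 FROM user WHERE id = ?", (user_id,)).fetchone()
    if found is None:
        # An API layer would turn this into an error response, not a 200.
        raise LookupError(f"user {user_id!r} not found")
    db.execute("INSERT OR IGNORE INTO assignment VALUES ('UserProject', ?, ?, ?, 0)",
               (user_id, project_id, role_id))

if __name__ == "__main__":
    for row in orphan_user_assignments(build_sample_db()):
        print("orphan grant:", row)
```

Where users live in an external identity backend such as LDAP, they are not in the local SQL table, so the join has to be replaced by a lookup against that backend.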