yahoo-eng-team team mailing list archive

[Bug 1684820] [NEW] GET /role_assignments?include_names API is blocked with 404 error when a user doesn't exist in identity backend

 

Public bug reported:

In an environment like an LDAP server as the identity backend, where users
are assigned roles, it inserts records in the keystone.assignment table.
After a while, if an admin removes one of the users, say "user1", from the
identity backend, the role assignment still persists in the
keystone.assignment table for "user1".

So when someone invokes [0], it fetches all role assignments at [1],
then tries to get usernames at [2] by iterating through each of the
user_id values in the resultant role assignments at [3]. Since "user1"
doesn't exist, it throws "Could not find user: user1." with a 404 error,
which we need to handle.


[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
[1] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L918
[2] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L928
[3] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L941

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1684820
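
The failure mode reported above, reproduced as an added example that is not keystone's code and not the project's fix: a strict name lookup aborts the whole listing on one stale assignment, while a tolerant one keeps the row and reports it as orphaned. All names (`UserNotFound`, `get_user_name`, the `list_with_names_*` functions) and the sample data are hypothetical, and returning an empty `user_name` for a missing user is an assumption.

```python
class UserNotFound(Exception):
    """Stands in for the 404 'Could not find user' error (hypothetical)."""


# Constructed sample data: the identity backend (e.g. LDAP) no longer has user1.
IDENTITY_BACKEND = {"user2": "alice", "user3": "bob"}

# Constructed rows as they might remain in an assignment table.
ASSIGNMENTS = [
    {"user_id": "user1", "role_id": "admin", "project_id": "proj1"},
    {"user_id": "user2", "role_id": "member", "project_id": "proj1"},
    {"user_id": "user3", "role_id": "reader", "project_id": "proj1"},
]


def get_user_name(user_id, backend=IDENTITY_BACKEND):
    """Look a user up in the identity backend; raise if it was removed."""
    try:
        return backend[user_id]
    except KeyError:
        raise UserNotFound("Could not find user: %s." % user_id) from None


def list_with_names_strict(assignments):
    """Behaviour described in the report: one missing user fails every row."""
    return [dict(a, user_name=get_user_name(a["user_id"])) for a in assignments]


def list_with_names_tolerant(assignments):
    """Resolve names row by row; keep stale rows and collect them as orphans."""
    named, orphaned = [], []
    for a in assignments:
        try:
            named.append(dict(a, user_name=get_user_name(a["user_id"])))
        except UserNotFound:
            named.append(dict(a, user_name=""))  # assumption: blank name
            orphaned.append(a)
    return named, orphaned


if __name__ == "__main__":
    rows, stale = list_with_names_tolerant(ASSIGNMENTS)
    for row in rows:
        print(row)
    print("orphaned assignments:", [a["user_id"] for a in stale])
```

The orphan list doubles as an audit of role assignments that still reference users removed from the identity backend.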
