yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1690782] [NEW] Role assignment list with name resolution fails if a project contains a disabled AD user

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Lars Erik Pedersen <pedersen.larserik@xxxxxxxxx>
Date: Mon, 15 May 2017 10:21:19 -0000
Reply-to: Bug 1690782 <1690782@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

If you have configured keystone with an LDAP backend, and you have
project with a disabled AD user as a member, the "openstack role
assignment list --project <id> --names" command will fail with a HTTP
404 response, beacause it can't resolve the name of the disabled user.

Example:
larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e19671ed4f28bfd512 -f value
9fe2ff9ee4384b1894a90878d3e92bab 3e2e82db86d8423db18595a2a5dd926a  9a71b116d24747e19671ed4f28bfd512  False
9fe2ff9ee4384b1894a90878d3e92bab 83b6168d45c9362ce1ec257c224887428ba76d9f70d6f634c7ebb08b9cbd2cf3  9a71b116d24747e19671ed4f28bfd512  False

With --names:
larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e19671ed4f28bfd512 --names -f value
Could not find user: <redacted username> (HTTP 404) (Request-ID: req-b7389d49-d60d-49b1-a0af-dd9ced9ba3da)

What's kind of strange, is that the 404 response actually contains the
username it can't find.

python-keystone                     2:9.0.0-0ubuntu1~cloud0
python-keystoneclient               1:2.3.1-2~cloud0
python-openstackclient              2.3.0-2~cloud0

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1690782

Title:
  Role assignment list with name resolution fails if a project contains
  a disabled AD user

Status in OpenStack Identity (keystone):
  New

Bug description:
  If you have configured keystone with an LDAP backend, and you have
  project with a disabled AD user as a member, the "openstack role
  assignment list --project <id> --names" command will fail with a HTTP
  404 response, beacause it can't resolve the name of the disabled user.

  Example:
  larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e19671ed4f28bfd512 -f value
  9fe2ff9ee4384b1894a90878d3e92bab 3e2e82db86d8423db18595a2a5dd926a  9a71b116d24747e19671ed4f28bfd512  False
  9fe2ff9ee4384b1894a90878d3e92bab 83b6168d45c9362ce1ec257c224887428ba76d9f70d6f634c7ebb08b9cbd2cf3  9a71b116d24747e19671ed4f28bfd512  False

  With --names:
  larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e19671ed4f28bfd512 --names -f value
  Could not find user: <redacted username> (HTTP 404) (Request-ID: req-b7389d49-d60d-49b1-a0af-dd9ced9ba3da)

  What's kind of strange, is that the 404 response actually contains the
  username it can't find.

  python-keystone                     2:9.0.0-0ubuntu1~cloud0
  python-keystoneclient               1:2.3.1-2~cloud0
  python-openstackclient              2.3.0-2~cloud0

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1690782/+subscriptions

Follow ups

[Bug 1690782] Re: Role assignment list with name resolution fails if a project contains a disabled AD user
From: Lance Bragstad, 2017-07-25