yahoo-eng-team team mailing list archive

[Bug 1684820] Re: GET /role_assignments?include_names API is blocked with 404 error when a user doesn't exist in identity backend

 

Reviewed:  https://review.openstack.org/458954
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0392b36a0d7d3e7cc479b357245da04c949924de
Submitter: Jenkins
Branch:    master

commit 0392b36a0d7d3e7cc479b357245da04c949924de
Author: Kristi Nikolla <knikolla@xxxxxx>
Date:   Fri Apr 21 15:31:49 2017 -0400

    Handle NotFound when listing role assignments for deleted users
    
    Keystone can use an external identity store for the users, and
    store assignments for these users in the SQL database that it
    manages. When a user has been deleted directly in the external
    identity store, these assignments will persist. Therefore when
    listing role assignments and asking for names to be included,
    keystone will try to get information of the user and fail with
    NotFound.
    
    This catches the NotFound exception of the get_user and get_group
    calls and fills the user values with an empty string.
    
    Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
    Closes-Bug: 1684820


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1684820

Title:
  GET /role_assignments?include_names API is blocked with 404 error when
  a user doesn't exist in identity backend

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In an environment with an LDAP server as the identity backend, where
  users are assigned roles, it inserts records in the keystone.assignment
  table. After a while, if an admin removes one of the users, say "user1",
  from the identity backend, the role assignment still persists in the
  keystone.assignment table for "user1".

  So when someone invokes [0], it fetches all role assignments at [1],
  then tries to get usernames at [2] by iterating through each of the
  user_id in the resultant role assignments at [3]. Since "user1" doesn't
  exist, it is throwing "Could not find user: user1." with a 404 error,
  which we need to handle.

  
  [0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
  [1] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L918
  [2] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L928
  [3] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L941

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1684820/+subscriptions
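
Added example, not part of the original notification and not keystone's code: a minimal model of the failure in the bug description and of the handling described in the commit message. The names UserNotFound, Directory, add_names_strict and add_names_tolerant are hypothetical, the sample data is constructed, and the list of orphaned user ids returned for operator review goes beyond what the commit describes.

```python
class UserNotFound(Exception):
    """Hypothetical stand-in for the NotFound raised by the identity backend."""


class Directory:
    """Constructed stand-in for an external identity store such as LDAP."""

    def __init__(self, users):
        self._users = dict(users)

    def get_user(self, user_id):
        if user_id not in self._users:
            raise UserNotFound(f"Could not find user: {user_id}.")
        return {"id": user_id, "name": self._users[user_id]}

    def delete_user(self, user_id):
        # Deletion in the directory does not touch the assignment rows.
        del self._users[user_id]


def add_names_strict(assignments, directory):
    """Reported behaviour: one missing user aborts the whole listing."""
    return [dict(a, user_name=directory.get_user(a["user_id"])["name"])
            for a in assignments]


def add_names_tolerant(assignments, directory):
    """Commit-message behaviour: an empty name when the user is not found.

    The second return value (orphaned user ids) is an extra of this example.
    """
    named, orphaned = [], []
    for a in assignments:
        try:
            name = directory.get_user(a["user_id"])["name"]
        except UserNotFound:
            name = ""
            orphaned.append(a["user_id"])
        named.append(dict(a, user_name=name))
    return named, orphaned


# Constructed sample data: assignment rows that outlive a deleted user.
ASSIGNMENTS = [
    {"user_id": "user1", "role_id": "admin", "project_id": "proj1"},
    {"user_id": "user2", "role_id": "member", "project_id": "proj1"},
]
DIRECTORY = Directory({"user1": "alice", "user2": "bob"})
DIRECTORY.delete_user("user1")
```

Entries that come back with an empty user_name correspond to assignment rows whose user no longer exists in the identity store, so the orphaned list is the set of rows to review for cleanup.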
