yahoo-eng-team team mailing list archive
Message #64250
[Bug 1693510] [NEW] GET /v3/role_assignments?effective&include_names API is blocked with 404 error when a group doesn't exist in identity backend
Public bug reported:
In an environment with an LDAP server as the identity backend, consider
an LDAP group, say "fakeGroup2", containing some users, that is assigned
a role, which inserts records in the keystone.assignment table. After a
while, if an admin removes that group from the identity backend, the role
assignment still persists in the keystone.assignment table for that group.

So when someone invokes [0], in the flow [1] of getting effective role
assignments, since group "fakeGroup2" doesn't exist in LDAP, it throws
"Could not find group: fakeGroup2" with a 404 error, which we need to
handle by displaying the other role_assignments instead of a NotFound
error.
[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
[1]
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L923
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L839
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L467 >> here it is trying to get the users for each of the LDAP groups.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L128
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L449 >> since the group is removed from the LDAP backend, it is throwing exception.GroupNotFound.
** Affects: keystone
Importance: Undecided
Assignee: prashkre (prashkre)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1693510
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1693510/+subscriptions
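
The failure reported above and the requested behaviour, as an added example that is not part of the original message and is not keystone's code: a group row in the assignment table outlives its LDAP group, so expanding it to users either fails the whole listing or is skipped and reported. All names and the sample data (`BACKEND_GROUPS`, `ASSIGNMENTS`, `effective_assignments`, `tolerate_missing_groups`) are hypothetical and constructed for illustration.

```python
import logging

LOG = logging.getLogger(__name__)


class GroupNotFound(Exception):
    """Stand-in for the backend's 'Could not find group' (HTTP 404) error."""


# Constructed sample data: group -> members as the identity backend sees them.
# "fakeGroup2" has been deleted from the backend, so it is absent here.
BACKEND_GROUPS = {"devs": ["alice", "bob"]}

# Constructed rows standing in for the assignment table; the fakeGroup2 row
# outlived its group.
ASSIGNMENTS = [
    {"group_id": "devs", "role_id": "member", "project_id": "proj1"},
    {"group_id": "fakeGroup2", "role_id": "admin", "project_id": "proj1"},
    {"user_id": "carol", "role_id": "reader", "project_id": "proj1"},
]


def list_users_in_group(group_id):
    try:
        return BACKEND_GROUPS[group_id]
    except KeyError:
        raise GroupNotFound("Could not find group: %s" % group_id) from None


def effective_assignments(rows, tolerate_missing_groups):
    """Expand group rows into per-user rows; return (effective, stale)."""
    effective, stale = [], []
    for row in rows:
        if "group_id" not in row:
            effective.append(dict(row))  # direct user assignment, keep as is
            continue
        try:
            members = list_users_in_group(row["group_id"])
        except GroupNotFound:
            if not tolerate_missing_groups:
                raise  # reported behaviour: one stale row fails the listing
            LOG.warning("stale assignment for missing group %s", row["group_id"])
            stale.append(row)  # surfaced so an operator can clean it up
            continue
        for user_id in members:
            effective.append({"user_id": user_id, "role_id": row["role_id"],
                              "project_id": row["project_id"]})
    return effective, stale
```

Returning the stale rows separately keeps the orphaned grant visible for cleanup instead of silently dropping it from the response.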