yahoo-eng-team team mailing list archive

[Bug 1693510] Re: GET /v3/role_assignments?effective&include_names API is blocked with 404 error when a group doesn't exists in identity backend

 

Reviewed:  https://review.openstack.org/468103
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d09c337619fed8664272848abb3a1351dd5e4c85
Submitter: Jenkins
Branch:    master

commit d09c337619fed8664272848abb3a1351dd5e4c85
Author: prashkre <prashkre@xxxxxxxxxx>
Date:   Thu May 25 21:41:55 2017 +0530

    Handle group NotFound in effective assignment list
    
    When keystone is using an external identity backend such as LDAP for
    storing users and groups, but storing role assignments in the local db,
    and a group that has role assignments is deleted out-of-band, its
    assignments will still exist in the keystone database. If, after this,
    a user attempts to list effective role assignments, keystone will try
    to look up the group and fail with NotFound.
    
    This catches the NotFound exception of the list_users_in_group call and
    returns an empty user list so that the effective assignments list does
    not fail.
    
    Closes-Bug: 1693510
    Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1693510

Title:
  GET /v3/role_assignments?effective&include_names API is blocked with
  404 error when a group doesn't exists in identity backend

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In an environment with an LDAP server as the identity backend, consider
  an LDAP group, say "fakeGroup2", containing some users, that is assigned
  a role, which inserts records in the keystone.assignment table. After a
  while, if an admin removes that group from the identity backend, the role
  assignment still persists in the keystone.assignment table for that group.

  So when someone invokes [0], in the flow [1] of getting effective role
  assignments, since group "fakeGroup2" doesn't exist in LDAP, it throws
  "Could not find group: fakeGroup2" with a 404 error, which we need to
  handle by displaying the other role_assignments instead of a
  NotFound error.

  [0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
  [1]
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L923
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L839
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L467 >> here it is trying to get the users for each of the ldap group.
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L128
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L449 >> since the group is removed from ldap backend, it is throwing exception.GroupNotFound.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1693510/+subscriptions
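
The failure and the fix described in this notification, as an added example that is not part of the original message and is not keystone's code. It assumes a toy in-memory backend; only list_users_in_group and GroupNotFound are names taken from the page, every other name and all sample data are hypothetical. It also collects the ids of groups that no longer exist, so the stale assignment rows the bug description mentions can be reviewed.

```python
# Added illustration, not keystone code. Only list_users_in_group and
# GroupNotFound are names from the page; everything else is hypothetical.
class GroupNotFound(Exception):
    """Stand-in for keystone's exception.GroupNotFound."""


class FakeIdentityBackend:
    """Constructed stand-in for an external identity backend such as LDAP."""

    def __init__(self, groups):
        self._groups = groups  # group_id -> list of user ids

    def list_users_in_group(self, group_id):
        if group_id not in self._groups:
            raise GroupNotFound("Could not find group: %s" % group_id)
        return list(self._groups[group_id])


def expand_effective(assignments, identity, tolerate_missing=True):
    """Expand group assignments into per-user rows.

    Returns (effective, orphaned_group_ids). tolerate_missing=False reproduces
    the reported behaviour: one missing group aborts the whole listing.
    """
    effective, orphaned = [], []
    for a in assignments:
        if "group_id" not in a:
            effective.append(dict(a))
            continue
        try:
            users = identity.list_users_in_group(a["group_id"])
        except GroupNotFound:
            if not tolerate_missing:
                raise
            users = []  # vanished group contributes no effective assignments
            if a["group_id"] not in orphaned:
                orphaned.append(a["group_id"])
        for user_id in users:
            effective.append({"user_id": user_id, "role_id": a["role_id"],
                              "project_id": a["project_id"]})
    return effective, orphaned


# Constructed sample data: fakeGroup2 was removed from the backend out-of-band.
IDENTITY = FakeIdentityBackend({"fakeGroup1": ["alice", "bob"]})
ASSIGNMENTS = [
    {"user_id": "carol", "role_id": "admin", "project_id": "proj1"},
    {"group_id": "fakeGroup1", "role_id": "member", "project_id": "proj1"},
    {"group_id": "fakeGroup2", "role_id": "member", "project_id": "proj1"},
]
```

Calling expand_effective(ASSIGNMENTS, IDENTITY) returns the rows for carol, alice and bob plus ["fakeGroup2"] as the orphaned list; with tolerate_missing=False the same call raises GroupNotFound.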

