
yahoo-eng-team team mailing list archive

[Bug 1693510] Re: GET /v3/role_assignments?effective&include_names API is blocked with 404 error when a group doesn't exists in identity backend

 

** Changed in: keystone
    Milestone: None => pike-1

** Also affects: keystone/ocata
   Importance: Undecided
       Status: New

** Changed in: keystone/ocata
     Assignee: (unassigned) => prashkre (prashkre)

** Changed in: keystone
   Importance: Undecided => Low

** Changed in: keystone
   Importance: Low => Medium

** Changed in: keystone/ocata
   Importance: Undecided => Medium

** Changed in: keystone/ocata
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1693510

Title:
  GET /v3/role_assignments?effective&include_names API is blocked with
  404 error when a group doesn't exists in identity backend

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) ocata series:
  In Progress

Bug description:
  In an environment with an LDAP server as the identity backend,
  consider an LDAP group, say "fakeGroup2", containing some users, that
  is assigned a role, which inserts records in the keystone.assignment
  table. After a while, if an admin removes that group from the identity
  backend, the role assignment still persists in the keystone.assignment
  table for that group.

  So when someone invokes [0], in the flow [1] of getting effective role
  assignments, since group "fakeGroup2" doesn't exist in LDAP, it
  throws "Could not find group: fakeGroup2" with a 404 error, which we
  need to handle by displaying the other role_assignments instead of a
  NotFound error.

  [0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
  [1]
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L923
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L839
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L467 >> here it is trying to get the users for each of the LDAP groups.
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L128
  https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L449 >> since the group is removed from ldap backend, it is throwing exception.GroupNotFound.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1693510/+subscriptions
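
The failure mode from the bug description, as an added example that is not keystone's code or the released fix: one stale group row aborts the whole effective-assignment listing unless the missing group is tolerated and reported for cleanup. All function names and sample data below are hypothetical and constructed for illustration.

```python
class GroupNotFound(Exception):
    """Stand-in for keystone's exception.GroupNotFound (illustrative only)."""

# Constructed sample data: identity backend (LDAP) contents after an admin
# deleted "fakeGroup2". Maps group id -> member user ids.
LDAP_GROUPS = {"fakeGroup1": ["alice", "bob"]}

# Constructed rows standing in for the keystone.assignment table.
ASSIGNMENTS = [
    {"user_id": "carol", "project_id": "proj1", "role_id": "admin"},
    {"group_id": "fakeGroup1", "project_id": "proj1", "role_id": "member"},
    {"group_id": "fakeGroup2", "project_id": "proj1", "role_id": "member"},  # stale
]

def list_users_in_group(group_id):
    """Hypothetical backend lookup; raises like the LDAP driver in the report."""
    if group_id not in LDAP_GROUPS:
        raise GroupNotFound("Could not find group: %s" % group_id)
    return LDAP_GROUPS[group_id]

def effective_assignments(rows, tolerate_missing):
    """Expand group rows into per-user rows.

    Returns (effective_rows, orphaned_group_rows). With tolerate_missing=False
    a single stale row aborts the whole listing, as described in the report.
    """
    effective, orphaned = [], []
    for row in rows:
        if "user_id" in row:
            effective.append(dict(row))
            continue
        try:
            members = list_users_in_group(row["group_id"])
        except GroupNotFound:
            if not tolerate_missing:
                raise
            orphaned.append(row)  # keep for audit/cleanup instead of failing
            continue
        for user_id in members:
            effective.append({"user_id": user_id, "project_id": row["project_id"],
                              "role_id": row["role_id"], "via_group": row["group_id"]})
    return effective, orphaned

if __name__ == "__main__":
    rows, stale = effective_assignments(ASSIGNMENTS, tolerate_missing=True)
    print(len(rows), "effective assignments; orphaned:", [r["group_id"] for r in stale])
```

The orphaned list is the part worth keeping in an audit job: those rows still grant a role to whatever group is later created with the same identifier.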

