
yahoo-eng-team team mailing list archive

[Bug 1701324] Re: Removing duplicated items doesn't work in case of federations

 

Reviewed:  https://review.openstack.org/494049
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=058a23c0873723d5a4ffa8e99121f7b3b4485db5
Submitter: Jenkins
Branch:    master

commit 058a23c0873723d5a4ffa8e99121f7b3b4485db5
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Tue Aug 1 16:03:53 2017 +0000

    Remove duplicate roles from federated auth
    
    We were using a one-liner to prune duplicate role references from a
    list of roles, but it didn't work in all cases. This reworks the
    logic to pass the existing test case. I also added a comment
    explaining why the logic we used previously doesn't work so we can
    hopefully avoid the pattern in the future.
    
    Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
    Closes-Bug: 1701324


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1701324

Title:
  Removing duplicated items doesn't work in case of federations

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In commit eed233cac8f34ce74a2f6fa989c484773c491df3 "Concrete role assignments for federated users", handling of federation-related objects was added. In that implementation objects like roles, projects and domains were aggregated from 2 sources - from the appropriate tables directly and from federation-related hooks.
  This mechanism can lead to a situation where there's duplication of objects, so for such cases code for filtering out duplicates was added.

  It was implemented in the following way:

  domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]

  where domains is a list of dicts, each of which contains information
  about the appropriate domain. This code can work fine in some situations
  but in general can work in a wrong way because the dict "items" method
  returns key-value pairs in arbitrary order according to
  https://docs.python.org/2/library/stdtypes.html#dict.items. So, this
  code may leave unchanged a list of 2 similar dicts whose items are
  listed in a different order.

  This code was introduced in upstream Thu Feb 25 21:39:15 2016, so it
  seems that this code remains in newton and ocata and master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1701324/+subscriptions
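
The failure described in the bug report, reproduced as an added example (this is not keystone's code and not the fix from the commit above). The function names and the sample role refs are constructed for illustration, and the order-independent version assumes every ref is JSON-serializable with string keys.

```python
import json


def dedupe_by_item_tuple(refs):
    """The pattern from the bug report: key each dict by tuple(d.items())."""
    return [dict(t) for t in set([tuple(d.items()) for d in refs])]


def dedupe_order_independent(refs):
    """Drop duplicate dicts regardless of key order, keeping first-seen order."""
    seen = set()
    unique = []
    for ref in refs:
        # sort_keys yields one canonical string per dict content, so two
        # refs that differ only in key order map to the same key. It also
        # copes with nested values (lists, dicts) that cannot be hashed.
        key = json.dumps(ref, sort_keys=True)
        if key not in seen:
            seen.add(key)
            unique.append(ref)
    return unique


# Constructed sample: the same role arriving from two sources, with the
# keys populated in a different order, plus one distinct role.
ROLES = [
    {"id": "r1", "name": "admin"},
    {"name": "admin", "id": "r1"},
    {"id": "r2", "name": "member"},
]

if __name__ == "__main__":
    # The item-tuple approach sees two different tuples for role r1 and
    # keeps both copies.
    print(len(dedupe_by_item_tuple(ROLES)))
    # The canonical-key approach collapses them into one entry.
    print(dedupe_order_independent(ROLES))
```

For an access-control path, the useful regression test is the one above: feed the deduplication step two equal refs whose keys were populated in a different order and assert that only one survives.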

