[LDAP] user_allow_create = False does not raise 403 Forbidden on POST /users
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Eric Brown | 2014.1
Bug Description
Calling POST /users on a pre-populated LDAP backend where user_allow_create = False and the specified user already exists causes a 409 Conflict to be returned instead of a quick 403 Forbidden before any work is done.
[Keystone debug log excerpt (2013-04-29 16:50:25), truncated in extraction: eventlet and keystone DEBUG lines for the POST request creating user "monitoring", one WARNING line, and the access-log entry from 127.0.0.1.]
Config:
user_tree_dn = CN=Users,
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_enabled_
user_enabled_mask = 2
user_enabled_
user_attribute_
user_allow_create = False
user_allow_update = False
user_allow_delete = False
Changed in keystone: | |
importance: | Undecided → Low |
status: | New → Triaged |
summary: |
- user_allow_create = False does not raise 403 Forbidden on POST /users
+ [LDAP] user_allow_create = False does not raise 403 Forbidden on POST /users |
Changed in keystone: | |
assignee: | nobody → Eric Brown (ericwb) |
status: | Triaged → In Progress |
Changed in keystone: | |
milestone: | none → icehouse-3 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | icehouse-3 → 2014.1 |
I think the problem is even worse when deleting a user with user_allow_delete = False. In this case, backends/ldap.py removes assignments, removes the user from any groups, removes the user from any projects, and then calls the base ldap/core.py to delete the user, which results in a 403 Forbidden. So the user_allow_delete check needs to happen sooner in the call.
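The ordering problem described in the bug report (409 before 403 on create) and in the comment above (cleanup work before 403 on delete) can be shown with a small model of a read-only identity backend. This is an added example, not keystone's code: the class names, the assignment bookkeeping and the sample directory are hypothetical and constructed here only to contrast the two orderings.

```python
"""
Added example (not keystone's code): a minimal model of an identity backend
showing why the position of the user_allow_create / user_allow_delete check
matters. The "before" ordering does an existence lookup (or cleanup work)
first, so a read-only backend answers 409 Conflict, or mutates related state,
before it finally refuses with 403. The "after" ordering refuses first.
All names here are hypothetical.
"""


class Conflict(Exception):
    status = 409


class Forbidden(Exception):
    status = 403


class ReadOnlyBackendBefore:
    """Buggy ordering: existence check / cleanup runs before the allow-flag check."""

    def __init__(self, users, allow_create=False, allow_delete=False):
        self.users = dict(users)          # constructed sample directory: name -> attrs
        self.allow_create = allow_create
        self.allow_delete = allow_delete
        # role assignments tracked per user, as the related state a delete cleans up
        self.assignments = {n: set(a.get("roles", ())) for n, a in users.items()}

    def create_user(self, name, attrs):
        if name in self.users:            # looked up first -> 409 even though creates are disabled
            raise Conflict(name)
        if not self.allow_create:
            raise Forbidden("user creation disabled")
        self.users[name] = attrs

    def delete_user(self, name):
        self.assignments.pop(name, None)  # cleanup happens before the refusal -> partial state
        if not self.allow_delete:
            raise Forbidden("user deletion disabled")
        del self.users[name]


class ReadOnlyBackendAfter(ReadOnlyBackendBefore):
    """Fixed ordering: the allow flag is checked before any lookup or cleanup."""

    def create_user(self, name, attrs):
        if not self.allow_create:
            raise Forbidden("user creation disabled")
        if name in self.users:
            raise Conflict(name)
        self.users[name] = attrs

    def delete_user(self, name):
        if not self.allow_delete:
            raise Forbidden("user deletion disabled")
        self.assignments.pop(name, None)
        del self.users[name]


def status_of(call):
    """Map the backend outcome to the HTTP status an API layer would return."""
    try:
        call()
    except (Conflict, Forbidden) as exc:
        return exc.status
    return 201


SAMPLE_USERS = {"monitoring": {"roles": {"member"}}}   # constructed sample directory


def demo(backend_cls):
    """Run create-existing, create-new and delete against a read-only backend."""
    b = backend_cls(SAMPLE_USERS)
    return {
        "create_existing": status_of(lambda: b.create_user("monitoring", {})),
        "create_new": status_of(lambda: b.create_user("newuser", {})),
        "delete": status_of(lambda: b.delete_user("monitoring")),
        "assignments_left": "monitoring" in b.assignments,
        "user_left": "monitoring" in b.users,
    }


if __name__ == "__main__":
    print("before:", demo(ReadOnlyBackendBefore))
    print("after: ", demo(ReadOnlyBackendAfter))
```

With the buggy ordering the existing user yields 409 and the delete strips the user's assignments before refusing; with the flag checked first every write is refused with 403 and nothing in the directory model changes.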