Authorization Failed: Could not find user, None. (HTTP 404)

Bug #1204221 reported by alexius ludeman
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Wu Wenxiang |

Bug Description

assignment/core.py:
    def _get_group_project_roles():
        ...
        metadata_ref = self._get_metadata(
            group_id=x['id'],
            domain_id=project_ref['domain_id'])

self._get_metadata() gets called with user_id=None

assignment/backends/ldap.py:
    def _get_metadata():
        ...
        if (not self.get_project(tenant_id) or
                user_id and not self.identity_api.get_user(user_id)):

self.identity_api.get_user(user_id) raises "Could not find user" since user_id = None

affects: python-keystoneclient → keystone
Dolph Mathews (dolph)
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Changed in keystone:
assignee: nobody → Kun Huang (academicgareth)
alexius ludeman (lexinator) wrote :

Whoops, I just realized I accidentally copy/pasted my fix.

original should be:
    if (not self.get_project(tenant_id) or
         not self.identity_api.get_user(user_id)):

my local fix is:
    if (not self.get_project(tenant_id) or
        user_id and not self.identity_api.get_user(user_id)):

Kun Huang (academicgareth) wrote :

alexius

If you would patch it, just do it and don't care about the 'assigned to'. Anything is OK before any other guy uploads his changeset. So you could also assign this bug to yourself and run 'git review' now.

alexius ludeman (lexinator) wrote :

Hi Kun,
Currently I'm unable to submit patches.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/38963

Changed in keystone:
assignee: Kun Huang (academicgareth) → Wu Wenxiang (wu-wenxiang)
status: Confirmed → In Progress
alexius ludeman (lexinator) wrote :

I didn't put this in the original bug message, but the same raise occurs in the following function:
    metadata_ref = _get_roles_for_just_user_and_project(user_id, tenant_id)

Wu Wenxiang (wu-wenxiang) wrote :

This bug report is wrong. The UserNotFound exception was not raised from
    metadata_ref = self._get_metadata(group_id=x['id'], domain_id=project_ref['domain_id'])
but from
    metadata_ref = self._get_metadata(group_id=x['id'], tenant_id=project_ref['id'])

Bug Log:

======================================================================
ERROR: test_get_roles_for_user_and_project (tests.test_backend_ldap.LDAPIdentity)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/trystack/src/keystone/tests/test_backend_ldap.py", line 651, in test_get_roles_for_user_and_project
    tenant_id=self.tenant_bar["id"])
  File "/home/trystack/src/keystone/keystone/assignment/core.py", line 127, in get_roles_for_user_and_project
    group_role_list = _get_group_project_roles(user_id, project_ref)
  File "/home/trystack/src/keystone/keystone/assignment/core.py", line 81, in _get_group_project_roles
    group_id=x['id'], tenant_id=project_ref['id'])
  File "/home/trystack/src/keystone/keystone/common/manager.py", line 44, in _wrapper
    return f(*args, **kw)
  File "/home/trystack/src/keystone/keystone/assignment/backends/ldap.py", line 104, in _get_metadata
    not self.identity_api.get_user(user_id)):
  File "/home/trystack/src/keystone/keystone/common/manager.py", line 44, in _wrapper
    return f(*args, **kw)
  File "/home/trystack/src/keystone/keystone/identity/backends/ldap.py", line 76, in get_user
    ref = identity.filter_user(self._get_user(user_id))
  File "/home/trystack/src/keystone/keystone/identity/backends/ldap.py", line 73, in _get_user
    return self.user.get(user_id)
  File "/home/trystack/src/keystone/keystone/common/ldap/core.py", line 683, in get
    ref = super(EnabledEmuMixIn, self).get(object_id, filter)
  File "/home/trystack/src/keystone/keystone/common/ldap/core.py", line 353, in get
    raise self._not_found(id)
UserNotFound: Could not find user, None.

alexius ludeman (lexinator) wrote :

OK, great, the unit test is now catching it!

Though I'm pretty sure that it would fail the same way for both code paths since user_id=None.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/38963
Committed: http://github.com/openstack/keystone/commit/5e7a56728c5c4e98dc509fb044886d6f8dd08e17
Submitter: Jenkins
Branch: master

commit 5e7a56728c5c4e98dc509fb044886d6f8dd08e17
Author: Wu Wenxiang <wu.wenxiang@99cloud.net>
Date: Sun Jul 28 22:19:42 2013 +0800

    Add defense in ldap:get_roles_for_user_and_project

    LDAP:get_roles_for_user_and_project will raise "Could not find user"
    exception when you try to get roles by user(user was in a group) and
    project.

    In this patch:
    1. Add defense in assignment.backends.ldap.Assignment::_get_metadata(),
    return empty dict rather than throw exception when userid==None or
    tenantid==None.
    2. Remove checking existence of tenant_id and user_id
    logic, because these logics were always done before this method being
    called.
    3. Add testcase test_get_role_by_user_and_project_with_user_in_group
    in test_backend module.

    Fixes bug #1204221

    Change-Id: I68c39afddde4065fc61ffb9451592c5108dc138b
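
An added illustration of the failure reported above and of the defensive return the commit message describes; it is not keystone's code and not part of the original thread. ToyAssignment, FakeIdentity, the method names and the sample ids are assumptions made for the example.

```python
class UserNotFound(Exception):
    """Stand-in for keystone's exception of the same name."""


class FakeIdentity:
    """Constructed identity backend that knows a single user, 'u1'."""

    def get_user(self, user_id):
        if user_id != "u1":
            raise UserNotFound("Could not find user, %s." % user_id)
        return {"id": user_id}


class ToyAssignment:
    """Hypothetical model of the LDAP assignment backend's metadata lookup."""

    def __init__(self):
        self.identity_api = FakeIdentity()
        self.grants = {("u1", "t1"): ["member"]}  # constructed sample data

    def get_project(self, tenant_id):
        return {"id": tenant_id}

    def get_metadata_original(self, user_id=None, tenant_id=None, group_id=None):
        # Check quoted in the report: resolves user_id unconditionally.
        if (not self.get_project(tenant_id) or
                not self.identity_api.get_user(user_id)):
            return {}
        return {"roles": self.grants.get((user_id, tenant_id), [])}

    def get_metadata_defended(self, user_id=None, tenant_id=None, group_id=None):
        # Behaviour described in the commit message: no existence checks,
        # empty dict when either id is missing (e.g. a group-only lookup).
        if user_id is None or tenant_id is None:
            return {}
        return {"roles": self.grants.get((user_id, tenant_id), [])}


def group_project_roles(get_metadata, group_ids, tenant_id):
    """Mimics the per-group loop: each call passes group_id, never user_id."""
    roles = []
    for gid in group_ids:
        roles += get_metadata(group_id=gid, tenant_id=tenant_id).get("roles", [])
    return roles


def original_fails():
    """Return the error text the original check produces for a group lookup."""
    try:
        group_project_roles(ToyAssignment().get_metadata_original, ["g1"], "t1")
    except UserNotFound as exc:
        return str(exc)
    return None
```

In this model the defended variant yields no roles for a group-only lookup, so the request no longer aborts and nothing extra is granted.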

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-3 → 2013.2