Update role using LDAP backend with same name fails

Bug #1401721 reported by Brant Knudson
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Brant Knudson |
Juno | Fix Released | Medium | Brant Knudson |

Bug Description

When the keystone server is configured to use the LDAP backend for assignments and a role is updated to have the same name, the operation fails, saying that you can't create a role because another role with the same name already exists.

The keystone server should just accept the request and ignore the change rather than failing.

To recreate:

0. Start with a devstack install using LDAP for the assignment backend

1. Get a token

$ curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "demo",
        "domain": { "id": "default" }
      }
    }
  }
}' \
  http://localhost:35357/v3/auth/tokens ; echo

$ TOKEN=...

2. List roles

$ curl \
    -H "X-Auth-Token: $TOKEN" \
    http://localhost:35357/v3/roles | python -m json.tool

$ ROLE_ID=36a9eede308d41e8a92effce2e46cc4a

3. Update a role with the same name.

$ curl -X PATCH \
    -H "X-Auth-Token: $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"role": {"name": "anotherrole"}}' \
    http://localhost:35357/v3/roles/$ROLE_ID

{"error": {"message": "Cannot duplicate name {'id': u'36a9eede308d41e8a92effce2e46cc4a', 'name': u'anotherrole'}", "code": 409, "title": "Conflict"}}

The operation should have worked.

Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/141234

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/141235

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Low
Dolph Mathews (dolph)
Changed in keystone:
importance: Low → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/141234
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=79c2fedd6ff6a6d4471412518e415351003aca39
Submitter: Jenkins
Branch: master

commit 79c2fedd6ff6a6d4471412518e415351003aca39
Author: Brant Knudson <email address hidden>
Date: Thu Dec 11 19:13:56 2014 -0600

    Add a test for modifying a role to set the name the same

    There was no test that showed what happened when a role is modified
    to have the same name. The test shows that when using the LDAP
    assignment this request fails with a conflict error.

    Change-Id: I40bb62200e79c8ff519e02facad042a657c26cae
    Partial-Bug: #1401721

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/141235
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b6f7cad8ba432e6d3e33812238620e768c529996
Submitter: Jenkins
Branch: master

commit b6f7cad8ba432e6d3e33812238620e768c529996
Author: Brant Knudson <email address hidden>
Date: Thu Dec 11 19:18:45 2014 -0600

    Fix modifying a role with same name using LDAP

    When the keystone server was configured to use the LDAP assignment
    backend and a role was modified with the same name as the role the
    operation would fail. This is because the server would check that a
    role with the same name existed already and it would of course find
    the entry that is currently being modified.

    The server is changed to check if the entry currently being modified
    is the one with the same name and the operation is allowed if this is
    the case.

    Change-Id: Ia86ef9fabfd438367a7ed09efb55711860e47d8b
    Closes-Bug: #1401721
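
The check described in the fix commit above, and the 409 from the bug description, sketched as an added example (not keystone's code and not taken from the commit; `RoleStore`, its methods and the sample roles are hypothetical). It shows that the duplicate-name guard has to skip the entry being updated while still rejecting a rename onto a different role's name.

```python
# Added illustration: RoleStore is a hypothetical in-memory stand-in for the
# LDAP role backend. None of these names come from keystone.
class Conflict(Exception):
    """Corresponds to the HTTP 409 shown in the report."""


class RoleStore:
    def __init__(self, roles):
        self._roles = {rid: {"id": rid, "name": n} for rid, n in roles.items()}

    def _find_by_name(self, name):
        return next((r for r in self._roles.values() if r["name"] == name), None)

    def update_before_fix(self, role_id, changes):
        # Reported behaviour: any entry with the requested name is treated
        # as a duplicate, including the entry being updated.
        if "name" in changes and self._find_by_name(changes["name"]):
            raise Conflict("Cannot duplicate name %r" % changes["name"])
        self._roles[role_id].update(changes)
        return dict(self._roles[role_id])

    def update_after_fix(self, role_id, changes):
        # Fixed behaviour: a name match is a conflict only when it belongs
        # to a different entry than the one being updated.
        if "name" in changes:
            match = self._find_by_name(changes["name"])
            if match is not None and match["id"] != role_id:
                raise Conflict("Cannot duplicate name %r" % changes["name"])
        self._roles[role_id].update(changes)
        return dict(self._roles[role_id])


def outcome(update, role_id, name):
    """Run one update and report 'ok' or 'conflict'."""
    try:
        update(role_id, {"name": name})
        return "ok"
    except Conflict:
        return "conflict"


def demo():
    store = RoleStore({"r1": "anotherrole", "r2": "member"})  # constructed data
    return {
        "before_same_name": outcome(store.update_before_fix, "r1", "anotherrole"),
        "after_same_name": outcome(store.update_after_fix, "r1", "anotherrole"),
        "after_other_name": outcome(store.update_after_fix, "r1", "member"),
    }
```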

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-1
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/142555

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/142556

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/142555
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7fc6585406b83327da47bcf0496c476e9a460213
Submitter: Jenkins
Branch: stable/juno

commit 7fc6585406b83327da47bcf0496c476e9a460213
Author: Brant Knudson <email address hidden>
Date: Thu Dec 11 19:13:56 2014 -0600

    Add a test for modifying a role to set the name the same

    There was no test that showed what happened when a role is modified
    to have the same name. The test shows that when using the LDAP
    assignment this request fails with a conflict error.

    (cherry picked from commit 79c2fedd6ff6a6d4471412518e415351003aca39)

    Change-Id: I40bb62200e79c8ff519e02facad042a657c26cae
    Partial-Bug: #1401721

tags: added: in-stable-juno
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/142556
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=44c1bd0c8d029f8fb420f78948403eb3d86f84fd
Submitter: Jenkins
Branch: stable/juno

commit 44c1bd0c8d029f8fb420f78948403eb3d86f84fd
Author: Brant Knudson <email address hidden>
Date: Thu Dec 11 19:18:45 2014 -0600

    Fix modifying a role with same name using LDAP

    When the keystone server was configured to use the LDAP assignment
    backend and a role was modified with the same name as the role the
    operation would fail. This is because the server would check that a
    role with the same name existed already and it would of course find
    the entry that is currently being modified.

    The server is changed to check if the entry currently being modified
    is the one with the same name and the operation is allowed if this is
    the case.

    (cherry picked from commit b6f7cad8ba432e6d3e33812238620e768c529996)

    Change-Id: Ia86ef9fabfd438367a7ed09efb55711860e47d8b
    Closes-Bug: #1401721

Alan Pevec (apevec)
tags: removed: in-stable-juno
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-1 → 2015.1.0