Any attribute that is equal to 'TRUE' or 'FALSE' is treated as boolean by LDAP drivers
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Lin Hua Cheng | |
Juno | Fix Released | High | Lin Hua Cheng | |
Bug Description
Our core LDAP driver makes a dangerous assumption that any attribute that is equal to the string 'TRUE' or 'FALSE' must be a boolean and will convert the value accordingly. For instance, the following test:
def test_hn1(self):
ref = {
'name': 'TRUE',
ref = self.identity_
ref1 = self.identity_
will fail (on an LDAP backend) with:
MismatchError: !=:
reference = {'domain_id': 'default', 'enabled': True, 'id': 'd4202d8717104d
actual = {'domain_id': 'default', 'enabled': True, 'id': u'd4202d8717104
Ouch!
Now that we have a schema for our models, perhaps we should use that to determine whether something is a boolean or not? e.g. for projects, we have:
_project_properties = {
'description': validation.
# NOTE(lbragstad): domain_id isn't nullable according to some backends.
# The identity-api should be updated to be consistent with the
# implementation.
'domain_id': parameter_
'enabled': parameter_
'parent_id': validation.
'name': {
'type': 'string',
}
}
For some reason the user/group ones don't exist yet, but we can fix that.
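The value-based guessing described in this report, next to a schema-driven conversion of the kind it proposes, as an added example that is not keystone's code and not part of the original report. The entry contents, the attribute mapping, the schema dict and every function name are constructed for illustration, and the entry shape (attribute name mapped to a list of string values) is an assumption.

```python
# Constructed LDAP entry; assumed shape: attribute name -> list of string values.
SAMPLE_ENTRY = {
    'cn': ['d4202d87'],        # constructed id
    'ou': ['TRUE'],            # a project whose name is literally "TRUE"
    'description': ['FALSE'],  # free text that happens to read "FALSE"
    'enabled': ['TRUE'],       # the only attribute that really is a boolean
}

# Hypothetical attribute mapping and schema, modelled on the
# _project_properties idea quoted in the report.
ATTR_TO_FIELD = {'cn': 'id', 'ou': 'name',
                 'description': 'description', 'enabled': 'enabled'}
PROJECT_SCHEMA = {
    'id': {'type': 'string'},
    'name': {'type': 'string'},
    'description': {'type': 'string'},
    'enabled': {'type': 'boolean'},
}
_BOOL_STRINGS = {'TRUE': True, 'FALSE': False}


def naive_from_ldap(entry):
    """Behaviour described in the bug: any 'TRUE'/'FALSE' value becomes a bool."""
    obj = {}
    for attr, values in entry.items():
        value = values[0]
        obj[ATTR_TO_FIELD[attr]] = _BOOL_STRINGS.get(value, value)
    return obj


def schema_from_ldap(entry, schema=PROJECT_SCHEMA):
    """Convert only fields the schema declares boolean; reject anything else there."""
    obj = {}
    for attr, values in entry.items():
        field, value = ATTR_TO_FIELD[attr], values[0]
        if schema[field]['type'] == 'boolean':
            if value not in _BOOL_STRINGS:
                raise ValueError('%s: not an LDAP boolean: %r' % (field, value))
            value = _BOOL_STRINGS[value]
        obj[field] = value
    return obj


def changed_types(entry):
    """Fields whose type the naive converter silently changed."""
    naive, strict = naive_from_ldap(entry), schema_from_ldap(entry)
    return sorted(f for f in strict if type(naive[f]) is not type(strict[f]))
```

`changed_types` is the kind of check a regression test can run over string fields to catch value-based coercion before it reaches comparisons or name lookups.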
Changed in keystone:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-3 → 2015.1.0
Seems two separate bugs are mentioned here:
1. adding user/group schema
2. how the objects from the LDAP backend are converted to Python objects
I opened a separate bug for #1: https://bugs.launchpad.net/keystone/+bug/1415694