IdP doesn't support field based DB filtering

Bug #1525317 reported by Dave Chen
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Dave Chen
Milestone: (none listed)

Bug Description

Currently, IdP doesn't support filtering the DB records based on a field. For example,

if the DB is configured like this,
mysql> select * from identity_provider;
+------+---------+-------------+
| id | enabled | description |
+------+---------+-------------+
| idp1 | 1 | NULL |
| idp2 | 1 | NULL |
+------+---------+-------------+
2 rows in set (0.00 sec)

and I query the IdP with this curl command, I get all of the records from the DB:

curl -g -i -X GET http://127.0.0.1:35357/v3/OS-FEDERATION/identity_providers?id=idp1 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: f74ac35177cb4720891a9cfed5ea1b9c"

{
 "links": {
  "self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers?id=idp1",
  "previous": null,
  "next": null
 },
 "identity_providers": [{
  "remote_ids": [],
  "enabled": true,
  "id": "idp1",
  "links": {
   "self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp1",
   "protocols": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp1/protocols"
  },
  "description": null
 }, {
  "remote_ids": [],
  "enabled": true,
  "id": "idp2",
  "links": {
   "self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp2",
   "protocols": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp2/protocols"
  },
  "description": null
 }]
}

This feature should be supported since OSC depends on this to filter the DB records that are wanted.

Note: I opened this bug since it's different from https://bugs.launchpad.net/python-openstackclient/+bug/1479837; they are two different things, and I think this sounds like a feature that keystone should support.

Dave Chen (wei-d-chen)
description: updated
Changed in python-openstackclient:
assignee: nobody → Dave Chen (wei-d-chen)
Dave Chen (wei-d-chen)
affects: python-openstackclient → keystone
Dave Chen (wei-d-chen)
description: updated
Dave Chen (wei-d-chen)
description: updated
Changed in keystone:
status: New → In Progress
Steve Martinelli (stevemar) wrote :
Dave Chen (wei-d-chen) wrote :

Steve - Even if the keystone server changes the design by not ignoring the unsupported filters, bug #1479837 should not get fixed, since filtering has not even been enabled for list IdP.

The initial patch addresses the two issues in one patch, so I am going to split the patch and give a review that looks more certain.

Dave Chen (wei-d-chen) wrote :

Damn it, copy/paste messed it up; I updated the CURL in the bug report.

So, the issue is that even when you query with a valid IdP id, you still get all the IdPs the backend DB has, since filtering is not enabled for list IdP.

curl -g -i -X GET http://127.0.0.1:35357/v3/OS-FEDERATION/identity_providers?id=idp1 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: d25773d137e347aa9ed85f9919179893"

{"links": {"self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers?id=idp1", "previous": null, "next": null}, "identity_providers": [{"remote_ids": [], "enabled": true, "id": "idp1", "links": {"self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp1", "protocols": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp1/protocols"}, "description": null}, {"remote_ids": [], "enabled": false, "id": "idp2", "links": {"self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp2", "protocols": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp2/protocols"}, "description": null}, {"remote_ids": [], "enabled": false, "id": "idp3", "links": {"self": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp3", "protocols": "http://10.239.48.36:35357/v3/OS-FEDERATION/identity_providers/idp3/protocols"}, "description": null}]}dave@shldeOTCopen005:/opt/stack/keystone

It returns all three IdPs I have created.

description: updated
Dave Chen (wei-d-chen) wrote :

And per the discussion in that patch - https://review.openstack.org/#/c/215041/, bug #1479837 should more likely be fixed in OSC rather than in the Keystone server, so I could only mark the patch as related to bug 1479837. So, I filed this bug to track the change in Keystone.

Dave Chen (wei-d-chen) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/262307

Changed in keystone:
assignee: Dave Chen (wei-d-chen) → Henry Nash (henry-nash)
Changed in keystone:
assignee: Henry Nash (henry-nash) → Dave Chen (wei-d-chen)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/262307
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2774d53355cdfc1c7b5d518fc4a5426d03d4f922
Submitter: Jenkins
Branch: master

commit 2774d53355cdfc1c7b5d518fc4a5426d03d4f922
Author: Henry Nash <email address hidden>
Date: Tue Dec 29 20:02:45 2015 +0000

    Create V9 version of federation driver interface

    In preparation for api changes for filtering, a V9 version of
    the federation driver interface is created.

    This patch also stops trying to load any of the contrib sql
    models in our test runs - since these were a duplicative load
    of the same models, since all contrib sql backends have moved
    to the core tree. Not loading the contrib models is a
    requirement for being able to test the V8 federation interface,
    since otherwise two different models get loaded.

    In addition, this patch fixes up the setup of restful test cases
    to allow legacy driver overrides to be used in such tests. This
    is useful for components (such as federation) that do not have
    good manager level testing due to their single backend driver.

    Change-Id: I179c5b86e42b8ac67b630b6871f1819c6f62c96b
    Partial-Bug: #1525317

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/267949

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/215041
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cdd3ac454c2850ab72883963aa6bd6a0d80fe56f
Submitter: Jenkins
Branch: master

commit cdd3ac454c2850ab72883963aa6bd6a0d80fe56f
Author: Dave Chen <email address hidden>
Date: Sat Dec 12 08:51:50 2015 +0800

    Enable `id`, `enabled` attributes filtering for list IdP API

    list IdP currently doesn't support filtering records by any
    attributes, but this is used somewhere, such as OpenStack
    Client using `name` to filter the record.

    IdP doesn't have a `name` attribute but has `id` and `enabled`
    attributes instead.

    This patch enables the filtering of Identity Provider based
    on `id`, `enabled` attributes so that OpenStack Client or the
    CURL query can benefit from it.

    Change-Id: Ib672ba759d26bdd0eecd48451994b3451fb8648a
    Related-Bug: #1479837
    Closes-Bug: #1525317
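
An added example, not taken from the keystone change or from this report: a sketch of a list call that applies `id` and `enabled` filters and reports the ones it ignores, plus a client-side check that catches a response which did not honour the query, as in the curl output above. The function names, the sample rows and the parsing of `enabled` from a query string are assumptions made for illustration.

```python
# Added illustration; not keystone code. All names below are hypothetical.
# Maps each filterable attribute to a parser for its query-string value.
SUPPORTED_FILTERS = {"id": str, "enabled": lambda v: v.lower() in ("1", "true")}

# Constructed sample rows, shaped like the identity_provider records in the report.
IDPS = [
    {"id": "idp1", "enabled": True, "description": None},
    {"id": "idp2", "enabled": False, "description": None},
    {"id": "idp3", "enabled": False, "description": None},
]


def list_idps(records, query, supported=SUPPORTED_FILTERS):
    """Apply every supported filter; return (matches, ignored filter names)."""
    matches, ignored = list(records), []
    for name, raw in query.items():
        parse = supported.get(name)
        if parse is None:
            ignored.append(name)  # e.g. `name`, which IdP does not have
            continue
        wanted = parse(raw)
        matches = [r for r in matches if r[name] == wanted]
    return matches, ignored


def violates_filter(query, returned, supported=SUPPORTED_FILTERS):
    """Client-side check: ids of returned rows that do not satisfy the query."""
    bad = []
    for row in returned:
        for name, raw in query.items():
            if name in supported and row.get(name) != supported[name](raw):
                bad.append(row["id"])
                break
    return bad
```

Passing `supported={}` to `list_idps` reproduces the behaviour reported here (every filter ignored, all rows returned); a caller that runs `violates_filter` on such a response sees the rows it should not act on.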

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone-specs (master)

Reviewed: https://review.openstack.org/267949
Committed: https://git.openstack.org/cgit/openstack/keystone-specs/commit/?id=026d859bb00f89dea82cd87ad139a8bd24582b0d
Submitter: Jenkins
Branch: master

commit 026d859bb00f89dea82cd87ad139a8bd24582b0d
Author: Dave Chen <email address hidden>
Date: Fri Jan 15 13:41:02 2016 +0800

    Enable `id`, `enabled` filter for list IdP

    Depends-On: Ib672ba759d26bdd0eecd48451994b3451fb8648a
    Change-Id: I732743e5991952f296b13513f0fb2c97fdfc2bde
    Partial-Bug: #1525317

Changed in keystone:
importance: Undecided → Medium