Entry to User table creates entries in local_user table for ldap and custom driver users

Bug #1615000 reported by Divya K Konoor
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Ron De Rose |

Bug Description

This was observed while trying with ldap and custom driver users (not sure of the behavior for federated and sql users).

It's found that after an ldap / custom driver user is configured with OpenStack and a user authentication request is placed (token issue, for example), there are entries made into 3 tables:
- User
- local_user
- nonlocal_user

As seen below, the ldap user name is avni_u1

MariaDB [keystone]> select * from id_mapping where public_id="b3a54f2bbea168204a907aad3fc15a66d60cec9ad5d3301a4586b01b5e461510";
+------------------------------------------------------------------+-----------+----------+-------------+
| public_id | domain_id | local_id | entity_type |
+------------------------------------------------------------------+-----------+----------+-------------+
| b3a54f2bbea168204a907aad3fc15a66d60cec9ad5d3301a4586b01b5e461510 | default | avni_u1 | user |
+------------------------------------------------------------------+-----------+----------+-------------+
1 row in set (0.00 sec)

MariaDB [keystone]> select * from user;
+------------------------------------------------------------------+-------------------------------------------------+---------+--------------------+---------------------+----------------+
| id | extra | enabled | default_project_id | created_at | last_active_at |
+------------------------------------------------------------------+-------------------------------------------------+---------+--------------------+---------------------+----------------+
| b3a54f2bbea168204a907aad3fc15a66d60cec9ad5d3301a4586b01b5e461510 | {"description": "user with admin role"} | NULL | NULL | 2016-08-19 13:32:44 | NULL |
+------------------------------------------------------------------+-------------------------------------------------+---------+--------------------+---------------------+----------------+
1 rows in set (0.00 sec)

MariaDB [keystone]> select * from local_user;
+----+------------------------------------------------------------------+----------------------------------+------------+-------------------+----------------+
| id | user_id | domain_id | name | failed_auth_count | failed_auth_at |
+----+------------------------------------------------------------------+----------------------------------+------------+-------------------+----------------+
| 1 | b3a54f2bbea168204a907aad3fc15a66d60cec9ad5d3301a4586b01b5e461510 | default | avni_u1 | NULL | NULL |
+----+------------------------------------------------------------------+----------------------------------+------------+-------------------+----------------+
1 rows in set (0.00 sec)

MariaDB [keystone]> select * from nonlocal_user;
+----------------------------------+------------+------------------------------------------------------------------+
| domain_id | name | user_id |
+----------------------------------+------------+------------------------------------------------------------------+
| default | avni_u1 | b3a54f2bbea168204a907aad3fc15a66d60cec9ad5d3301a4586b01b5e461510 |
+----------------------------------+------------+------------------------------------------------------------------+

This behavior is probably not new and is caused due to https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql_model.py#L147
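
A check for the rows described above, added here as an example and not part of the original report: it rebuilds local_user and nonlocal_user in an in-memory SQLite database using only columns shown in the output, fills them with constructed rows, and lists every user_id recorded in both tables. The helper names and the sample ids are assumptions.

```python
import sqlite3

# Constructed schema: only columns visible in the report's query output.
SCHEMA = """
CREATE TABLE local_user (id INTEGER PRIMARY KEY, user_id TEXT,
                         domain_id TEXT, name TEXT);
CREATE TABLE nonlocal_user (domain_id TEXT, name TEXT, user_id TEXT);
"""

# Constructed rows: one local-only user, one correctly shadowed LDAP user,
# and one LDAP user recorded in both tables (the reported symptom).
LOCAL_ROWS = [
    ("id-sql-admin", "default", "sql_admin"),
    ("id-avni", "default", "avni_u1"),
]
NONLOCAL_ROWS = [
    ("default", "ldap_ok", "id-ldap-ok"),
    ("default", "avni_u1", "id-avni"),
]

# A user_id present in both tables matches the symptom in this report.
DOUBLY_RECORDED = """
SELECT n.user_id, n.domain_id, n.name, l.id AS local_user_row
FROM nonlocal_user AS n
JOIN local_user AS l ON l.user_id = n.user_id
ORDER BY n.name
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO local_user (user_id, domain_id, name) VALUES (?, ?, ?)",
        LOCAL_ROWS)
    conn.executemany("INSERT INTO nonlocal_user VALUES (?, ?, ?)", NONLOCAL_ROWS)
    return conn

def find_doubly_recorded(conn):
    """Return (user_id, domain_id, name, local_user.id) for affected users."""
    return conn.execute(DOUBLY_RECORDED).fetchall()

if __name__ == "__main__":
    for row in find_doubly_recorded(build_sample_db()):
        print("shadowed user also has a local_user row:", row)
```
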

Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
milestone: none → newton-3
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/357979

Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/357979
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=70e6d58f461bd066a9f149be8ef096884b3ce6b0
Submitter: Jenkins
Branch: master

commit 70e6d58f461bd066a9f149be8ef096884b3ce6b0
Author: Ronald De Rose <email address hidden>
Date: Fri Aug 19 15:40:21 2016 +0000

    Shadowing a nonlocal_user incorrectly creates a local_user

    This patch fixes a bug where when shadowing a nonlocal_user (LDAP,
    custom driver) it also incorrectly creates a local_user. The error is
    related to hybrid properties and calling the class from_dict method,
    which set the local_user attributes.

    Change-Id: I6e69cce5f337a330f2531ff71db3e931b785271c
    Closes-Bug: #1615000
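
A simplified model of the failure the commit message describes, added here as an example and not keystone's code: a plain Python property stands in for the SQLAlchemy hybrid property, and every class and function name is an assumption. `shadow_explicit` shows one way to avoid the side effect; it is not the merged change.

```python
class LocalUser:
    def __init__(self):
        self.name = None

class NonLocalUser:
    def __init__(self, domain_id, name):
        self.domain_id = domain_id
        self.name = name

class User:
    """Toy stand-in for the user model; `name` proxies to a child record."""
    def __init__(self, id):
        self.id = id
        self.local_user = None
        self.nonlocal_user = None

    @property
    def name(self):
        child = self.local_user or self.nonlocal_user
        return child.name if child else None

    @name.setter
    def name(self, value):
        # Side effect: assigning a name materialises a local_user record.
        if self.local_user is None:
            self.local_user = LocalUser()
        self.local_user.name = value

    @classmethod
    def from_dict(cls, d):
        user = cls(d["id"])
        for key, value in d.items():
            if key != "id":
                setattr(user, key, value)  # "name" goes through the setter
        return user

def shadow_via_from_dict(user_dict):
    """Buggy shape: generic from_dict, then attach the nonlocal_user."""
    user = User.from_dict(user_dict)
    user.nonlocal_user = NonLocalUser(user_dict["domain_id"], user_dict["name"])
    return user

def shadow_explicit(user_dict):
    """Corrected shape: build the shadow record without touching `name`."""
    user = User(user_dict["id"])
    user.nonlocal_user = NonLocalUser(user_dict["domain_id"], user_dict["name"])
    return user
```
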

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
