`openstack group contains user` hides real client and server errors

Bug #1672634 reported by Colleen Murphy
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| python-openstackclient | Fix Released | Medium | Colleen Murphy | |

Bug Description

If keystone is misconfigured, calling `openstack group contains user $group $user` may result in the response '$user not in $group' when the reality is that the keystone server experienced an error and returned a 500. In my case, pyldap was raising a DECODING_ERROR because I needed to set [ldap]/group_members_are_ids, but openstackclient's error message was leading me to believe that I had misconfigured [ldap]/group_member_attribute or that in fact the user was not in the group.

In keystone, HEAD /v3/groups/{group_id}/users/{user_id} returns a 404 if the given user is not in the given group. It may also return a 403 to indicate that the resources being compared have different backends, which would also indicate that the user is not in the group. Therefore openstackclient should interpret a 403 or a 404 as an acceptable negative response and any other 4XX or 5XX response as an error to which the user should be alerted.
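The status handling described above, as an added example that is not code from python-openstackclient or from this report: `HTTPError`, `make_head_check` and both `contains_user_*` functions are hypothetical stand-ins, and the fake call assumes keystone's 204 success status for the membership check. It contrasts the catch-all behaviour that hid the 500 with handling that accepts only 403 and 404 as a negative answer.

```python
# Added illustration; all names are hypothetical stand-ins, not
# python-openstackclient or keystoneclient code.

class HTTPError(Exception):
    """Stand-in for an identity client exception carrying an HTTP status."""
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status


def make_head_check(status):
    """Build a fake HEAD /v3/groups/{group_id}/users/{user_id} call.

    Assumption: 204 means the user is a member; any other status raises.
    """
    def head_check(group_id, user_id):
        if status != 204:
            raise HTTPError(status)
    return head_check


def contains_user_broad(head_check, group, user):
    """Behaviour from the report: every failure reads as 'not in group'."""
    try:
        head_check(group, user)
    except Exception:
        return False  # a 500 from a broken LDAP backend lands here too
    return True


NEGATIVE_STATUSES = frozenset({403, 404})  # the only accepted negatives


def contains_user_narrow(head_check, group, user):
    """Only 403/404 mean 'not a member'; other 4XX/5XX reach the caller."""
    try:
        head_check(group, user)
    except HTTPError as exc:
        if exc.status not in NEGATIVE_STATUSES:
            raise  # surface client and server errors instead of masking them
        return False
    return True


if __name__ == "__main__":
    # Constructed statuses: member, not a member, cross-backend, server error.
    for code in (204, 404, 403, 500):
        call = make_head_check(code)
        print(code, "broad ->", contains_user_broad(call, "grp", "usr"))
```
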

Colleen Murphy (krinkle) wrote :

Not sure why the 'closes-bug' isn't automatically linking the patch but here it is: https://review.openstack.org/#/c/445257/

Changed in python-openstackclient:
importance: Undecided → Medium
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/445257
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=853ea5ab59e5d7845d389e46527038575c3c170c
Submitter: Jenkins
Branch: master

commit 853ea5ab59e5d7845d389e46527038575c3c170c
Author: Colleen Murphy <email address hidden>
Date: Tue Mar 14 01:24:31 2017 +0100

    Narrow expected responses for CheckUserInGroup

    When checking whether a given user is in a given group, keystone will
    return a 404 Not Found if all went well but the user was not in the
    group. It may also return a 403 if the user and the group are in
    different backends, which would also mean that the user was not in the
    group[1]. Any other 400 response is a client error and any 500 response
    is a server error to which the user should be alerted.

    Without this patch, openstackclient treats any exception as a valid "not
    found" and may end up hiding server errors. This patch reduces the
    caught exceptions to 403 and 404 responses and treats everything else as
    an error.

    [1] https://developer.openstack.org/api-ref/identity/v3/?expanded=check-whether-user-belongs-to-group-detail#check-whether-user-belongs-to-group

    Closes-bug: #1672634

    Change-Id: Id3f3b2409b7cee480ee3c19b6d6c3070599ffe8f

Changed in python-openstackclient:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-openstackclient 3.10.0

This issue was fixed in the openstack/python-openstackclient 3.10.0 release.
