Unable to remove an assignment from domain and project

Bug #1754677 reported by Lance Bragstad
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Vishakha Agarwal |

Bug Description

When you set up a user with a role assignment on a domain and then a role assignment on a project "acting as a domain", you can't actually remove them. The following paste sets up the environment:

http://paste.openstack.org/show/695978/

Which results in the following when a user tries to remove either of those assignments:

http://paste.openstack.org/show/696013/

And the resulting trace:

http://paste.openstack.org/show/695994/

It appears the issue is because somewhere in the assignment code we're only expecting a single assignment to be returned for us to delete, which isn't the case here and causes ambiguity.

Tags: office-hours
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Changed in keystone:
assignee: nobody → Raildo Mascena de Sousa Filho (raildo)
Adrian Turjak (adriant-y) wrote :

I have a feeling the reason for this in keystone is that the query in question isn't looking at the type when doing a query: https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L358

just the other fields:
https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L363-L366

Chances are the same error would occur if you assign to a group a project and a domain scope.

This is most likely legacy code that needed to deal with multiple types of assignments between projects and domains when the two were actually two different types. Now that a domain is a project, the type field is almost pointless in the actual internals, unless there is somewhere that actually makes a distinction between domain vs project scope on an assignment.

Adrian Turjak (adriant-y) wrote :

yep, looking back in the git history, the type definition comes from before domains became projects.

tags: added: office-hours
Changed in keystone:
status: Triaged → In Progress
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/570438
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9cefb4dfc9f3497fd4c123ad9b1aadc65b2974d0
Submitter: Zuul
Branch: master

commit 9cefb4dfc9f3497fd4c123ad9b1aadc65b2974d0
Author: Raildo Mascena <email address hidden>
Date: Thu May 24 17:13:05 2018 -0300

    Exposing ambiguity bug when querying role assignments

    Test case exposing the issue described in that bug
    also, adding the expected result commented, to be
    removed the commented tags, after the bug be fixed.

    Change-Id: I0e7b181977a1850a9a93472892407817561bfa0a
    Partial-Bug: 1754677

Changed in keystone:
milestone: none → rocky-rc1
Changed in keystone:
status: In Progress → Fix Committed
Colleen Murphy (krinkle) wrote :

I don't see a fix committed for this, the @wip marker on the test that Raildo added is still there so I don't think this is fixed yet.

Changed in keystone:
status: Fix Committed → In Progress
milestone: rocky-rc1 → stein-1
Lance Bragstad (lbragstad) wrote :

Removing the targeted milestone since stein-1 has passed.

Changed in keystone:
milestone: stein-1 → none
Changed in keystone:
assignee: Raildo Mascena de Sousa Filho (raildo) → Vishakha Agarwal (vishakha.agarwal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/737225

Changed in keystone:
milestone: none → victoria-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/737225
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=28faa24e68467f7c10e00e433fec61914e172ca1
Submitter: Zuul
Branch: master

commit 28faa24e68467f7c10e00e433fec61914e172ca1
Author: Vishakha Agarwal <email address hidden>
Date: Mon Jun 22 12:58:00 2020 +0530

    Remove an assignment from domain and project

    When you setup a user with a role assignment on a domain
    and then a role assignment on a project "acting as a domain",
    you can't actually remove them. The database throws you the
    error "Multiple rows were found for one()" since it gets two
    results for "actor_id" with the same "target_id".

    This patch fixes this problem by filtering the database query
    by "type" field to determine whether it is a user domain relation
    or a user project and then removing the assignment.

    Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580
    Closes-Bug: #1754677

Changed in keystone:
status: In Progress → Fix Released
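
The ambiguity discussed in this report, reproduced as an added example (not keystone's code and not part of the original thread): a simplified `assignment` table in SQLite holds the two rows the bug description sets up, and a delete helper refuses to revoke when the lookup omits `type` but succeeds once `type` is part of the filter. The schema, the `delete_grant` and `remaining` helpers, the exception class and all ids are assumptions made for illustration.

```python
import sqlite3

# Simplified stand-in for keystone's assignment table (constructed schema).
SCHEMA = """
CREATE TABLE assignment (
    type      TEXT NOT NULL,
    actor_id  TEXT NOT NULL,
    target_id TEXT NOT NULL,
    role_id   TEXT NOT NULL,
    inherited INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (type, actor_id, target_id, role_id, inherited)
)
"""

class AmbiguousAssignment(Exception):
    """Hypothetical stand-in for 'Multiple rows were found for one()'."""

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample: same user, role and target id, granted once with
    # domain scope and once on the project acting as that domain.
    rows = [("UserDomain", "user-1", "dom-1", "role-1", 0),
            ("UserProject", "user-1", "dom-1", "role-1", 0)]
    db.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?, ?)", rows)
    return db

def delete_grant(db, actor_id, target_id, role_id, assignment_type=None):
    """Delete exactly one grant; refuse if the lookup is ambiguous or empty."""
    where = "actor_id = ? AND target_id = ? AND role_id = ? AND inherited = 0"
    params = [actor_id, target_id, role_id]
    if assignment_type is not None:
        # The fix described in the thread: make `type` part of the filter.
        where += " AND type = ?"
        params.append(assignment_type)
    matches = db.execute(
        f"SELECT type FROM assignment WHERE {where}", params).fetchall()
    if len(matches) > 1:
        raise AmbiguousAssignment(sorted(t for (t,) in matches))
    if not matches:
        raise LookupError("no such assignment")
    db.execute(f"DELETE FROM assignment WHERE {where}", params)
    return matches[0][0]

def remaining(db):
    """Return the types of the grants still present, sorted."""
    return [t for (t,) in db.execute("SELECT type FROM assignment ORDER BY type")]
```

Until one of the two grants is removed through the type-aware lookup, neither can be revoked, which is why the report treats the failure as high importance.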