Application credentials with a deleted role are unusable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Undecided | Unassigned |
Bug Description
Steps to reproduce:
1. Create role R
2. Create an application credential with role R in it
3. Delete role R
4. Try to list the application credentials
Observed: list fails with 404: Role Not Found
Expected: not sure
I see the following potential behaviors:
1. The role can be removed from the application credential when the role is deleted, leaving the application credential intact; however, the application credential might remain without roles, and I am not sure what it means;
2. The application credential could be immediately deleted when a role is deleted, because it references an invalid role;
3. The non-existing role can stay with the application credential in the database and can simply be ignored when processing the application credential internally
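
A toy in-memory model of the reproduction steps and the three candidate behaviours listed above, added here as an illustration; it is not keystone code, and every class, method and sample value in it is hypothetical. It assumes the listing resolves each role a credential references, which is why one dangling role id fails the whole call.

```python
# Added illustration: a toy in-memory model, not keystone code.
# All names and sample data below are hypothetical/constructed.

class RoleNotFound(Exception):
    """Stands in for the 404 'Role Not Found' from the report."""

class Store:
    def __init__(self, roles, app_creds):
        self.roles = dict(roles)                    # role_id -> role name
        self.app_creds = {n: list(r) for n, r in app_creds.items()}

    def get_role(self, role_id):
        if role_id not in self.roles:
            raise RoleNotFound(role_id)
        return self.roles[role_id]

    def list_strict(self):
        # Assumed mechanism: every referenced role is resolved, so a single
        # dangling id makes the whole listing fail.
        return {n: [self.get_role(r) for r in ids]
                for n, ids in self.app_creds.items()}

    def list_ignore_missing(self):
        # Behaviour 3: keep the stale id in storage, skip it when reading.
        return {n: [self.roles[r] for r in ids if r in self.roles]
                for n, ids in self.app_creds.items()}

    def delete_role(self, role_id, on_delete="none"):
        del self.roles[role_id]
        if on_delete == "strip":      # behaviour 1: drop the role from credentials
            for ids in self.app_creds.values():
                ids[:] = [r for r in ids if r != role_id]
        elif on_delete == "cascade":  # behaviour 2: delete credentials using it
            self.app_creds = {n: ids for n, ids in self.app_creds.items()
                              if role_id not in ids}

def reproduce(on_delete="none"):
    """Steps 1-3 of the report on constructed data; step 4 is a list_* call."""
    store = Store(roles={"r1": "R", "r2": "member"},
                  app_creds={"deploy": ["r1", "r2"], "only-r": ["r1"],
                             "reader": ["r2"]})
    store.delete_role("r1", on_delete)
    return store
```

In this model, behaviours 1 and 3 both leave `only-r` with an empty role list, the case the report is unsure about, while behaviour 2 removes it together with `deploy`.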
Changed in keystone: status: New → In Progress
We actually have a test for that: https://opendev.org/openstack/keystone/src/commit/7dc175a41f92e3f01cf26912431d0f2c98a03b32/keystone/tests/unit/test_v3_auth.py#L5807
But I think the test is wrong and should return 401 instead of 404.