LDAP list group users should not fail if user entry deleted

Bug #1174585 reported by Brant Knudson on 2013-04-29
This bug affects 1 person

Affects                         Importance   Assigned to
OpenStack Identity (keystone)   Medium       Brant Knudson
Grizzly                         Medium       Brant Knudson

Bug Description

Using the LDAP identity backend,
if a group member entry doesn't exist in the LDAP server anymore
and the group's members are listed using GET /v3/groups/{groupId}/users,
Keystone returns 404 Not Found.

First, it's incorrect to return 404 Not Found when the group resource exists.
Second, Keystone should be more robust. A user entry may not exist
because the LDAP administrator deleted the entry but forgot to update the group.

The server should return all the group members that do exist
and ignore the missing members,
and probably log a warning message about the missing user.

This can be recreated by:
1) start with devstack configured to use LDAP
# set LDAP options in localrc
./stack.sh ...

2) add the default domain since it doesn't exist by default for some reason.

$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w adminpwd
dn: cn=default,ou=Domains,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=dummy

3) Create a couple users

$ keystone user-create --name user1 --pass user1pwd
(example id is e1b7df356f004b73864afc8fdb261617)
$ keystone user-create --name user2 --pass user2pwd
(example id is bc8031d87e4c41d89f031a55ae7d8abd)

4) Create a group with both users:

$ ldapadd -x -D dc=Manager,dc=openstack,dc=org -w adminpwd

dn: ou=UserGroups,dc=openstack,dc=org
objectclass: organizationalUnit

dn: cn=group1,ou=UserGroups,dc=openstack,dc=org
objectclass: groupOfNames
member: cn=e1b7df356f004b73864afc8fdb261617,ou=Users,dc=openstack,dc=org
member: cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org

5) List group members; the users are in there.

$ curl -H "X-Auth-Token: admintoken" http://localhost:35357/v3/groups/group1/users
...

6) Delete the user from LDAP directly.

$ ldapdelete -x -D dc=Manager,dc=openstack,dc=org -w adminpwd "cn=bc8031d87e4c41d89f031a55ae7d8abd,ou=Users,dc=openstack,dc=org"

7) List group members again; it fails.

$ curl -H "X-Auth-Token: adminpwd" http://localhost:35357/v3/groups/group1/users | python -mjson.tool
{
    "error": {
        "code": 404,
        "message": "Could not find user: bc8031d87e4c41d89f031a55ae7d8abd",
        "title": "Not Found"
    }
}

The last list of group members should have worked and just returned the e1b7df356f004b73864afc8fdb261617 user.
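Added example (Python, not keystone's own code) modelling the report's LDAP tree after step 6 and contrasting the reported behaviour with the behaviour the report asks for: missing members are skipped with a warning, while a missing group still raises. The in-memory USERS/GROUPS dicts, the exception classes and the function names are assumptions standing in for the real backend.

```python
import logging

# Constructed stand-in for the report's LDAP tree after step 6 (not keystone code).
USER_TREE = "ou=Users,dc=openstack,dc=org"
USERS = {"cn=e1b7df356f004b73864afc8fdb261617," + USER_TREE: {"sn": "user1"}}
GROUPS = {
    "cn=group1,ou=UserGroups,dc=openstack,dc=org": [
        "cn=e1b7df356f004b73864afc8fdb261617," + USER_TREE,
        "cn=bc8031d87e4c41d89f031a55ae7d8abd," + USER_TREE,  # entry was deleted
    ],
}

class GroupNotFound(Exception):
    pass  # the group itself is missing: here 404 is the right answer

class UserNotFound(Exception):
    pass

def get_user(dn):
    if dn not in USERS:
        raise UserNotFound(dn)
    return USERS[dn]

def user_id_from_dn(dn):
    # "cn=<id>,ou=Users,..." -> "<id>"; the cn doubles as the keystone user id
    return dn.split(",", 1)[0].split("=", 1)[1]

def group_members(group_dn):
    if group_dn not in GROUPS:
        raise GroupNotFound(group_dn)
    return [m for m in GROUPS[group_dn] if m != "cn=dummy"]  # skip placeholder member

def list_group_users_buggy(group_dn):
    # Reported behaviour: the first dangling member DN raises, surfacing as 404.
    members = group_members(group_dn)
    for member_dn in members:
        get_user(member_dn)
    return [user_id_from_dn(m) for m in members]

def list_group_users(group_dn):
    # Fixed behaviour: keep the members that resolve, warn about the rest.
    found = []
    for member_dn in group_members(group_dn):
        try:
            get_user(member_dn)
        except UserNotFound:
            logging.warning("group %s lists missing user %s; skipping", group_dn, member_dn)
            continue
        found.append(user_id_from_dn(member_dn))
    return found
```

With the tree above, list_group_users("cn=group1,ou=UserGroups,dc=openstack,dc=org") returns only user1's id, whereas list_group_users_buggy raises UserNotFound for user2's dangling DN.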

Brant Knudson (blk-u) on 2013-04-29
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
Changed in keystone:
status: New → In Progress

Reviewed: https://review.openstack.org/27787
Committed: http://github.com/openstack/keystone/commit/4eb8233d9c6b73cedf25ea66edaccbcd092e13aa
Submitter: Jenkins
Branch: master

commit 4eb8233d9c6b73cedf25ea66edaccbcd092e13aa
Author: Brant Knudson <email address hidden>
Date: Mon Apr 29 19:19:27 2013 -0500

    LDAP list groups with missing member entry

    Using the LDAP identity backend,
    if a group member entry doesn't exist in the LDAP server anymore
    and the group's members are listed using GET /v3/groups/{groupId}/users,
    Keystone returns 404 Not Found.

    The server should return all the group members that do exist
    and ignore the missing members,
    and probably log a warning message about the missing user.

    Fixes bug 1174585

    Change-Id: Idf7c8c7f87affc4a72c5fe5e18e09a0f362e2646

Changed in keystone:
status: In Progress → Fix Committed
Brant Knudson (blk-u) on 2013-05-07
tags: added: grizzly-backport-potential
Alan Pevec (apevec) on 2013-05-22
Changed in keystone:
importance: Undecided → Medium
tags: removed: grizzly-backport-potential

Reviewed: https://review.openstack.org/28448
Committed: http://github.com/openstack/keystone/commit/45fa69b1cbb5d838b0422716e7247580bbaa6cb2
Submitter: Jenkins
Branch: stable/grizzly

commit 45fa69b1cbb5d838b0422716e7247580bbaa6cb2
Author: Brant Knudson <email address hidden>
Date: Mon Apr 29 19:19:27 2013 -0500

    LDAP list groups with missing member entry

    Using the LDAP identity backend,
    if a group member entry doesn't exist in the LDAP server anymore
    and the group's members are listed using GET /v3/groups/{groupId}/users,
    Keystone returns 404 Not Found.

    The server should return all the group members that do exist
    and ignore the missing members,
    and probably log a warning message about the missing user.

    Fixes bug 1174585

    Change-Id: Idf7c8c7f87affc4a72c5fe5e18e09a0f362e2646
    (cherry picked from commit 4eb8233d9c6b73cedf25ea66edaccbcd092e13aa)

Thierry Carrez (ttx) on 2013-05-29
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Brant Knudson (blk-u) wrote:

This problem has been reintroduced in the current codebase.

Changed in keystone:
status: Fix Released → New

Fix proposed to branch: master
Review: https://review.openstack.org/34475

Changed in keystone:
status: New → In Progress

Reviewed: https://review.openstack.org/34475
Committed: http://github.com/openstack/keystone/commit/600c38bae5ba70d3adc2ce69107ccbdddb42498d
Submitter: Jenkins
Branch: master

commit 600c38bae5ba70d3adc2ce69107ccbdddb42498d
Author: Brant Knudson <email address hidden>
Date: Tue Jun 25 17:14:37 2013 -0500

    LDAP list group users not fail if user entry deleted

    Using the LDAP identity backend,
    if a group member entry doesn't exist in the LDAP server anymore
    and the group's members are listed using GET /v3/groups/{groupId}/users,
    Keystone returns 404 Not Found.

    The server should return all the group members that do exist
    and ignore the missing members.

    Fixes bug 1174585

    Change-Id: I97b53e3d5a5810aa0818b785e23a1948499b29e8

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-07-17
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-1 → 2013.2