Authorization Failed: Could not find user, None. (HTTP 404)

Bug #1204221 reported by alexius ludeman on 2013-07-23
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Wu Wenxiang

Bug Description

assignment/core.py:
    def _get_group_project_roles():
        ...
        metadata_ref = self._get_metadata(
            group_id=x['id'],
            domain_id=project_ref['domain_id'])

self._get_metadata() gets called with user_id=None

assignment/backends/ldap.py:
    def _get_metadata():
        ...
        if (not self.get_project(tenant_id) or
                user_id and not self.identity_api.get_user(user_id)):

self.identity_api.get_user(user_id) raises "Could not find user" since user_id = None

affects: python-keystoneclient → keystone
Dolph Mathews (dolph) on 2013-07-23
Changed in keystone:
status: New → Confirmed
importance: Undecided → High
Changed in keystone:
assignee: nobody → Kun Huang (academicgareth)
alexius ludeman (lexinator) wrote :

Whoops, I just realized I accidentally copy/pasted my fix.

original should be:
    if (not self.get_project(tenant_id) or
         not self.identity_api.get_user(user_id)):

my local fix is:
    if (not self.get_project(tenant_id) or
        user_id and not self.identity_api.get_user(user_id)):

Kun Huang (academicgareth) wrote :

alexius

If you would like to patch it, just do it and don't care about the 'assigned to'. Anything is OK before any other guy uploads his changeset. So you could also assign this bug to yourself and run 'git review' now.

alexius ludeman (lexinator) wrote :

Hi Kun,
Currently I'm unable to submit patches.

Fix proposed to branch: master
Review: https://review.openstack.org/38963

Changed in keystone:
assignee: Kun Huang (academicgareth) → Wu Wenxiang (wu-wenxiang)
status: Confirmed → In Progress
alexius ludeman (lexinator) wrote :

I didn't put this in the original bug message, but the same raise occurs in the following function:
    metadata_ref = _get_roles_for_just_user_and_project(user_id, tenant_id)

Wu Wenxiang (wu-wenxiang) wrote :

This bug report is wrong. The UserNotFound exception was not raised from
    metadata_ref = self._get_metadata(group_id=x['id'], domain_id=project_ref['domain_id'])
but from
    metadata_ref = self._get_metadata(group_id=x['id'], tenant_id=project_ref['id'])

Bug Log:

======================================================================
ERROR: test_get_roles_for_user_and_project (tests.test_backend_ldap.LDAPIdentity)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/trystack/src/keystone/tests/test_backend_ldap.py", line 651, in test_get_roles_for_user_and_project
    tenant_id=self.tenant_bar["id"])
  File "/home/trystack/src/keystone/keystone/assignment/core.py", line 127, in get_roles_for_user_and_project
    group_role_list = _get_group_project_roles(user_id, project_ref)
  File "/home/trystack/src/keystone/keystone/assignment/core.py", line 81, in _get_group_project_roles
    group_id=x['id'], tenant_id=project_ref['id'])
  File "/home/trystack/src/keystone/keystone/common/manager.py", line 44, in _wrapper
    return f(*args, **kw)
  File "/home/trystack/src/keystone/keystone/assignment/backends/ldap.py", line 104, in _get_metadata
    not self.identity_api.get_user(user_id)):
  File "/home/trystack/src/keystone/keystone/common/manager.py", line 44, in _wrapper
    return f(*args, **kw)
  File "/home/trystack/src/keystone/keystone/identity/backends/ldap.py", line 76, in get_user
    ref = identity.filter_user(self._get_user(user_id))
  File "/home/trystack/src/keystone/keystone/identity/backends/ldap.py", line 73, in _get_user
    return self.user.get(user_id)
  File "/home/trystack/src/keystone/keystone/common/ldap/core.py", line 683, in get
    ref = super(EnabledEmuMixIn, self).get(object_id, filter)
  File "/home/trystack/src/keystone/keystone/common/ldap/core.py", line 353, in get
    raise self._not_found(id)
UserNotFound: Could not find user, None.

alexius ludeman (lexinator) wrote :

OK, great, the unit test is now catching it!

Though I'm pretty sure that it would fail the same way for both code paths since user_id=None.

Reviewed: https://review.openstack.org/38963
Committed: http://github.com/openstack/keystone/commit/5e7a56728c5c4e98dc509fb044886d6f8dd08e17
Submitter: Jenkins
Branch: master

commit 5e7a56728c5c4e98dc509fb044886d6f8dd08e17
Author: Wu Wenxiang <wu.wenxiang@99cloud.net>
Date: Sun Jul 28 22:19:42 2013 +0800

    Add defense in ldap:get_roles_for_user_and_project

    LDAP:get_roles_for_user_and_project will raise "Could not find user"
    exception when you try to get roles by user(user was in a group) and
    project.

    In this patch:
    1. Add defense in assignment.backends.ldap.Assignment::_get_metadata(),
    return empty dict rather than throw exception when userid==None or
    tenantid==None.
    2. Remove checking existence of tenant_id and user_id
    logic, because these logics were always done before this method being
    called.
    3. Add testcase test_get_role_by_user_and_project_with_user_in_group
    in test_backend module.

    Fixes bug #1204221

    Change-Id: I68c39afddde4065fc61ffb9451592c5108dc138b

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-09-05
Changed in keystone:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-3 → 2013.2
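
The failure discussed in this report, reproduced as an added example (not keystone code and not part of the original thread): it runs the original guard, the reporter's local guard, and the early return described in the commit message against a group-based call where user_id is None. The stub classes, the `guard` switch, `outcome` and the sample IDs are constructed, and the role lookup calling `get_user` again is an assumption modelled on the reporter's later comment.

```python
class UserNotFound(Exception):
    pass

class StubIdentity:
    """Hypothetical stand-in for identity_api; raises like the traceback."""
    def __init__(self, users):
        self.users = users
    def get_user(self, user_id):
        if user_id not in self.users:
            raise UserNotFound("Could not find user, %s." % user_id)
        return self.users[user_id]

class StubAssignment:
    """Simplified, assumed model of the LDAP assignment backend."""
    def __init__(self, identity_api, projects, grants):
        self.identity_api = identity_api
        self.projects = projects      # tenant_id -> project ref
        self.grants = grants          # (user_id, tenant_id) -> role ids
    def get_project(self, tenant_id):
        return self.projects.get(tenant_id)
    def _roles_for_user(self, user_id, tenant_id):
        # Assumption: the per-user role lookup validates the user again.
        self.identity_api.get_user(user_id)
        return self.grants.get((user_id, tenant_id), [])

    def get_metadata(self, guard, user_id=None, tenant_id=None, group_id=None):
        # group_id is accepted but unused, as in the group-based call path.
        if guard == "original":
            if (not self.get_project(tenant_id) or
                    not self.identity_api.get_user(user_id)):
                return {}
        elif guard == "local_fix":
            if (not self.get_project(tenant_id) or
                    user_id and not self.identity_api.get_user(user_id)):
                return {}
        elif guard == "committed":
            # Behaviour stated in the commit message: empty dict, no exception.
            if user_id is None or tenant_id is None:
                return {}
        roles = self._roles_for_user(user_id, tenant_id)
        return {"roles": roles} if roles else {}

def outcome(guard, **kw):
    # Constructed sample data: one user, one project, one role grant.
    backend = StubAssignment(StubIdentity({"u1": {"id": "u1"}}),
                             {"bar": {"id": "bar"}}, {("u1", "bar"): ["member"]})
    try:
        return backend.get_metadata(guard, **kw)
    except UserNotFound as exc:
        return str(exc)
```

In this model the short-circuit guard alone only moves the exception to the later lookup, while the early return yields an empty result for the group call and leaves the ordinary user-and-project lookup unchanged.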