Update user name not supported by LDAP identity driver

Bug #1211643 reported by Ya Hong Du
Affects: OpenStack Identity (keystone)
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

Running keystone help user-update shows that the user name can be updated.
[root@localhost ~]# keystone help user-update
usage: keystone user-update [--name <user-name>] [--email <email>]
                            [--enabled <true|false>]
                            <user>

Update user's name, email, and enabled status

Arguments:
  --name <user-name> Desired new user name
  --email <email> Desired new email address
  --enabled <true|false>
                        Enable or disable user
  <user> Name or ID of user to update

Updating the user name from yahongdu to yhd fails:
[root@localhost ~]# keystone user-update --name yhd yahongdu
Unable to update user: Cannot change user name (HTTP 409)

Tags: ldap
Revision history for this message
Ya Hong Du (yahongdu) wrote :

/usr/lib/python2.6/site-packages/keystone/identity/backends/ldap.py

    def update_user(self, user_id, user):
        user = self.assignment_api._validate_default_domain(user)
        # the id in the body must match the id in the URL
        if 'id' in user and user['id'] != user_id:
            raise exception.ValidationError('Cannot change user ID')
        old_obj = self.user.get(user_id)
        # any change of name is rejected outright; Conflict is what the CLI
        # reports as HTTP 409
        if 'name' in user and old_obj.get('name') != user['name']:
            raise exception.Conflict('Cannot change user name')

This is the code that causes this issue. I will remove the check for the name. If anyone has any other concern, please let me know.

Changed in keystone:
assignee: nobody → Ya Hong Du (yahongdu)
status: New → In Progress
Revision history for this message
Ya Hong Du (yahongdu) wrote :

Code change in this code review.
https://review.openstack.org/#/c/41603/1

Revision history for this message
Adam Young (ayoung) wrote :

As you can see from the original code, this was a deliberate implementation decision. Neither the SQL nor the LDAP code allows modification of the usernames. Please respond here why you need this change.

Changed in keystone:
status: In Progress → Invalid
Revision history for this message
Ya Hong Du (yahongdu) wrote :

Some reasons to allow changing the user name:

1. The SQL backend allows changing the user name (tested).
2. The keystone CLI allows changing the user name.
3. I think we should not allow changing the name to an existing name (conflict check), but if the name is changed to a new name, I don't see a reason not to allow it.

Ya Hong Du (yahongdu)
Changed in keystone:
status: Invalid → New
Revision history for this message
Adam Young (ayoung) wrote :

It is more likely a mistake that the SQL backend allows modification of the user name than that we do not. Since the username is a unique identifier throughout the system, modification can have significant consequences. However, the business rule probably should be enforced by the LDAP backend, and not by Keystone.

Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Ya Hong Du (yahongdu) → nobody
Revision history for this message
Ya Hong Du (yahongdu) wrote : Ya Hong YH Du is on vacation from 1/27-2/9.

I will be out of the office starting 01/26/2014 and will not return until 02/10/2014.

I will respond to your message when I return.

Revision history for this message
Dolph Mathews (dolph) wrote : Re: Update user name failed with LDAP back end by CLI
tags: added: ldap
Revision history for this message
Mahesh Sawaiker (mahesh-sawaiker) wrote :

I also think modification of name should be allowed, especially since the database driver allows it.

Revision history for this message
Dolph Mathews (dolph) wrote :

Mahesh: FWIW, most LDAP deployments of keystone only have read-only access to the directory anyway. This sounds like a feature addition more so than a bug fix to me.

summary: - Update user name failed with LDAP back end by CLI
+ Update user name not supported by LDAP identity driver
Changed in keystone:
importance: Low → Wishlist
Revision history for this message
Mahesh Sawaiker (mahesh-sawaiker) wrote :

I think that can be controlled by the allow user update flag in keystone.conf.
So really it seems ok to allow the update of the user name.

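The example below is added here and is not keystone's code. It models the decision path argued over in this thread in one place: the shipped LDAP driver check quoted above (any rename is an HTTP 409), the reporter's alternative (only a rename onto a name that is already taken is a 409), and the read-only case Dolph and Mahesh mention, modelled on the user_allow_update option from the [ldap] section of keystone.conf. The in-memory store, the exception classes with HTTP codes, the allow_rename switch, the cli_user_update() helper and the two sample users are all stand-ins constructed for the example; in real keystone the uniqueness scope for a name is the domain, while this store uses one flat namespace.

```python
# Added example: NOT keystone code. Stand-ins for the LDAP identity driver,
# keystone.exception and the [ldap] user_allow_update option, so that the
# three behaviours discussed in the bug can be run side by side.


class ValidationError(Exception):
    """Stand-in for keystone.exception.ValidationError (HTTP 400)."""
    code = 400


class UserNotFound(Exception):
    """Stand-in for keystone.exception.UserNotFound (HTTP 404)."""
    code = 404


class Conflict(Exception):
    """Stand-in for keystone.exception.Conflict, shown by the CLI as HTTP 409."""
    code = 409


class ForbiddenAction(Exception):
    """Stand-in for the error a read-only driver raises (HTTP 403)."""
    code = 403


class UserStore:
    """Minimal in-memory directory keyed by user id; names are unique."""

    def __init__(self, users, allow_update=True, allow_rename=False):
        # allow_update models keystone.conf [ldap] user_allow_update;
        # allow_rename is a hypothetical per-driver switch, not a real option.
        self.users = {u['id']: dict(u) for u in users}
        self.allow_update = allow_update
        self.allow_rename = allow_rename

    def get(self, user_id):
        if user_id not in self.users:
            raise UserNotFound('Could not find user: %s' % user_id)
        return dict(self.users[user_id])

    def find_by_name(self, name):
        for u in self.users.values():
            if u['name'] == name:
                return dict(u)
        return None

    def update_user(self, user_id, user):
        """Apply the partial dict `user` to user_id with the same ordering of
        checks as the ldap.py excerpt, but treating a rename as a uniqueness
        question instead of rejecting it outright when allow_rename is set."""
        if not self.allow_update:
            raise ForbiddenAction('driver is read-only (user_allow_update=False)')
        if 'id' in user and user['id'] != user_id:
            raise ValidationError('Cannot change user ID')
        old_obj = self.get(user_id)
        if 'name' in user and old_obj['name'] != user['name']:
            if not self.allow_rename:
                # behaviour of the shipped driver: the rename itself is a 409
                raise Conflict('Cannot change user name')
            other = self.find_by_name(user['name'])
            if other is not None and other['id'] != user_id:
                # the reporter's proposal: only a collision is a 409
                raise Conflict("user name '%s' already exists" % user['name'])
        old_obj.update(user)
        self.users[user_id] = old_obj
        return dict(old_obj)


def cli_user_update(store, user_ref, **changes):
    """Mimic `keystone user-update`: resolve <user> by id or by name, apply
    --name/--email/--enabled, and return the CLI-style message on failure."""
    target = store.users.get(user_ref) or store.find_by_name(user_ref)
    if target is None:
        return 'No user with a name or ID of %r exists.' % user_ref
    try:
        return store.update_user(target['id'], changes)
    except (ValidationError, UserNotFound, Conflict, ForbiddenAction) as e:
        return 'Unable to update user: %s (HTTP %d)' % (e, e.code)


# constructed sample data
SAMPLE_USERS = [
    {'id': 'u1', 'name': 'yahongdu', 'email': 'yh@example.com', 'enabled': True},
    {'id': 'u2', 'name': 'bob', 'email': 'bob@example.com', 'enabled': True},
]

if __name__ == '__main__':
    shipped = UserStore(SAMPLE_USERS)                       # driver as quoted above
    print(cli_user_update(shipped, 'yahongdu', name='yhd'))
    proposed = UserStore(SAMPLE_USERS, allow_rename=True)   # reporter's proposal
    print(cli_user_update(proposed, 'yahongdu', name='yhd'))
    print(cli_user_update(proposed, 'yhd', name='bob'))     # collision still 409
    readonly = UserStore(SAMPLE_USERS, allow_update=False)  # typical LDAP deployment
    print(cli_user_update(readonly, 'yahongdu', email='x@example.com'))
```

The first call reproduces the message from the bug report; the second and third show that a collision check alone already keeps names unique; the last shows why the flag Mahesh refers to is the real gate in most deployments, since a read-only driver never reaches the rename check at all.
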
Revision history for this message
David Stanek (dstanek) wrote :

I agree with Dolph that this really should be a blueprint to describe and track the new feature.

Revision history for this message
Steve Martinelli (stevemar) wrote :

Write support for the identity LDAP backend is being deprecated.

Changed in keystone:
status: Confirmed → Won't Fix