For ldap, API wrongly reports user is in group

Bug #1245247 reported by Craig Jellick
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: wanghong

Bug Description

When the ldap identity backend is configured,
HEAD v3/groups/{group_id}/users/{user_id}
always returns 200, regardless of whether or not the user is actually in the group.

Fix is simple:
keystone.identity.backends.ldap.check_user_in_group() should raise an exception if the user isn't in the group, rather than just return false

information type: Private Security → Public
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/54032

Changed in keystone:
assignee: nobody → Craig Jellick (craig-jellick)
status: New → In Progress
summary: - When using ldap identity backend, API reports that a user is in a group
- when he isnt
+ For ldap, API wrongly reports user is in group
Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Craig Jellick (craig-jellick) → nobody
status: In Progress → Triaged
wanghong (w-wanghong)
Changed in keystone:
assignee: nobody → wanghong (w-wanghong)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/80934

Changed in keystone:
status: Triaged → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/85103

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/85104

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/80934
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=da006715840b665e8f07c042587ecd3d4bce1ff7
Submitter: Jenkins
Branch: master

commit da006715840b665e8f07c042587ecd3d4bce1ff7
Author: wanghong <email address hidden>
Date: Mon Mar 17 17:22:08 2014 +0800

    For ldap, API wrongly reports user is in group

    When the ldap identity backend is configured,
    HEAD v3/groups/{group_id}/users/{user_id}
    always returns 200, even if the user is not actually in the group.
    This is because the sql and kvs backend will raise NotFound
    exception if the user is not in the group, but the ldap backend
    just return result.

    Change-Id: Ie1585c8aebe054091bd76fded666bf41125ff9ca
    Closes-Bug: 1245247
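
The contract mismatch described in the commit message above, as an added example that is not keystone's own code: a simplified model in which the API layer relies only on exceptions, plus a cross-backend check that flags any backend reporting a non-member as present. Only check_user_in_group and NotFound come from this page; the class names, the helper functions, the 404 mapping and the sample data are assumptions.

```python
# Simplified model of the backend contract mismatch. Only check_user_in_group
# and NotFound appear in the bug report; every other name is hypothetical.

class NotFound(Exception):
    """Stand-in for the NotFound exception the sql and kvs backends raise."""

# Constructed sample data: group id -> set of member user ids.
MEMBERS = {"admins": {"alice"}}

class RaisingBackend:
    """Contract described for sql/kvs: raise NotFound for a non-member."""
    def check_user_in_group(self, user_id, group_id):
        if user_id not in MEMBERS.get(group_id, set()):
            raise NotFound(f"user {user_id} is not in group {group_id}")

class LdapBackendBefore:
    """Behaviour reported in the bug: the result is returned, never raised."""
    def check_user_in_group(self, user_id, group_id):
        return user_id in MEMBERS.get(group_id, set())

class LdapBackendAfter:
    """Behaviour after the fix: same contract as the other backends."""
    def check_user_in_group(self, user_id, group_id):
        if user_id not in MEMBERS.get(group_id, set()):
            raise NotFound(f"user {user_id} is not in group {group_id}")

def head_user_in_group(backend, group_id, user_id):
    """Hypothetical API layer: only an exception signals 'not a member'."""
    try:
        backend.check_user_in_group(user_id, group_id)  # return value ignored
    except NotFound:
        return 404  # assumed mapping of NotFound to an HTTP status
    return 200      # the status the report says was always returned

def contract_violations(backends, group_id, non_member):
    """Names of backends that report a known non-member as present."""
    return [type(b).__name__ for b in backends
            if head_user_in_group(b, group_id, non_member) != 404]

if __name__ == "__main__":
    backends = [RaisingBackend(), LdapBackendBefore(), LdapBackendAfter()]
    print(contract_violations(backends, "admins", "bob"))
```

Running the same negative-membership check against every configured backend catches a driver that returns a boolean where the caller expects an exception.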

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in keystone:
milestone: none → icehouse-rc2
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (milestone-proposed)

Reviewed: https://review.openstack.org/85103
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=628f383fbb14ae99679957ab05a02562a4d43d91
Submitter: Jenkins
Branch: milestone-proposed

commit 628f383fbb14ae99679957ab05a02562a4d43d91
Author: wanghong <email address hidden>
Date: Mon Mar 17 17:22:08 2014 +0800

    For ldap, API wrongly reports user is in group

    When the ldap identity backend is configured,
    HEAD v3/groups/{group_id}/users/{user_id}
    always returns 200, even if the user is not actually in the group.
    This is because the sql and kvs backend will raise NotFound
    exception if the user is not in the group, but the ldap backend
    just return result.

    Change-Id: Ie1585c8aebe054091bd76fded666bf41125ff9ca
    Closes-Bug: 1245247

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-rc2 → 2014.1