OpenStack Identity (keystone)

able to create two users with the same name in the same domain with sqlite

Bug #1304049 reported by Guang Yee
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Invalid
Low
Unassigned

Bug Description

Looks like we can create two different users with the same name in the same domain. That should not be allowed.

gyee@gyee-VirtualBox:~/projects/openstack/keystone$ curl -s -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"domain": {"name": "test-domain"}}' -XPOST http://localhost:35357/v3/domains | python -mjson.tool
{
    "domain": {
        "enabled": true,
        "id": "ebf7d50dbba54e13a1fe881e39ad4409",
        "links": {
            "self": "http://localhost:35357/v3/domains/ebf7d50dbba54e13a1fe881e39ad4409"
        },
        "name": "test-domain"
    }
}
gyee@gyee-VirtualBox:~/projects/openstack/keystone$ curl -s -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"user": {"name": "jacksquat", "password": "jacksquat", "domain_id": "ebf7d50dbba54e13a1fe881e39ad4409"}}' -XPOST http://localhost:35357/v3/users | python -mjson.tool
{
    "user": {
        "domain_id": "ebf7d50dbba54e13a1fe881e39ad4409",
        "enabled": true,
        "id": "375ac107d3624752a5a53dc561ba578c",
        "links": {
            "self": "http://localhost:35357/v3/users/375ac107d3624752a5a53dc561ba578c"
        },
        "name": "jacksquat"
    }
}
gyee@gyee-VirtualBox:~/projects/openstack/keystone$ curl -s -H 'X-Auth-Token: ADMIN' -H 'Content-Type: application/json' -d '{"user": {"name": "jacksquat", "password": "jacksquat-fake", "domain_id": "ebf7d50dbba54e13a1fe881e39ad4409"}}' -XPOST http://localhost:35357/v3/users | python -mjson.tool
{
    "user": {
        "domain_id": "ebf7d50dbba54e13a1fe881e39ad4409",
        "enabled": true,
        "id": "c3bd426062d243d68d5ada2bb5984751",
        "links": {
            "self": "http://localhost:35357/v3/users/c3bd426062d243d68d5ada2bb5984751"
        },
        "name": "jacksquat"
    }
}

Now try to authenticate the user and obviously it will fail.

gyee@gyee-VirtualBox:~/projects/openstack/keystone$ curl -s -H 'Content-Type: application/json' -d '{"auth": {"identity": {"methods": ["password"], "password": {"user": {"name": "jacksquat", "password": "jacksquat", "domain": {"id": "ebf7d50dbba54e13a1fe881e39ad4409"}}}}}}' -XPOST http://localhost:35357/v3/auth/tokens | python -mjson.tool
{
    "error": {
        "code": 500,
        "message": "An unexpected error prevented the server from fulfilling your request.",
        "title": "Internal Server Error"
    }
}

Revision history for this message
Guang Yee (guang-yee) wrote :

Stacktrace from the backend when authenticating the user

2014-04-07 14:22:50.595 11069 ERROR keystone.common.wsgi [-] Multiple rows were found for one()
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/common/wsgi.py", line 207, in __call__
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi result = method(context, **params)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/auth/controllers.py", line 323, in authenticate_for_token
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi self.authenticate(context, auth_info, auth_context)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/auth/controllers.py", line 423, in authenticate
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi auth_context)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/auth/plugins/password.py", line 111, in authenticate
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi user_info = UserAuthInfo.create(auth_payload)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/auth/plugins/password.py", line 31, in create
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi user_auth_info._validate_and_normalize_auth_data(auth_payload)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/auth/plugins/password.py", line 89, in _validate_and_normalize_auth_data
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi user_name, domain_ref['id'])
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/identity/core.py", line 184, in wrapper
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi return f(self, *args, **kwargs)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/identity/core.py", line 310, in get_user_by_name
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi ref = driver.get_user_by_name(user_name, domain_id)
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/home/gyee/projects/openstack/keystone/keystone/identity/backends/sql.py", line 143, in get_user_by_name
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi user_ref = query.one()
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/query.py", line 2370, in one
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi "Multiple rows were found for one()")
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi MultipleResultsFound: Multiple rows were found for one()
2014-04-07 14:22:50.595 11069 TRACE keystone.common.wsgi

Revision history for this message
Dolph Mathews (dolph) wrote :

Which SQL server? (I've run into bugs similar to this against sqlite that weren't reproducible against mysql or postgres, for example)

Changed in keystone:
importance: Undecided → High
tags: added: icehouse-rc-potential
Changed in keystone:
status: New → Incomplete
Revision history for this message
Guang Yee (guang-yee) wrote :

sqlite 2.6.3

Just do this

1. remove the existing keystone.db
2. create a new keystone.db (db_sync)

Revision history for this message
Dolph Mathews (dolph) wrote :

But is this reproducible against anything other than sqlite?

Revision history for this message
Guang Yee (guang-yee) wrote :

Not reproducible with mysql backend. Not sure about other SQL backends as I only have mysql setup locally.

Dolph Mathews (dolph)
summary: - able to create two users with the same name in the same domain
+ able to create two users with the same name in the same domain with
+ sqlite
Changed in keystone:
importance: High → Low
status: Incomplete → Triaged
Dolph Mathews (dolph)
tags: removed: icehouse-rc-potential
Akshay (akshay-onweb)
Changed in keystone:
assignee: nobody → Akshay (akshay-onweb)
Akshay (akshay-onweb)
Changed in keystone:
assignee: Akshay (akshay-onweb) → nobody
Steve Martinelli (stevemar)
tags: added: sql validation
Morgan Fainberg (mdrnstm)
tags: added: sqlite
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

I just confirmed this is no longer an issue

Changed in keystone:
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.