keystone.tenant.list_users returns user multiple times

Bug #1308218 reported by Christina Darretta on 2014-04-15
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Christina Darretta
Icehouse
Medium
Kieran Spear

Bug Description

With the icehouse code base, if you call keystone v2's keystone.tenant.list_users(<tenant_id>) it returns each user * the number of roles the user has in the project.

My assignment table for my test server looks like this for one specific project_id:

mysql> select * from assignment where target_id='0f031cca55704f87af9630d939c1ebd3'\G
*************************** 1. row ***************************
     type: UserProject
 actor_id: 665cae4478fb47a1ab21eecf95ea200c
target_id: 0f031cca55704f87af9630d939c1ebd3
  role_id: dc6dbe0f687d4afb8f2634fb2a3a61c2
inherited: 0
*************************** 2. row ***************************
     type: UserProject
 actor_id: 665cae4478fb47a1ab21eecf95ea200c
target_id: 0f031cca55704f87af9630d939c1ebd3
  role_id: bd089cb8a31c47af9aff36e40fe8e99e
inherited: 0
*************************** 3. row ***************************
     type: UserProject
 actor_id: 665cae4478fb47a1ab21eecf95ea200c
target_id: 0f031cca55704f87af9630d939c1ebd3
  role_id: 9ee0b22736dd4fc480432929dfa1e899
inherited: 0
*************************** 4. row ***************************
     type: UserProject
 actor_id: 665cae4478fb47a1ab21eecf95ea200c
target_id: 0f031cca55704f87af9630d939c1ebd3
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 5. row ***************************
     type: UserProject
 actor_id: 665cae4478fb47a1ab21eecf95ea200c
target_id: 0f031cca55704f87af9630d939c1ebd3
  role_id: b804871ba2c543fdbc0e20bc0ebcd658
inherited: 0
5 rows in set (0.01 sec)

So user '665cae4478fb47a1ab21eecf95ea200c' has 5 roles in project '0f031cca55704f87af9630d939c1ebd3'. With a keystone client connection to v2.0, I get the same user returned 5 times:

>tenants.list_users('0f031cca55704f87af9630d939c1ebd3')
[<User {u'username': u'ctina', u'name': u'ctina', u'enabled': True, u'tenantId': u'0f031cca55704f87af9630d939c1ebd3', u'id': u'665cae4478fb47a1ab21eecf95ea200c', u'email': None}>, <User {u'username': u'ctina', u'name': u'ctina', u'enabled': True, u'tenantId': u'0f031cca55704f87af9630d939c1ebd3', u'id': u'665cae4478fb47a1ab21eecf95ea200c', u'email': None}>, <User {u'username': u'ctina', u'name': u'ctina', u'enabled': True, u'tenantId': u'0f031cca55704f87af9630d939c1ebd3', u'id': u'665cae4478fb47a1ab21eecf95ea200c', u'email': None}>, <User {u'username': u'ctina', u'name': u'ctina', u'enabled': True, u'tenantId': u'0f031cca55704f87af9630d939c1ebd3', u'id': u'665cae4478fb47a1ab21eecf95ea200c', u'email': None}>, <User {u'username': u'ctina', u'name': u'ctina', u'enabled': True, u'tenantId': u'0f031cca55704f87af9630d939c1ebd3', u'id': u'665cae4478fb47a1ab21eecf95ea200c', u'email': None}>]

The Havana code calls the following:
    def list_user_ids_for_project(self, tenant_id):
        session = self.get_session()
        self.get_project(tenant_id)
        query = session.query(UserProjectGrant)
        query = query.filter(UserProjectGrant.project_id ==
                             tenant_id)
        project_refs = query.all()
        return [project_ref.user_id for project_ref in project_refs]

class UserProjectGrant(sql.ModelBase, BaseGrant):
    __tablename__ = 'user_project_metadata'
    user_id = sql.Column(sql.String(64), primary_key=True)
    project_id = sql.Column(sql.String(64), sql.ForeignKey('project.id'),
                            primary_key=True)
    data = sql.Column(sql.JsonBlob())

The user_project_metadata table has the roles listed as a dictionary inside of the 'data' column, so each user has only one entry. The Icehouse code calls the same list_user_ids_for_project, but it uses the assignment table, which has one entry for each user/project/role combination, leading to a user potentially having multiple entries per project.

Dolph Mathews (dolph) on 2014-04-15
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Nathanael Burton (mathrock) wrote :

This seems to be a pretty big regression in v2 API behavior.

Dolph Mathews (dolph) wrote :

Agree; I included this in the release notes [1] as a known issue [2]. We definitely need to include a fix in the first stable update. If this is breaking another project somehow, please make a note here!

[1] https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse
[2] https://wiki.openstack.org/wiki/ReleaseNotes/Icehouse#Known_Issues_5

Thierry Carrez (ttx) on 2014-04-17
tags: added: icehouse-backport-potential
removed: icehouse-rc-potential
wanghong (w-wanghong) wrote :

I have a question: does the v3 API need list_users_for_project and list_users_for_domain APIs?

wanghong (w-wanghong) wrote :

I think these two APIs will be very useful for admin.

Changed in keystone:
assignee: nobody → wanghong (w-wanghong)
Christina Darretta (darrettac) wrote :

For V3, the users list command accepts different parameters that get the result you're looking for:
 users.list(project=<project>) and users.list(domain=<domain>)

The users.list(project=<project>) also returns duplicates.

Dolph Mathews (dolph) wrote :

Christina: ++ users.list(project=<project>) should be calling the same broken driver method.

Christina Darretta (darrettac) wrote :

Submitted patch for review: https://review.openstack.org/#/c/88621/

Changed in keystone:
assignee: wanghong (w-wanghong) → Christina Darretta (darrettac)
Changed in keystone:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/88621
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d6cb7043cb47f5e73b61635af596736314441275
Submitter: Jenkins
Branch: master

commit d6cb7043cb47f5e73b61635af596736314441275
Author: Christina Darretta <email address hidden>
Date: Fri Apr 18 11:36:31 2014 -0400

    Removed duplication with list_user_ids_for_project

    Keystone list_user_ids_for_project has the possibility of returning
    duplicate users if the user has more than one role in the project.
    list_user_ids_for_project queries the assignment table which has
    one entry for every role the user has but will now remove
    duplicate combinations of target_id and actor_id. This impacts
    V2 calls for tenants.list_users(<tenant_id>) and
    users.list(tenant_id=<tenant_id>).

    Change-Id: I9a1e5b944c2c627138851976e81d405f54fae1c9
    Closes-Bug: #1308218
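
The duplication described in the bug report and the deduplication described in the commit message above, reproduced as an added example that is not keystone's code or part of the original thread. It uses an in-memory sqlite3 table as a stand-in for the assignment table, with the columns shown in the report; the primary key, the placeholder role ids, `user-b` and `other-project` are constructed assumptions.

```python
import sqlite3

PROJECT = "0f031cca55704f87af9630d939c1ebd3"  # project id from the report
USER = "665cae4478fb47a1ab21eecf95ea200c"     # user id from the report


def build_db():
    """In-memory stand-in for the assignment table: one row per role grant."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE assignment (type TEXT, actor_id TEXT, target_id TEXT,"
        " role_id TEXT, inherited INTEGER,"
        # Primary key is an assumption made for this example.
        " PRIMARY KEY (type, actor_id, target_id, role_id))"
    )
    # Five roles for one user in one project, as in the report (role ids constructed).
    rows = [("UserProject", USER, PROJECT, "role-%d" % i, 0) for i in range(5)]
    # Constructed rows: a second user with one role, and a grant in another project.
    rows.append(("UserProject", "user-b", PROJECT, "role-0", 0))
    rows.append(("UserProject", USER, "other-project", "role-0", 0))
    db.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?, ?)", rows)
    return db


def list_user_ids_naive(db, project_id):
    """Reported behaviour: one user id per assignment row, so one per role."""
    cur = db.execute(
        "SELECT actor_id FROM assignment"
        " WHERE type = 'UserProject' AND target_id = ? ORDER BY actor_id",
        (project_id,),
    )
    return [row[0] for row in cur]


def list_user_ids_distinct(db, project_id):
    """Deduplicated: each (actor_id, target_id) combination is returned once."""
    cur = db.execute(
        "SELECT DISTINCT actor_id FROM assignment"
        " WHERE type = 'UserProject' AND target_id = ? ORDER BY actor_id",
        (project_id,),
    )
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = build_db()
    print(len(list_user_ids_naive(db, PROJECT)), list_user_ids_distinct(db, PROJECT))
```

Any caller that counts or iterates project members from the naive listing sees the first user five times; the distinct listing returns each member once regardless of how many roles they hold.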

Changed in keystone:
status: In Progress → Fix Committed
Alan Pevec (apevec) on 2014-05-28
tags: removed: icehouse-backport-potential

Reviewed: https://review.openstack.org/92051
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0bd819c4695034b8a68a13c7739accd2726879a7
Submitter: Jenkins
Branch: stable/icehouse

commit 0bd819c4695034b8a68a13c7739accd2726879a7
Author: Christina Darretta <email address hidden>
Date: Fri Apr 18 11:36:31 2014 -0400

    Removed duplication with list_user_ids_for_project

    Keystone list_user_ids_for_project has the possibility of returning
    duplicate users if the user has more than one role in the project.
    list_user_ids_for_project queries the assignment table which has
    one entry for every role the user has but will now remove
    duplicate combinations of target_id and actor_id. This impacts
    V2 calls for tenants.list_users(<tenant_id>) and
    users.list(tenant_id=<tenant_id>).

    Change-Id: I9a1e5b944c2c627138851976e81d405f54fae1c9
    Closes-Bug: #1308218
    (cherry picked from commit d6cb7043cb47f5e73b61635af596736314441275)

Thierry Carrez (ttx) on 2014-06-11
Changed in keystone:
milestone: none → juno-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in keystone:
milestone: juno-1 → 2014.2