Keystone adds role to non-existing user in specific tenant by API
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Won't Fix | Medium | Lin Hua Cheng |
Bug Description
Icehouse, discovered during tempest testing:
The scenario is adding a role to a non-existing user in a specific tenant:
- Tenant-id = 2775ce375d62473
- Role-id = 9fe2ff9ee4384b1
- User-id is some junk, like: junk-user-id-2999
The problem exists only in API requests; the CLI command reports an error:
@all-in-one:~# keystone user-role-add --user user-junk-id-101010 --role 9fe2ff9ee4384b1
No user with a name or ID of 'user-junk-
With API:
1) Authenticate and get token:
curl -d '{"auth"
sed -i 's/.*"id": "\(.\+\
2) Add existing role in existing tenant to non-existing user "junk-user-
curl -i -H "X-Auth-Token:`cat /tmp/aaa`" -X PUT http://
The output means success:
{"role": {"enabled": "True", "description": "Default role for project membership", "name": "_member_", "id": "9fe2ff9ee4384b
3) repeat the last request and get output:
{"error": {"message": "Conflict occurred attempting to store role grant. User junk-user-id-2999 already has role 9fe2ff9ee4384b1
Seems like the user is self-added.
Although there is no such user in this tenant:
curl -H "X-Auth-Token:`cat /tmp/aaa`" http://
--- no junk-user-id-2999 here ---
Seems like there is no user ID check in the API.
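A toy model of the grant path this report describes, added here as an example and not Keystone's own code: the unchecked path validates tenant and role but not the user (so the junk ID is stored and a repeat grant conflicts), the checked path refuses an unknown user as the CLI already does, and an audit helper lists grants whose user ID matches no existing user. `RoleStore` and its methods are hypothetical; the IDs are the ones from the report.

```python
# Added example, not Keystone's code: a toy model of the v2 role-grant path.
# RoleStore and its methods are hypothetical; the IDs are the ones in the report.

class NotFound(Exception):
    """Mirrors the error the CLI path reports for an unknown user."""

class Conflict(Exception):
    """Mirrors the conflict seen when the same grant is repeated."""

class RoleStore:
    def __init__(self, users, tenants, roles):
        self.users, self.tenants, self.roles = set(users), set(tenants), set(roles)
        self.grants = set()  # (user_id, tenant_id, role_id)

    def grant_unchecked(self, user_id, tenant_id, role_id):
        """Reported behaviour: tenant and role are validated, the user is not."""
        if tenant_id not in self.tenants:
            raise NotFound("tenant %s" % tenant_id)
        if role_id not in self.roles:
            raise NotFound("role %s" % role_id)
        key = (user_id, tenant_id, role_id)
        if key in self.grants:
            raise Conflict("User %s already has role %s" % (user_id, role_id))
        self.grants.add(key)
        return key

    def grant_checked(self, user_id, tenant_id, role_id):
        """Consistent behaviour: refuse an unknown user, as the CLI already does."""
        if user_id not in self.users:
            raise NotFound("No user with a name or ID of '%s'" % user_id)
        return self.grant_unchecked(user_id, tenant_id, role_id)

    def dangling_grants(self):
        """Audit check: grants whose user id matches no existing user."""
        return sorted(g for g in self.grants if g[0] not in self.users)

def reproduce():
    """Replay the report's PUT, the repeated PUT, and the audit on the toy store."""
    store = RoleStore(users={"admin"}, tenants={"2775ce375d62473"},
                      roles={"9fe2ff9ee4384b1"})
    first = store.grant_unchecked("junk-user-id-2999", "2775ce375d62473", "9fe2ff9ee4384b1")
    try:
        store.grant_unchecked("junk-user-id-2999", "2775ce375d62473", "9fe2ff9ee4384b1")
        second = "accepted"
    except Conflict:
        second = "conflict"
    return first, second, store.dangling_grants()

if __name__ == "__main__":
    print(reproduce())
```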
Changed in keystone: assignee: nobody → Juan Manuel Ollé (juan-m-olle)
Changed in keystone: assignee: Juan Manuel Ollé (juan-m-olle) → nobody
tags: added: meeting-topic
Changed in keystone: status: In Progress → Triaged
Changed in keystone: assignee: nobody → WuKong (rebirthmonkey)
Changed in keystone: assignee: WuKong (rebirthmonkey) → nobody
Changed in keystone: assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone: status: Triaged → In Progress
keystone user-role-add might be determining that "user-junk-id-101010" is not a valid user ID, and thus making a different API call? Either way, keystone should consistently throw an error given invalid input.