Icehouse, discovered during tempest testing:
Scenario is adding role to non-existing user in specific tenant:
Tenant-id = 2775ce375d624735b49347cdac41a946
Role-id = 9fe2ff9ee4384b1894a90878d3e92bab
User-id is some junk, like: junk-user-id-2999
The problem exists only in API requests, cli command reports an error:
@all-in-one:~# keystone user-role-add --user user-junk-id-101010 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 2775ce375d624735b49347cdac41a946
No user with a name or ID of 'user-junk-id-101010' exists.
With API:
1) Authenticate and get token:
curl -d '{"auth":{"tenantName": "openstack", "passwordCredentials": {"username": "admin", "password": "admin_password"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens > /tmp/aaa
sed -i 's/.*"id": "\(.\+\)==.*/\1==/g' /tmp/aaa
2) Add existing role in existing tenant to non-existing user "junk-user-id-2999":
curl -i -H "X-Auth-Token:`cat /tmp/aaa`" -X PUT http://localhost:35357/v2.0//tenants/2775ce375d624735b49347cdac41a946/users/junk-user-id-2999/roles/OS-KSADM/9fe2ff9ee4384b1894a90878d3e92bab
output means success:
{"role": {"enabled": "True", "description": "Default role for project membership", "name": "_member_", "id": "9fe2ff9ee4384b1894a90878d3e92bab"}}
3) repeat the last request and get output:
{"error": {"message": "Conflict occurred attempting to store role grant. User junk-user-id-2999 already has role 9fe2ff9ee4384b1894a90878d3e92bab in tenant 2775ce375d624735b49347cdac41a946", "code": 409, "title": "Conflict"}}
Seems like user is self-added.
Although there are no such users in this tenant:
curl -H "X-Auth-Token:`cat /tmp/aaa`" http://localhost:35357/v2.0/tenants/2775ce375d624735b49347cdac41a946/users
--- no junk-user-id-2999 here ---
Seems like there is no user id check in API.
keystone user-role-add might be determining that "user-junk-