OpenStack Identity (keystone)

Attempt to assign a role to a non existent user should fail

Bug #1355655 reported by troy_chen
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Opinion
Undecided
Unassigned

Bug Description

I use tempest tests get the following error:
===========================================
StringException: Traceback (most recent call last):
   File "/usr/lib/python2.7/dist-packages/tempest/api/identity/admin/test_roles.py", line 143, in test_assign_user_role_for_non_existent_user
     tenant ['id'], 'junk-user-id-999', role ['id'])
   File "/usr/lib/python2.7/dist-packages/testtools/testcase.py", line 393, in assertRaises
     self.assertThat (our_callable, matcher)
   File "/usr/lib/python2.7/dist-packages/testtools/testcase.py", line 406, in assertThat
     raise mismatch_error
MismatchError: <bound method IdentityClientJSON.assign_user_role of <tempest.services.identity.json.identity_client.IdentityClientJSON object at 0x7f9183c2f250 >> returned ({'status': '200', 'content-length': '78', 'vary' : 'X-Auth-Token', 'date': 'Tue, 12 Aug 2014 08:00:39 GMT', 'content-type': 'application / json', 'x-distribution': 'Ubuntu'}, {u'id ': u'd4a5fe216f92439789389f968c6e50d6', u'name ': u'role1552687157'})
============================================

by testing found that "assign a role to a user that does not exist is a success."
See attachment Screenshot by postman

Revision history for this message
troy_chen (troy-chen) wrote :
Changed in keystone:
status: New → Fix Committed
status: Fix Committed → Incomplete
troy_chen (troy-chen)
Changed in keystone:
status: Incomplete → New
Revision history for this message
troy_chen (troy-chen) wrote :

Junk-user-id-999 user does not exist,but the keystone but return success

keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+---------+---------+----------------------+
| id | name | enabled | email |
 +----------------------------------+---------+---------+----------------------+
| 65029a34d27b4070b2d02dbcd390a4b8 | admin | True | <email address hidden> |
| 398a961477e24ecda22bd1152a60d2f9 | cinder | True | <email address hidden> |
| 414a225f713f4a72bde9ecacb12067b1 | demo | True | <email address hidden> |
| e7f707c354e84448aa8b33684a105d07 | glance | True | <email address hidden> |
| 40843344f69349cbbec7712e43e5c3c3 | neutron | True | <email address hidden> |
| f2c0b7f6749241a09ff1c44adda07668 | nova | True | <email address hidden> |
 +----------------------------------+---------+---------+----------------------+

keystone log:
"PUT /v2.0//tenants/e6ad3d4773c14d61b6b6514f3c18c085/users/junk-user-id-999/roles/OS-KSADM/69967fb5ee9
447dd83de032c7b987c89 HTTP/1.1" 200 230 0.042752

mysql/keystone:
mysql> select * from assignment where actor_id = 'junk-user-id-999';
+-------------+------------------+----------------------------------+----------------------------------+-----------+
| type | actor_id | target_id | role_id | inherited |
 +-------------+------------------+----------------------------------+----------------------------------+-----------+
| UserProject | junk-user-id-999 | a7d2f048f3b244dea10ccee838a885d3 | 3e3078fa670c412f928dfbb15f4938b8 | 0 |
 +-------------+------------------+----------------------------------+----------------------------------+-----------+
1 row in set (0.00 sec)

Revision history for this message
Dolph Mathews (dolph) wrote :

Leaving this as Opinion for the moment, because this was actually by design (although, I personally disagree with the behavior illustrated above). Going to mention this at the Keystone meeting today.

Changed in keystone:
status: New → Opinion
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.