Disabling user in ldap breaks user-list for project

Bug #1408845 reported by Oleksii Aleksieiev on 2015-01-09
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Disabling a user in LDAP breaks user-list for project.

Steps to reproduce:

* Create a "testuser" user in the LDAP backend for keystone.
* Check that the user exists in the user list.
* Assign some role to this user in any test project.
* Check that this user appears in keystone user-list --tenant_id=testtenantid
* Disable this user in LDAP or remove it from the group.
* The user will disappear from the user list, but the command keystone user-list --tenant_id=testtenantid will return a "User "testuser" not found." error in the API and in the keystone error log.

The workaround is to remove the role for the user from the user_project_metadata table in the keystone database.
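
An added example, not part of the original report and not keystone's own code: before applying the workaround, this lists the rows in user_project_metadata whose user is no longer returned by the identity backend, so only those assignments are removed. The column names (user_id, project_id, and data holding a JSON "roles" list), the sample rows and the set of visible user IDs are assumptions constructed for illustration.

```python
import json
import sqlite3


def build_sample_db():
    """Constructed stand-in for the keystone database (in-memory SQLite).

    The table name comes from the bug report; the columns are assumed.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user_project_metadata ("
        "user_id TEXT, project_id TEXT, data TEXT, "
        "PRIMARY KEY (user_id, project_id))"
    )
    member = json.dumps({"roles": [{"id": "member-role"}]})
    db.executemany(
        "INSERT INTO user_project_metadata VALUES (?, ?, ?)",
        [
            ("demo", "testtenantid", member),
            ("testuser", "testtenantid", member),
            ("testuser", "othertenant", json.dumps({"roles": []})),
        ],
    )
    return db


def find_orphaned_assignments(db, visible_user_ids):
    """Return (user_id, project_id, role_ids) for every row whose user is
    not in visible_user_ids (the IDs the LDAP backend currently returns)."""
    orphans = []
    query = ("SELECT user_id, project_id, data FROM user_project_metadata "
             "ORDER BY user_id, project_id")
    for user_id, project_id, data in db.execute(query):
        if user_id in visible_user_ids:
            continue
        try:
            parsed = json.loads(data or "{}")
        except ValueError:
            parsed = {}  # unparseable metadata: still report the row
        roles = parsed.get("roles", []) if isinstance(parsed, dict) else []
        # Accept both {"id": "..."} entries and bare role-id strings.
        role_ids = [r["id"] if isinstance(r, dict) else r for r in roles]
        orphans.append((user_id, project_id, role_ids))
    return orphans


if __name__ == "__main__":
    # "testuser" was disabled or removed in LDAP, so only "demo" is visible.
    for row in find_orphaned_assignments(build_sample_db(), {"demo"}):
        print(row)
```
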

Matt Fischer (mfisch) on 2015-01-09
summary: - Disabling user in ldap brakes user-list for project
+ Disabling user in ldap breaks user-list for project
description: updated
Steve Martinelli (stevemar) wrote :

I think we need more info here, like the actual server logs that indicate where the exception is happening. I tried to replicate this with devstack and I couldn't disable the user:

$ keystone user-update testo --enabled false
Unable to update user: You are not authorized to perform the requested action: Disabling an entity where the 'enable' attribute is ignored by configuration. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-327ab96c-4376-498c-a7a7-47a45cfd9b77)

Nathan Kinder (nkinder) wrote :

This is working fine for me with Juno:

[root@rdo ~(keystone_admin)]# keystone user-role-add --user test --role _member_ --tenant demo
[root@rdo ~(keystone_admin)]# keystone user-list --tenant demo
+------+------+---------+------------------+
| id | name | enabled | email |
+------+------+---------+------------------+
| demo | demo | True | <email address hidden> |
| test | test | True | <email address hidden> |
+------+------+---------+------------------+
[root@rdo ~(keystone_admin)]# ipa user-disable test
----------------------------
Disabled user account "test"
----------------------------
[root@rdo ~(keystone_admin)]# keystone user-list --tenant demo
+------+------+---------+------------------+
| id | name | enabled | email |
+------+------+---------+------------------+
| demo | demo | True | <email address hidden> |
| test | test | False | <email address hidden> |
+------+------+---------+------------------+

This bug is being marked as 'Incomplete' since it could not be verified; the reporter (Oleksii Aleksieiev) needs to give more info about the environment in which this potential bug was detected.

Thanks to Steve Martinelli and Nathan Kinder for trying to verify this bug.

Changed in keystone:
status: New → Incomplete
Oleksii Aleksieiev (alexzzman) wrote :

Looks like the problem affects the Havana version only. Looks like in Icehouse and above the LDAP driver was modified and the issue is not repeatable.

Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired