Disabling user in ldap breaks user-list for project

Bug #1408845 reported by Oleksii Aleksieiev
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Disabling a user in LDAP breaks user-list for a project.

Steps to reproduce:

* create a "testuser" user in the LDAP backend for keystone.
* check that the user exists in the user list.
* assign some role to this user in any test project.
* check that this user appears in keystone user-list --tenant_id=testtenantid
* disable this user in LDAP or remove it from the group.
* the user will disappear from the user list, but the command keystone user-list --tenant_id=testtenantid will return a "User "testuser" not found." error in the API and in the keystone error log.

The workaround is to remove the role for the user from the user_project_metadata table in the keystone database.
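
A read-only audit for the condition described in this report, added here as an example (it is not code from the reporter or from keystone): it lists role grants in user_project_metadata whose user the directory no longer returns, so they can be reviewed before any row is removed. The table name comes from the report; the column names, the JSON layout of the data column, and the set standing in for an LDAP lookup are assumptions, and all sample rows are constructed.

```python
import json
import sqlite3

# Constructed sample data. The column layout (user_id, project_id, data holding
# a JSON "roles" list) is an assumption; check it against the real schema.
SAMPLE_ROWS = [
    ("demo", "testtenantid", '{"roles": [{"id": "member"}]}'),
    ("testuser", "testtenantid", '{"roles": [{"id": "member"}, {"id": "admin"}]}'),
    ("testuser", "othertenant", '{"roles": []}'),
]
# Constructed stand-in for the user ids the LDAP backend still returns.
LDAP_VISIBLE_USERS = {"demo"}


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_project_metadata (user_id TEXT, project_id TEXT, data TEXT)")
    conn.executemany("INSERT INTO user_project_metadata VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def role_ids(data):
    """Extract role ids from the JSON blob; flag data that cannot be parsed."""
    try:
        roles = json.loads(data or "{}").get("roles", [])
    except (ValueError, AttributeError):
        return ["<unparseable>"]
    if not isinstance(roles, list):
        return ["<unparseable>"]
    return [str(r.get("id", "<no-id>")) if isinstance(r, dict) else str(r) for r in roles]


def stale_assignments(conn, visible_users):
    """Return (user_id, project_id, roles) for grants whose user the directory no longer returns."""
    rows = conn.execute(
        "SELECT user_id, project_id, data FROM user_project_metadata"
        " ORDER BY user_id, project_id")
    stale = []
    for user_id, project_id, data in rows:
        roles = role_ids(data)
        if user_id not in visible_users and roles:
            stale.append((user_id, project_id, roles))
    return stale


if __name__ == "__main__":
    for user_id, project_id, roles in stale_assignments(build_sample_db(), LDAP_VISIBLE_USERS):
        print(f"stale grant: user={user_id} project={project_id} roles={','.join(roles)}")
```

Rows with unparseable data are reported rather than skipped, so a malformed entry cannot hide a leftover grant.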

Matt Fischer (mfisch)
summary: - Disabling user in ldap brakes user-list for project
+ Disabling user in ldap breaks user-list for project
description: updated
Steve Martinelli (stevemar) wrote :

I think we need more info here, like the actual server logs that indicate where the exception is happening. I tried to replicate this with devstack and I couldn't disable the user:

$ keystone user-update testo --enabled false
Unable to update user: You are not authorized to perform the requested action: Disabling an entity where the 'enable' attribute is ignored by configuration. (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-327ab96c-4376-498c-a7a7-47a45cfd9b77)

Nathan Kinder (nkinder) wrote :

This is working fine for me with Juno:

[root@rdo ~(keystone_admin)]# keystone user-role-add --user test --role _member_ --tenant demo
[root@rdo ~(keystone_admin)]# keystone user-list --tenant demo
+------+------+---------+------------------+
| id | name | enabled | email |
+------+------+---------+------------------+
| demo | demo | True | <email address hidden> |
| test | test | True | <email address hidden> |
+------+------+---------+------------------+
[root@rdo ~(keystone_admin)]# ipa user-disable test
----------------------------
Disabled user account "test"
----------------------------
[root@rdo ~(keystone_admin)]# keystone user-list --tenant demo
+------+------+---------+------------------+
| id | name | enabled | email |
+------+------+---------+------------------+
| demo | demo | True | <email address hidden> |
| test | test | False | <email address hidden> |
+------+------+---------+------------------+

Samuel de Medeiros Queiroz (samueldmq) wrote :

This bug is being marked as 'Incomplete' since it could not be verified; the reporter (Oleksii Aleksieiev) needs to give more info about the environment in which this potential bug was detected.

Thanks to Steve Martinelli and Nathan Kinder for trying to verify this bug.

Changed in keystone:
status: New → Incomplete
Oleksii Aleksieiev (alexzzman) wrote :

Looks like the problem affects the Havana version only. Looks like in Icehouse and above the LDAP driver was modified and the issue is not repeatable.

Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired