/v3/users?name=<name> bypasses user_filter for LDAP

Bug #1577804 reported by Matthew Edmonds on 2016-05-03
Affects                         Status   Importance   Assigned to        Milestone
OpenStack Identity (keystone)            Medium       Matthew Edmonds
Mitaka                                   Medium       Unassigned

Bug Description

Using the LDAP driver with user_filter, a GET /v3/users?name=<name> returns users that do not match the filter.

e.g.:

user_filter = (|(uid=arc1_admin)(uid=arc1_stgmgr))

# openstack user list
+------------------------------------------------------------------+-------------+
| ID                                                               | Name        |
+------------------------------------------------------------------+-------------+
| 91476076d6686143dff68d08e87358a29daf0725c549008f9c0852d2c7ab8e42 | arc1_admin  |
| 8c1beab95fc4c2b009383827f1ea1ec2880fa6eb5bbe42aebd43aab21ad685b2 | arc1_stgmgr |
+------------------------------------------------------------------+-------------+

# openstack user show arc1_dep
+-----------+------------------------------------------------------------------+
| Field     | Value                                                            |
+-----------+------------------------------------------------------------------+
| domain_id | default                                                          |
| id        | 631bbab78e33e554bc6c7fd53071c6e046fd37680b1b154261bd6183b123e8b0 |
| name      | arc1_dep                                                         |
+-----------+------------------------------------------------------------------+

Fix proposed to branch: master
Review: https://review.openstack.org/312126

Changed in keystone:
assignee: nobody → Matthew Edmonds (edmondsw)
status: New → In Progress
Changed in keystone:
assignee: Matthew Edmonds (edmondsw) → Divya K Konoor (dikonoor)
Changed in keystone:
assignee: Divya K Konoor (dikonoor) → Matthew Edmonds (edmondsw)
Changed in keystone:
assignee: Matthew Edmonds (edmondsw) → Rodrigo Duarte (rodrigodsousa)
Steve Martinelli (stevemar) wrote :

Is there something missing in the bug description? I don't see exactly where the failure / mismatch is happening -- or the setup of the data.

user list should return all the users, it returns 2.
user show arc1_dep is somehow returned even though she doesn't exist?

Matthew Edmonds (edmondsw) wrote :

@Steve, the user exists in the LDAP backend, but doesn't match the CONF.ldap.user_filter setting, so they are supposed to be filtered out. Indeed they are not visible if you list all users, because the user_filter conf setting is honored, so that's correct. But if you list users with the name as a query param, the conf setting for user_filter isn't used due to a bug in the code, and the user is subsequently (and incorrectly) returned.
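Added illustration, not keystone's code: a toy LDAP filter evaluator over a constructed directory containing the three users from the report. It shows why a name query that only uses the query attribute returns arc1_dep, and how ANDing CONF.ldap.user_filter into the search filter (one way to honor it) excludes that user again. The directory contents and the functions `search`, `buggy_query_filter` and `fixed_query_filter` are assumptions made for this example.

```python
# Constructed LDAP directory for the example: uid -> attributes.
DIRECTORY = {
    "arc1_admin":  {"objectClass": "inetOrgPerson", "uid": "arc1_admin"},
    "arc1_stgmgr": {"objectClass": "inetOrgPerson", "uid": "arc1_stgmgr"},
    "arc1_dep":    {"objectClass": "inetOrgPerson", "uid": "arc1_dep"},
}
# The user_filter value quoted in the bug report.
USER_FILTER = "(|(uid=arc1_admin)(uid=arc1_stgmgr))"


def _parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it).
    Supports &, |, ! and simple equality assertions (attr=value)."""
    assert s[i] == "(", "filter must start with '('"
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1


def _match(node, entry):
    """Evaluate a parsed filter node against one directory entry."""
    op = node[0]
    if op == "=":
        return entry.get(node[1]) == node[2]
    if op == "&":
        return all(_match(k, entry) for k in node[1])
    if op == "|":
        return any(_match(k, entry) for k in node[1])
    return not _match(node[1][0], entry)   # "!" takes a single child


def search(ldap_filter):
    """Return the sorted uids of directory entries matching ldap_filter."""
    tree, end = _parse(ldap_filter)
    assert end == len(ldap_filter), "trailing text after filter"
    return sorted(uid for uid, e in DIRECTORY.items() if _match(tree, e))


def buggy_query_filter(name):
    # Pre-fix behaviour described in the bug: only the query attribute is
    # used, so the configured user_filter is never consulted.
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % name


def fixed_query_filter(name, user_filter=USER_FILTER):
    # Hypothetical corrected behaviour: AND the configured user_filter into
    # the query filter so filtered-out users cannot be reached by name.
    return "(&%s(objectClass=inetOrgPerson)(uid=%s))" % (user_filter, name)
```

In real code the name value must be escaped per RFC 4515 before being placed in the filter; the toy evaluator here does not decode escapes.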

Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Matthew Edmonds (edmondsw)
Changed in keystone:
assignee: Matthew Edmonds (edmondsw) → Rodrigo Duarte (rodrigodsousa)

Change abandoned by Rodrigo Duarte (<email address hidden>) on branch: master
Review: https://review.openstack.org/314055
Reason: just for testing purposes

tags: added: mitaka-backport-potential
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Matthew Edmonds (edmondsw)

Reviewed: https://review.openstack.org/312126
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=322a744ba852a5a4e59c713a52168fa8db2552ca
Submitter: Jenkins
Branch: master

commit 322a744ba852a5a4e59c713a52168fa8db2552ca
Author: Matthew Edmonds <email address hidden>
Date: Tue May 3 11:37:42 2016 -0400

    Honor ldap_filter on filtered user list

    Fix GET /v3/users?name=<name> to honor conf.ldap.user_filter.

    Change-Id: I65cacc04c218a7c87855a305c7e0088ac5860cc8
    Closes-Bug: #1577804

Changed in keystone:
status: In Progress → Fix Released
Matthew Edmonds (edmondsw) wrote :

Steve suggested this could also be backported to Liberty. Unfortunately, backporting to Liberty is not clean. It hits a merge conflict due to changes from the fix for https://bugs.launchpad.net/keystone/+bug/1501698 (more specifically, https://github.com/openstack/keystone/commit/9c6c24f35717bd0a9271c975f75e0dc3419b7203), which from the look of them may at least in part also be necessary to fix this for Liberty. I'll leave that for someone else if they want to take it on.

Matthew Edmonds (edmondsw) wrote :

Boris, Alexander, see comment #8

Reviewed: https://review.openstack.org/321812
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=87d67946e75db2ec2a6af72447211ca1ee291940
Submitter: Jenkins
Branch: stable/mitaka

commit 87d67946e75db2ec2a6af72447211ca1ee291940
Author: Matthew Edmonds <email address hidden>
Date: Tue May 3 11:37:42 2016 -0400

    Honor ldap_filter on filtered user list

    Fix GET /v3/users?name=<name> to honor conf.ldap.user_filter.

    Change-Id: I65cacc04c218a7c87855a305c7e0088ac5860cc8
    (cherry picked from commit 322a744ba852a5a4e59c713a52168fa8db2552ca)
    Closes-Bug: #1577804

tags: added: in-stable-mitaka

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.

Changed in keystone:
importance: Undecided → Medium

This issue was fixed in the openstack/keystone 9.1.0 release.

Changed in keystone:
milestone: none → newton-1