/v3/users?name=<name> bypasses user_filter for LDAP

Bug #1577804 reported by Matthew Edmonds
Affects                        Status        Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Matthew Edmonds
Mitaka                         Fix Released  Medium      Unassigned

Bug Description

Using the LDAP driver with user_filter, a GET /v3/users?name=<name> returns users that do not match the filter.

e.g.:

user_filter = (|(uid=arc1_admin)(uid=arc1_stgmgr))

# openstack user list
+------------------------------------------------------------------+-------------+
| ID                                                               | Name        |
+------------------------------------------------------------------+-------------+
| 91476076d6686143dff68d08e87358a29daf0725c549008f9c0852d2c7ab8e42 | arc1_admin  |
| 8c1beab95fc4c2b009383827f1ea1ec2880fa6eb5bbe42aebd43aab21ad685b2 | arc1_stgmgr |
+------------------------------------------------------------------+-------------+

# openstack user show arc1_dep
+-----------+------------------------------------------------------------------+
| Field     | Value                                                            |
+-----------+------------------------------------------------------------------+
| domain_id | default                                                          |
| id        | 631bbab78e33e554bc6c7fd53071c6e046fd37680b1b154261bd6183b123e8b0 |
| name      | arc1_dep                                                         |
+-----------+------------------------------------------------------------------+

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/312126

Changed in keystone:
assignee: nobody → Matthew Edmonds (edmondsw)
status: New → In Progress
Changed in keystone:
assignee: Matthew Edmonds (edmondsw) → Divya K Konoor (dikonoor)
Changed in keystone:
assignee: Divya K Konoor (dikonoor) → Matthew Edmonds (edmondsw)
Changed in keystone:
assignee: Matthew Edmonds (edmondsw) → Rodrigo Duarte (rodrigodsousa)
Revision history for this message
Steve Martinelli (stevemar) wrote :

Is there something missing in the bug description? I don't see exactly where the failure / mismatch is happening -- or the setup of the data.

user list should return all the users; it returns 2.
user show arc1_dep is somehow returned even though she doesn't exist?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/314055

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

@Steve, the user exists in the LDAP backend, but doesn't match the CONF.ldap.user_filter setting, so they are supposed to be filtered out. Indeed they are not visible if you list all users, because the user_filter conf setting is honored, so that's correct. But if you list users with the name as a query param, the conf setting for user_filter isn't used due to a bug in the code, and the user is subsequently (and incorrectly) returned.
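The two reproduction commands in the bug description and the explanation in the comment above describe the same defect: the per-request name query was used instead of, rather than combined with, the configured user_filter, so a user that exists in LDAP but is excluded by the filter still came back from a filtered list. The Python below is an example added by the editor, not keystone's code; it builds the search filter both ways, escapes the query value per RFC 4515, and checks the results against a constructed in-memory directory using a minimal LDAP filter evaluator (equality, &, |, ! only). The directory entries, the uid attribute, and all function names are assumptions for illustration.

```python
import re

# Constructed sample directory; not the reporter's real LDAP data.
DIRECTORY = [
    {"uid": "arc1_admin", "cn": "Arc1 Admin"},
    {"uid": "arc1_stgmgr", "cn": "Arc1 Storage Manager"},
    {"uid": "arc1_dep", "cn": "Arc1 Deployer"},   # exists in LDAP, excluded by user_filter
]

# Same user_filter value as in the bug description.
USER_FILTER = "(|(uid=arc1_admin)(uid=arc1_stgmgr))"


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a query value cannot alter filter structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_filter_before_fix(user_filter, name):
    """Behaviour the bug describes: the name query is used on its own, user_filter is dropped."""
    return "(uid=%s)" % escape_filter_value(name)


def build_filter_after_fix(user_filter, name):
    """Corrected behaviour: AND the configured user_filter with the name query."""
    query = "(uid=%s)" % escape_filter_value(name)
    if not user_filter:
        return query
    return "(&%s%s)" % (user_filter, query)


# --- minimal evaluator for the filter subset used here: (attr=value), (&...), (|...), (!...) ---

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '(' at %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = text.index(")", pos)          # an escaped ')' appears as \29, so this is the real close
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, _unescape(value)), end + 1


def matches(node, entry):
    op = node[0]
    if op == "=":
        # case-insensitive equality, a simplification of LDAP matching rules
        return entry.get(node[1], "").lower() == node[2].lower()
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)     # "!" takes a single child


def search(directory, ldap_filter):
    """Return the uids of entries matching ldap_filter, in directory order."""
    tree, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in directory if matches(tree, e)]


if __name__ == "__main__":
    print("user list:", search(DIRECTORY, USER_FILTER))
    for builder in (build_filter_before_fix, build_filter_after_fix):
        f = builder(USER_FILTER, "arc1_dep")
        print("%-22s %s -> %s" % (builder.__name__, f, search(DIRECTORY, f)))
```

Running it reproduces the report: the unfiltered list honours user_filter and returns only arc1_admin and arc1_stgmgr, the pre-fix builder returns arc1_dep for a name lookup, and the corrected builder returns nothing for that name because the conjunction with user_filter excludes it. The escaping step is there so that a name value containing filter metacharacters is matched literally rather than parsed as additional filter terms.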

Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Matthew Edmonds (edmondsw)
Changed in keystone:
assignee: Matthew Edmonds (edmondsw) → Rodrigo Duarte (rodrigodsousa)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Rodrigo Duarte (<email address hidden>) on branch: master
Review: https://review.openstack.org/314055
Reason: just for testing purposes

tags: added: mitaka-backport-potential
Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Matthew Edmonds (edmondsw)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/312126
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=322a744ba852a5a4e59c713a52168fa8db2552ca
Submitter: Jenkins
Branch: master

commit 322a744ba852a5a4e59c713a52168fa8db2552ca
Author: Matthew Edmonds <email address hidden>
Date: Tue May 3 11:37:42 2016 -0400

    Honor ldap_filter on filtered user list

    Fix GET /v3/users?name=<name> to honor conf.ldap.user_filter.

    Change-Id: I65cacc04c218a7c87855a305c7e0088ac5860cc8
    Closes-Bug: #1577804

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/321812

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

Steve suggested this could also be backported to Liberty. Unfortunately, backporting to Liberty is not clean. It hits a merge conflict due to changes from the fix for https://bugs.launchpad.net/keystone/+bug/1501698 (more specifically, https://github.com/openstack/keystone/commit/9c6c24f35717bd0a9271c975f75e0dc3419b7203), which from the look of them may at least in part also be necessary to fix this for Liberty. I'll leave that for someone else if they want to take it on.

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

Boris, Alexander, see comment #8

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/321812
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=87d67946e75db2ec2a6af72447211ca1ee291940
Submitter: Jenkins
Branch: stable/mitaka

commit 87d67946e75db2ec2a6af72447211ca1ee291940
Author: Matthew Edmonds <email address hidden>
Date: Tue May 3 11:37:42 2016 -0400

    Honor ldap_filter on filtered user list

    Fix GET /v3/users?name=<name> to honor conf.ldap.user_filter.

    Change-Id: I65cacc04c218a7c87855a305c7e0088ac5860cc8
    (cherry picked from commit 322a744ba852a5a4e59c713a52168fa8db2552ca)
    Closes-Bug: #1577804

tags: added: in-stable-mitaka
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 10.0.0.0b1

This issue was fixed in the openstack/keystone 10.0.0.0b1 development milestone.

Changed in keystone:
importance: Undecided → Medium
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 9.1.0

This issue was fixed in the openstack/keystone 9.1.0 release.

Changed in keystone:
milestone: none → newton-1