GET /role_assignments?include_names API is blocked with 404 error when a user doesn't exist in identity backend

Bug #1684820 reported by prashkre
This bug affects 2 people

Affects                        Status        Importance  Assigned to      Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Kristi Nikolla
Ocata                          Fix Released  Medium      Divya K Konoor

Bug Description

In an environment with an LDAP server as the identity backend, assigning roles to users inserts records in the keystone.assignment table. If an admin later removes one of the users, say "user1", from the identity backend, the role assignment still persists in the keystone.assignment table for "user1".

So when someone invokes [0], it fetches all role assignments at [1], then tries to get usernames at [2] by iterating through each of the user_ids in the resultant role assignments at [3]. Since "user1" doesn't exist, it throws "Could not find user: user1." with a 404 error, which we need to handle.

[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
[1] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L918
[2] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L928
[3] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L941

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/458954

Changed in keystone:
assignee: nobody → Kristi Nikolla (knikolla)
status: New → In Progress
tags: added: ldap
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/458954
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0392b36a0d7d3e7cc479b357245da04c949924de
Submitter: Jenkins
Branch: master

commit 0392b36a0d7d3e7cc479b357245da04c949924de
Author: Kristi Nikolla <email address hidden>
Date: Fri Apr 21 15:31:49 2017 -0400

    Handle NotFound when listing role assignments for deleted users

    Keystone can use an external identity store for the users, and
    store assignments for these users in the SQL database that it
    manages. When a user has been deleted directly in the external
    identity store, these assignments will persist. Therefore when
    listing role assignments and asking for names to be included,
    keystone will try to get information of the user and fail with
    NotFound.

    This catches the NotFound exception of the get_user and get_group
    calls and fills the user values with an empty string.

    Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
    Closes-Bug: 1684820

Changed in keystone:
status: In Progress → Fix Released
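The following Python model is an added example, not keystone's own code (the real lookup lives in keystone/assignment/core.py at the lines linked in the report). It reproduces the failure the report describes and the behaviour the commit message describes: the same listing run once without and once with the NotFound handling. The `IdentityBackend` class, the `NotFound` exception, the flattened `user_name`/`user_domain_id` and `group_name`/`group_domain_id` fields, and the sample assignment rows are all constructed assumptions; keystone's real structures differ. The `orphaned_assignments` helper goes slightly beyond the page: it is the hygiene check an operator would want, listing rows whose principal no longer exists in the backend.

```python
"""Model of keystone's role-assignment listing with ?include_names against an
external identity backend. Added example, not keystone's code: the backend,
the exception, the field names and the sample rows are all assumptions."""


class NotFound(Exception):
    """Stands in for keystone's UserNotFound / GroupNotFound (assumed name)."""


class IdentityBackend:
    """Read-only identity store such as an LDAP directory (constructed)."""

    def __init__(self, users, groups):
        self._users = users
        self._groups = groups

    def get_user(self, user_id):
        if user_id not in self._users:
            raise NotFound("Could not find user: %s." % user_id)
        return self._users[user_id]

    def get_group(self, group_id):
        if group_id not in self._groups:
            raise NotFound("Could not find group: %s." % group_id)
        return self._groups[group_id]


# Constructed sample data: "user1" was removed from the directory by an admin,
# but its row in the assignment table was never cleaned up.
IDENTITY = IdentityBackend(
    users={"alice": {"name": "alice", "domain_id": "default"}},
    groups={"ops": {"name": "ops", "domain_id": "default"}},
)
ASSIGNMENTS = [
    {"user_id": "alice", "project_id": "proj1", "role_id": "member"},
    {"user_id": "user1", "project_id": "proj1", "role_id": "admin"},  # orphaned
    {"group_id": "ops", "project_id": "proj1", "role_id": "member"},
]


def _lookup(ref, identity, tolerate_missing):
    """Resolve the principal of one assignment row to (name, domain_id).

    With tolerate_missing=False a deleted principal propagates NotFound and
    aborts the whole listing (pre-fix behaviour); with True it yields empty
    strings instead, which is what the merged fix does.
    """
    try:
        if "user_id" in ref:
            principal = identity.get_user(ref["user_id"])
        else:
            principal = identity.get_group(ref["group_id"])
    except NotFound:
        if not tolerate_missing:
            raise
        return "", ""
    return principal["name"], principal["domain_id"]


def add_names(assignments, identity, tolerate_missing):
    """Attach principal names to each row, as ?include_names asks for."""
    out = []
    for ref in assignments:
        row = dict(ref)
        kind = "user" if "user_id" in ref else "group"
        name, domain_id = _lookup(ref, identity, tolerate_missing)
        row[kind + "_name"] = name
        row[kind + "_domain_id"] = domain_id
        out.append(row)
    return out


def simulate_request(assignments, identity, fixed):
    """Map the listing outcome to the HTTP status the API caller would see."""
    try:
        return 200, add_names(assignments, identity, tolerate_missing=fixed)
    except NotFound as exc:
        return 404, str(exc)


def orphaned_assignments(assignments, identity):
    """Hygiene check: rows whose principal no longer exists in the backend.

    Stale rows are live authorization data; they would apply to any principal
    later created with the same identifier, so they are worth finding and
    removing rather than only tolerating in the listing.
    """
    orphans = []
    for ref in assignments:
        try:
            _lookup(ref, identity, tolerate_missing=False)
        except NotFound:
            orphans.append(ref)
    return orphans


if __name__ == "__main__":
    print(simulate_request(ASSIGNMENTS, IDENTITY, fixed=False))
    print(simulate_request(ASSIGNMENTS, IDENTITY, fixed=True))
    print(orphaned_assignments(ASSIGNMENTS, IDENTITY))
```

Run as a script, the first call returns a 404 carrying "Could not find user: user1.", the second returns 200 with all three rows and empty name fields for the deleted user, and the last call lists the single orphaned row. The fix keeps the API usable, but the orphaned rows remain in the assignment table; the check is there so an operator can clean them up instead of leaving stale grants behind.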
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/465395

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/ocata)

Reviewed: https://review.openstack.org/465395
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e1ee00f1dfdb62383b3b0c0528fa59f2af4c7040
Submitter: Jenkins
Branch: stable/ocata

commit e1ee00f1dfdb62383b3b0c0528fa59f2af4c7040
Author: Kristi Nikolla <email address hidden>
Date: Fri Apr 21 15:31:49 2017 -0400

    Handle NotFound when listing role assignments for deleted users

    Keystone can use an external identity store for the users, and
    store assignments for these users in the SQL database that it
    manages. When a user has been deleted directly in the external
    identity store, these assignments will persist. Therefore when
    listing role assignments and asking for names to be included,
    keystone will try to get information of the user and fail with
    NotFound.

    This catches the NotFound exception of the get_user and get_group
    calls and fills the user values with an empty string.

    Change-Id: Iec3e12f6cd1402e1e3f192b0ede5d608bd41ca1d
    Closes-Bug: 1684820
    (cherry picked from commit 0392b36a0d7d3e7cc479b357245da04c949924de)

tags: added: in-stable-ocata
Changed in keystone:
importance: Undecided → Medium
tags: added: ocata-backport-potential
Changed in keystone:
milestone: none → pike-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.2

This issue was fixed in the openstack/keystone 11.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b2

This issue was fixed in the openstack/keystone 12.0.0.0b2 development milestone.
