OpenStack Identity (keystone)

Role assignment list with name resolution fails if a project contains a disabled AD user

Bug #1690782 reported by Lars Erik Pedersen on 2017-05-15

This bug report is a duplicate of: Bug #1684820: GET /role_assignments?include_names API is blocked with 404 error when a user doesn't exists in identity backend. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	New	Undecided	Unassigned

Bug Description

If you have configured keystone with an LDAP backend, and you have project with a disabled AD user as a member, the "openstack role assignment list --project <id> --names" command will fail with a HTTP 404 response, beacause it can't resolve the name of the disabled user.

Example:
larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e19671ed4f28bfd512 -f value
9fe2ff9ee4384b1894a90878d3e92bab 3e2e82db86d8423db18595a2a5dd926a 9a71b116d24747e19671ed4f28bfd512 False
9fe2ff9ee4384b1894a90878d3e92bab 83b6168d45c9362ce1ec257c224887428ba76d9f70d6f634c7ebb08b9cbd2cf3 9a71b116d24747e19671ed4f28bfd512 False

With --names:
larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e19671ed4f28bfd512 --names -f value
Could not find user: <redacted username> (HTTP 404) (Request-ID: req-b7389d49-d60d-49b1-a0af-dd9ced9ba3da)

What's kind of strange, is that the 404 response actually contains the username it can't find.

python-keystone 2:9.0.0-0ubuntu1~cloud0
python-keystoneclient 1:2.3.1-2~cloud0
python-openstackclient 2.3.0-2~cloud0

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-06-09:

This sounds like a duplicate of bug 1684820 [0], which we have a fix for in master [1] and stable/ocata [2].

Are you still able to recreate this issue given the fixes [1] [2]?

[0] https://bugs.launchpad.net/keystone/+bug/1684820
[1] https://review.openstack.org/#/c/458954/
[2] https://review.openstack.org/#/c/465395/

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2017-07-25:

Marking this as a duplicate of bug 1684820. Please feel free to reopen with any relevant information if the issue resurfaces.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1684820 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.