Role assignment list with name resolution fails if a project contains a disabled AD user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
Bug Description
If you have configured keystone with an LDAP backend, and you have a project with a disabled AD user as a member, the "openstack role assignment list --project <id> --names" command will fail with an HTTP 404 response, because it can't resolve the name of the disabled user.
Example:
larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e
9fe2ff9ee4384b1
9fe2ff9ee4384b1
With --names:
larserik@manager:~$ openstack role assignment list --project 9a71b116d24747e
Could not find user: <redacted username> (HTTP 404) (Request-ID: req-b7389d49-
What's kind of strange is that the 404 response actually contains the username it can't find.
python-keystone 2:9.0.0-
python-
python-
This sounds like a duplicate of bug 1684820 [0], which we have a fix for in master [1] and stable/ocata [2].
Are you still able to recreate this issue given the fixes [1] [2]?
[0] https://bugs.launchpad.net/keystone/+bug/1684820
[1] https://review.openstack.org/#/c/458954/
[2] https://review.openstack.org/#/c/465395/
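The failure reported above is a single unresolvable user aborting the whole listing. As an added example (not keystone's code and not the fix referenced in this thread), the sketch below resolves names one entry at a time and keeps unresolvable IDs as a separate list for review. `UserNotFound`, `resolve_assignments`, `sample_lookup` and all sample IDs are hypothetical, and the lookup callable stands in for whatever per-user query your deployment uses.

```python
class UserNotFound(Exception):
    """Hypothetical stand-in for an HTTP 404 returned by a per-user lookup."""


def resolve_assignments(assignments, lookup_user):
    """Resolve user IDs to names without letting one 404 abort the listing.

    assignments: iterable of (user_id, role_id) pairs, i.e. the listing
                 as obtained without name resolution.
    lookup_user: callable user_id -> name, raising UserNotFound on a 404.
    Returns (resolved, unresolved): (name, role_id) pairs, and the
    (user_id, role_id) pairs whose user could not be resolved.
    """
    resolved, unresolved = [], []
    cache = {}  # one lookup per distinct user, including failed ones
    for user_id, role_id in assignments:
        if user_id not in cache:
            try:
                cache[user_id] = lookup_user(user_id)
            except UserNotFound:
                cache[user_id] = None
        name = cache[user_id]
        if name is None:
            unresolved.append((user_id, role_id))
        else:
            resolved.append((name, role_id))
    return resolved, unresolved


# Constructed sample data: u-1002 plays the disabled directory account.
SAMPLE_DIRECTORY = {"u-1001": "alice", "u-1003": "carol"}
SAMPLE_ASSIGNMENTS = [
    ("u-1001", "r-member"),
    ("u-1002", "r-member"),
    ("u-1002", "r-admin"),
    ("u-1003", "r-admin"),
]


def sample_lookup(user_id):
    """Constructed lookup that fails the way the report describes."""
    if user_id not in SAMPLE_DIRECTORY:
        raise UserNotFound(user_id)
    return SAMPLE_DIRECTORY[user_id]


if __name__ == "__main__":
    ok, stale = resolve_assignments(SAMPLE_ASSIGNMENTS, sample_lookup)
    for name, role in ok:
        print(f"{name}\t{role}")
    for user_id, role in stale:
        print(f"UNRESOLVED {user_id}\t{role}")
```

The unresolved list doubles as a review queue: those are accounts the directory no longer resolves but that still hold role assignments in the project.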