Removing duplicated items doesn't work in case of federations

The change referenced in the description [0] includes tests for duplicate projects via direct and indirect assignments [1]. This should be testing the code in question.

I ran the tests locally and ensured there were't duplicate projects or domains as a result of the API. Are you able to recreate this with a test of some kind?

[0] https://review.openstack.org/#/c/284943/63
[1] https://github.com/openstack/keystone/blob/bebd7056ad33d294871013067cb7367bc6db1a13/keystone/tests/unit/test_v3_federation.py#L3069-L3132

Yes, Lance. I found an issue in forked version of keystone with some changes related to federations.
The issue there occured in that line of code. You can look at the example below and check if it works for python 2.7:

domains = [{'id': 1, 'name': 'domain1', 'extra': ''}, {'extra': '', 'id': 1, 'name': 'domain1'}]
domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]

after running these 2 lines of code you can see that there will be 2 items in domains list.

There might be something wrong with how the test is working then. Let's keep this open until we figure out exactly where the mismatch is.

Thanks for following up!

After discussing on IRC privately - it sounded like this was more of an issue with role names being duplicated and not projects or domains. Is that correct, Dmitry?

I'm unable to reproduce this with duplicate domains or projects.

Marking as Incomplete until we get some more feedback.

Today I was able to reproduce this issue on ocata using federation setup on devstack. I was using federated user which:
  * was in a group according to mapping - http://paste.openstack.org/show/616748/
  * was additionally added to the same group using 'openstack group add user ...'

I ran command "openstack stack create -t auto_scaling.yaml DM" and received message
" ERROR: Remote error: Conflict Conflict occurred attempting to store trust - Duplicate entry. (HTTP 409)"

The duplication occured because heat created the same trust twice. In turn, this happened because keystone returned admin role for current user twice.

Related fix proposed to branch: master
Review: https://review.openstack.org/489647

I was able to recreate this - but it appears to be transient. This is going to still require some investigation to see if we can make it 100% reproducible. See the approach I've taken in the patch from comment #7.

Looks like the code to remove duplicate roles for federated users is susceptible to the case described in the description of the bug report [0]. I was able to recreate this and verify it with the test in comment #7. The reason why this doesn't consistently fail is because python dictionaries are unordered. Whether or not this fails depends on the if the dictionary (role reference) is returned in a state that allows it to match other duplicate role references.

[0] https://github.com/openstack/keystone/blob/2164d0550c39a07b9c0dacc6c2167d0018b0c7bd/keystone/token/providers/common.py#L195-L196

Fix proposed to branch: master
Review: https://review.openstack.org/494049

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/489647
Reason: Rolled this into https://review.openstack.org/#/c/494049/

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/494238

Reviewed: https://review.openstack.org/494049
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=058a23c0873723d5a4ffa8e99121f7b3b4485db5
Submitter: Jenkins
Branch: master

commit 058a23c0873723d5a4ffa8e99121f7b3b4485db5
Author: Lance Bragstad <email address hidden>
Date: Tue Aug 1 16:03:53 2017 +0000

    Remove duplicate roles from federated auth

    We were using a one-liner to prune duplicate role references from a
    list of roles, but it didn't work in all cases. This reworks the
    logic to pass the existing test case. I also added a comment
    explaining why the logic we used previously doesn't work so we can
    hopefully avoid the pattern in the future.

    Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
    Closes-Bug: 1701324

Reviewed: https://review.openstack.org/494238
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=10a9ef511dffb2e7dd19a075039e66fbf307ca85
Submitter: Jenkins
Branch: stable/pike

commit 10a9ef511dffb2e7dd19a075039e66fbf307ca85
Author: Lance Bragstad <email address hidden>
Date: Tue Aug 1 16:03:53 2017 +0000

    Remove duplicate roles from federated auth

    We were using a one-liner to prune duplicate role references from a
    list of roles, but it didn't work in all cases. This reworks the
    logic to pass the existing test case. I also added a comment
    explaining why the logic we used previously doesn't work so we can
    hopefully avoid the pattern in the future.

    Change-Id: Id786d6463364ad8f4f02c22bb83221baac4b83d0
    Closes-Bug: 1701324
    (cherry picked from commit 058a23c0873723d5a4ffa8e99121f7b3b4485db5)

This issue was fixed in the openstack/keystone 12.0.0.0rc2 release candidate.

This issue was fixed in the openstack/keystone 13.0.0.0b1 development milestone.

Change abandoned by Lance Bragstad (<email address hidden>) on branch: master
Review: https://review.openstack.org/481020
Reason: I believe this was already fixed in another patch [0].

[0] https://review.openstack.org/#/c/494049/