GET /v3/role_assignments?effective&include_names API fails with unexpected 500 error

We have documentation that explains how to map attributes, like `name`, from LDAP to keystone [0]. I would be curious to see if you still end up with the same issue after reading and applying the configuration in those docs.

[0] https://docs.openstack.org/keystone/latest/configuration.html#using-an-ldap-server

Marking this as invalid for now. Please feel free to reopen this if there are further issues after following the instructions in comment #1.

Yeah, those instructions were followed, but the problem here was that some users didn't have a value set in the property that was used for name. More specifically, the customer used a field that holds the email address as the name, and some users didn't have an email address. But even beyond that, we couldn't tell them to use a different LDAP attribute because there was no single attribute that consistently had a value for all users, even cn. You could argue that LDAP was misconfigured, but good luck getting that fixed in a large enterprise environment (which this was). You could argue that keystone was misconfigured, but in this case there was not a better LDAP attribute to use for name. So I'd like to see keystone handle this better somehow. Could keystone report a name of "" or "<missing>" or something when the attribute that is supposed to have the name is not found on a given resource?

Populating the name with a key like '<missing>' would work, but I think it would lead to confusion and it would push edge cases into clients. Are user's expected to always authenticate with IDs? Do they know their ID and not their username? What is the ID of the user in this case? I see two options if keystone has to deal with misconfigured LDAP installations.

1.) Keystone emits a known token in place of the name, like '<missing>'. What happens to scripts or tools that programmatically do things with the response? Do they have to hard-code how to deal with a special key?

2.) Keystone omits the name attribute in cases where the LDAP entry doesn't have the attribute. This would keep the clients from having to program around a misconfigured LDAP. At the same time, it's backward incompatible since the API guarantees a name attribute be returned.

For SQL installations, we require a name in order to function properly. I'm unsure letting LDAP slide on that requirement is a good thing long term.

I think it would be perfectly reasonable to say that users without a name can't login. Maybe we could even go a step further and filter them within keystone, i.e. act like they don't exist. The more I think of that, the more I like it. It maintains the requirement that users have names, without disrupting users that do have names.

If we want to enforce the requirement of names, and a valid attribute mapping in case of LDAP deployments, do we bother with a fix? Having conditionals around an attribute keystone requires to be present seems like a contradiction. A fix here will also prolong proper configuration (of LDAP, not keystone).

Another possible route would be to document a way to do this on the LDAP side. If an LDAP deployment doesn't have a consistent attribute to use for names, then couldn't they iterate through all their users and create an attribute specifically for it (e.g. openstack-name)?

"proper" configuration of LDAP isn't going to happen, so fixing this isn't prolonging that...

Similarly, documenting a way to address this on the LDAP side will do nothing. That's not going to happen either.

The only place this can be fixed is in keystone. And I don't see why it would be a contradiction to filter users that don't have fields we require... that just seems right to me.

Setting this to Low since there is a work around.

For what it's worth - this is change the response code from a 5XX response code to something else (either a 4XX or 2XX depending on the request). That should be fine according to the API WG guidelines [0].

[0] http://specs.openstack.org/openstack/api-wg/guidelines/api_interoperability.html#evaluating-api-changes

Fix proposed to branch: master
Review: https://review.openstack.org/485302

Reviewed: https://review.openstack.org/485302
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bb2b215b539b56c01e9a0c7acd9fd62ed1529ebc
Submitter: Jenkins
Branch: master

commit bb2b215b539b56c01e9a0c7acd9fd62ed1529ebc
Author: prashkre <email address hidden>
Date: Wed Jul 19 23:37:02 2017 +0530

    Filter users and groups in ldap

    All users and groups are required to have a name. Prior to this fix,
    Keystone was not properly enforcing this for LDAP users and groups.
    Keystone will now ignore users and groups that do not have a value for
    the LDAP attribute which Keystone has been configured to use for that
    entity's name.

    Closes-Bug: #1704205

    Change-Id: I424813785b7a355514ef42f1e4c6384b8a78b256

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/490138

This issue was fixed in the openstack/keystone 12.0.0.0rc1 release candidate.

Reviewed: https://review.openstack.org/490138
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=16d8f0d11f0ab9678b7e99f063fcce23d32c3c3b
Submitter: Jenkins
Branch: stable/ocata

commit 16d8f0d11f0ab9678b7e99f063fcce23d32c3c3b
Author: prashkre <email address hidden>
Date: Wed Jul 19 23:37:02 2017 +0530

    Filter users and groups in ldap

    All users and groups are required to have a name. Prior to this fix,
    Keystone was not properly enforcing this for LDAP users and groups.
    Keystone will now ignore users and groups that do not have a value for
    the LDAP attribute which Keystone has been configured to use for that
    entity's name.

    Closes-Bug: #1704205

    Change-Id: I424813785b7a355514ef42f1e4c6384b8a78b256
    (cherry picked from commit bb2b215b539b56c01e9a0c7acd9fd62ed1529ebc)

This issue was fixed in the openstack/keystone 11.0.4 release.