idp_id, protocol_id, unique_id and name filter doesn't work for list_users API when domain_specific_drivers_enabled is set
Bug #1748062 reported by wangxiyuan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | | |
Bug Description
When domain_
Reproduce:
1. set the domain_
2. Try to list the federated users by the "idp_id" filter. For example, if you already have a federated user whose idp_id is "demoidp", try this: GET /v3/users?
Please ensure the user driver is domain aware, that is, it should not be ldap.
Expect: the federated user whose idp_id=demoidp should be returned.
Actual: Nothing returned.
description: updated
Changed in keystone: status: New → Incomplete
Changed in keystone: status: Incomplete → Invalid
If domain_specific_drivers_enabled = true, keystone will get the domain_id from the request token if it's not specified in the request URL. So when listing users without filters, keystone will return all the users which are in the specified domain.
For example, there are three users:
userA, local, domain_id=default,
userB, federated, domain_id=XXX, idp_id=demoidp
userC, federated, domain_id=default, idp_id=demoidp
When calling GET /v3/users with a token whose domain_id=default, keystone will only return UserA and UserC. Then call GET /v3/users?idp_id=demoidp; Keystone will return UserC. If you want to get UserC, you should call GET /v3/users?domain_id=XXX, or use a token whose domain_id=XXX.
So I think Keystone's behavior is correct. We don't need to change anything.
I'll set the bug to Invalid if there is no other comment.
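The scoping order described in the comment above, as a simplified model. This is an added example, not keystone's code and not part of the original thread. The function names, the sample users (modelled on the three in the comment) and the behaviour when the option is disabled are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data modelled on the three users in the comment.
USERS = [
    {"name": "userA", "type": "local", "domain_id": "default", "idp_id": None},
    {"name": "userB", "type": "federated", "domain_id": "XXX", "idp_id": "demoidp"},
    {"name": "userC", "type": "federated", "domain_id": "default", "idp_id": "demoidp"},
]


def effective_domain(query, token_domain_id, domain_specific_drivers_enabled):
    """Pick the domain that scopes the listing (hypothetical helper)."""
    if "domain_id" in query:
        return query["domain_id"]      # explicit URL filter wins
    if domain_specific_drivers_enabled:
        return token_domain_id         # fall back to the token's domain
    return None                        # assumption: no implicit scoping when disabled


def list_users(url, token_domain_id, domain_specific_drivers_enabled=True):
    """Return the names of users matching the request after domain scoping."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    domain = effective_domain(query, token_domain_id,
                              domain_specific_drivers_enabled)
    # Every remaining query parameter is treated as an exact-match filter.
    filters = {k: v for k, v in query.items() if k != "domain_id"}
    names = []
    for user in USERS:
        if domain is not None and user["domain_id"] != domain:
            continue                   # outside the scoped domain: never visible
        if all(user.get(k) == v for k, v in filters.items()):
            names.append(user["name"])
    return names


if __name__ == "__main__":
    cases = [
        ("/v3/users", "default"),
        ("/v3/users?idp_id=demoidp", "default"),
        ("/v3/users?idp_id=demoidp&domain_id=XXX", "default"),
        ("/v3/users?idp_id=demoidp", "some-other-domain"),
    ]
    for url, token_domain in cases:
        print(f"token domain={token_domain:18} GET {url} -> "
              f"{list_users(url, token_domain)}")
```

The last case gives the empty result from the bug description: the idp_id filter only sees users inside the domain already chosen from the token.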