Resolving the members of a group with no members in LDAP throws an exception

Bug #1751048 reported by Jose Castro Leon
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |

Bug Description

In an environment with an LDAP server as the identity backend, if a group with no members has a role on a project and you try to resolve the memberships on a specific project, it will throw an exception.

This happens because, when searching for members of a group in LDAP, if the group does not have any, the search returns empty, and the code always assumes that at least one object is returned.
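
Added example (not part of the bug report and not keystone's code): a hypothetical Python illustration of the failure mode described above, next to a version that treats an empty search as an empty membership. The function names and directory entries are constructed; the result shape assumed is the one python-ldap's search_s() returns.

```python
# Added example. Results use the shape python-ldap's search_s() returns:
# a list of (dn, {attribute: [bytes, ...]}) tuples. All entries are constructed.

EMPTY_SEARCH = []  # the search matched nothing
GROUP_NO_MEMBER_ATTR = [("cn=empty,ou=Groups,dc=example,dc=org", {"cn": [b"empty"]})]
GROUP_WITH_MEMBERS = [
    ("cn=ops,ou=Groups,dc=example,dc=org",
     {"cn": [b"ops"], "Member": [b"uid=alice,ou=Users,dc=example,dc=org", b""]}),
    (None, ["ldap://other.example.org/dc=example,dc=org"]),  # referral entry
]


def first_entry_members(results, member_attr="member"):
    """Hypothetical fragile pattern: assumes at least one object came back."""
    _dn, attrs = results[0]  # IndexError on an empty result list
    return [v.decode("utf-8") for v in attrs[member_attr]]  # KeyError if absent


def group_member_dns(results, member_attr="member"):
    """Return member DNs; an empty or memberless group yields []."""
    wanted = member_attr.lower()
    members = []
    for dn, attrs in results or []:
        if dn is None or not isinstance(attrs, dict):
            continue  # skip referrals, which carry a list of URLs instead
        for name, values in attrs.items():
            if name.lower() != wanted:  # attribute names are case-insensitive
                continue
            for raw in values:
                value = raw.decode("utf-8").strip()
                if value:  # ignore blank values
                    members.append(value)
    return members


def outcome(func, results):
    """Run func and report either its result or the exception type name."""
    try:
        return func(results)
    except (IndexError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for label, data in [("empty search", EMPTY_SEARCH),
                        ("no member attribute", GROUP_NO_MEMBER_ATTR),
                        ("with members", GROUP_WITH_MEMBERS)]:
        print(label, outcome(first_entry_members, data), outcome(group_member_dns, data))
```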

Changed in keystone:
status: New → Invalid
Lance Bragstad (lbragstad) wrote :

I could see where keystone could handle this a bit better. Is this no longer a concern?

Lance Bragstad (lbragstad) wrote :

Actually - I'm attempting to recreate this locally, but I'm unable to get it to throw an error. I have a group in a Users domain that has a role assignment on a project within that same domain. There are no users in the group.

At that point, is there a specific API you're calling that causes this to fail?
