OpenStack Identity (keystone)

Resolving the members of a group with no members in LDAP throws an exception

Bug #1751048 reported by Jose Castro Leon on 2018-02-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Invalid	Undecided	Unassigned

Bug Description

In an environment with an ldap server as identity backend, if a group with no members has a role on a project, if you try to resolve the memberships on a specific project it will throw an exception.

This is caused as when searching from members in a group in LDAP, if it does not have any it returns empty and in the code is always assuming that there is at least an object returned

Jose Castro Leon (jose-castro-leon) on 2018-02-22

Changed in keystone:
status:	New → Invalid

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-04-06:

I could see where keystone could handle this a bit better. Is this no longer a concern?

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2018-04-06:

Actually - I'm attempting to recreate this locally, but I'm unable to get it to throw an error. I have a group in a Users domain that has a role assignment on a project within that same domain. There are no users in the group.

At that point, is there a specific API you're calling that causes this to fail?

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.