Keystone client is unable to correctly look up names of federated users

Bug #1778989 reported by Lars Kellogg-Stedman on 2018-06-27
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)

Bug Description

When looking up a user in a domain, one can generally do this:

    openstack user show --domain testdomain testuser

Unfortunately, if testuser is a federated user, the above command will fail. For example:

  $ openstack domain list -c ID -c Name
  | ID | Name |
  | 2b47931027ef4b9e914ab158ef77ae07 | testdomain |
  | 3cb3f05971c243f08ec4715f228876f1 | heat_stack |
  | 6657bdf192594898a1b9b846296c5141 | 6657bdf192594898a1b9b846296c5141 |
  | default | Default |

In the above, 6657bdf192594898a1b9b846296c5141 is a domain for federated users that was auto-generated for an identity provider. There is one user in the domain:

  $ openstack user list --domain 6657bdf192594898a1b9b846296c5141
  | ID | Name |
  | 428641fc53664e3ba66bd52ff64ce37e | larsks |

But the following command fails:

  $ openstack user show --domain 6657bdf192594898a1b9b846296c5141 larsks
  No user with a name or ID of 'larsks' exists.

description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Lars Kellogg-Stedman (larsks) wrote :

The debug output for the failed request looks like:

  GET call to identity for used request id req-e38c00a2-2429-4443-8ef7-6ea8193a8eef
  Request returned failure status: 404
  REQ: curl -g -i -X GET -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}a5e664259619338463208b8baa268c118095eaf6" "GET /v3/users?domain_id=6657bdf192594898a1b9b846296c5141&name=larsks HTTP/1.1" 200 159
  RESP: [200] Date: Wed, 27 Jun 2018 19:46:33 GMT Server: Apache Vary: X-Auth-Token,Accept-Encoding x-openstack-request-id: req-0d425ee0-e947-4cfe-b1ad-e4fe3e400263 Content-Encoding: gzip Content-Length: 159 Content-Type: application/json
  RESP BODY: {"users": [], "links": {"self": "", "previous": null, "next": null}}

wangxiyuan (wangxiyuan) wrote :

I'm using master branch, deployed a k2k env, but can't reproduce, here is my step and env:

Adam Young (ayoung) wrote :

K2K does not work through Federated mapping, so I would expect that to work. Try using SAML and an external IdP.

Lars Kellogg-Stedman (larsks) wrote :

A federated user has an entry in the 'federated_users' table and in the 'users' table. On the other hand, in keystone.identity.backends.sql.get_user_by_name we only look up names in the local_user table (

    def get_user_by_name(self, user_name, domain_id):
        with sql.session_for_read() as session:
            query = session.query(model.User).join(model.LocalUser)
            query = query.filter(sqlalchemy.and_(
       == user_name,
                model.LocalUser.domain_id == domain_id))
                user_ref =
            except sql.NotFound:
                raise exception.UserNotFound(user_id=user_name)
            return base.filter_user(user_ref.to_dict())

This will never match for a federated user.

wangxiyuan (wangxiyuan) wrote :

@Adam, still can't reproduce using testshib as IdP :

@Lars, the request GET /v3/users?domain_id=6657bdf192594898a1b9b846296c5141&name=larsks won't go to the code you point.
It's here:

I just remember I had a fix for "list users with name": in Queens.
Does your keystone code contain this fix?

Changed in keystone:
status: Confirmed → Incomplete
importance: Medium → Undecided
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers