Validation of parameters during Create User

Bug #999084 reported by Rohit Karajgi
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad
Milestone: (not shown)

Bug Description

Affected version 2012.1 (essex/stable)

In addition to the fixes made by https://bugs.launchpad.net/keystone/+bug/987121, for Folsom,
the following validations should also be made during user creation. Currently there are no checks or
error responses returned for the following scenarios.

1. User with an empty name should not be created.
2. User with an empty password should not be created.
3. Email format should be validated while creating a user (currently email addresses such as '12345' are accepted by the API).
4. User having a password exceeding max length should not be created - there needs to be a password length limit defined.
The password belongs to a TEXT type field and can be injected with a huge number of characters (at least 64K).
I could create a user with a password of 256 characters.

The fixes made to https://bugs.launchpad.net/keystone/+bug/987121 should also get backported to stable/essex

Joseph Heck (heckj) wrote :

Rohit - as this is describing new functionality that will take more than a single commit to make, I suggest you create a blueprint in Keystone to cover this work.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: blueprint
Rohit Karajgi (rohitk) wrote :
Moh (ms-faraji-b)
Changed in keystone:
status: Triaged → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10235

Changed in keystone:
assignee: nobody → Moh (ms-faraji-b)
status: Confirmed → In Progress
tags: added: tempest
Sean Dague (sdague) wrote :

I'm not really convinced this should be stuck in tempest, we need to start moving these kinds of functional tests back to the projects where it's closer to the source.

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/27593

Changed in keystone:
assignee: Moh (ms-faraji-b) → Prem Karat (prem-karat)
Dolph Mathews (dolph) wrote :

Passwords are optional and should not be validated.

ls_andy (hw-ls000) wrote :

There is a similar problem: when creating a project (tenant), the parameter "enabled" should be validated. This parameter can be assigned an int value (like "5") rather than a bool value. But if we assign "5" to "enabled", the API "List Tenant" (CLI command "keystone tenant-list", REST request "List tenants") becomes unavailable.

Dolph Mathews (dolph) wrote :

ls_andy: that's actually by design (bool is a subclass of int in python), however I agree that it's unexpected behavior from the JSON / HTTP API perspective. Feel free to open a new bug if you'd like to see that behavior changed!
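The request-body checks asked for in the bug description (empty name, oversized password, malformed email) and the "enabled" type problem raised in the two comments above can be expressed as one validator. The following is an added example written for this page, not Keystone's own validation code; the length limits, the simplistic email pattern and the function names are assumptions. It treats the password as optional, as Dolph states, but bounds it when it is supplied, and it distinguishes a real bool from an int such as 5 with `type(value) is bool`, since `isinstance(5, int)` and `isinstance(True, int)` are both true in Python.

```python
import re

# Assumed limits for this example; they are not Keystone's configured values.
MAX_NAME_LENGTH = 255
MAX_PASSWORD_LENGTH = 255

# Deliberately simple shape check (local@domain.tld). It rejects '12345' as in
# the report; it is not an RFC 5322 parser.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_strict_bool(value):
    """True only for the bool literals. isinstance() cannot be used here
    because bool is a subclass of int, so isinstance(5, int) is True and
    isinstance(True, int) is also True."""
    return type(value) is bool


def validate_create_user(body):
    """Return a list of error strings for a create-user request body (a dict).
    An empty list means the body is acceptable."""
    errors = []

    # 1. name is required and must not be empty or whitespace only
    name = body.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name: must be a non-empty string")
    elif len(name) > MAX_NAME_LENGTH:
        errors.append("name: exceeds %d characters" % MAX_NAME_LENGTH)

    # 2./4. password is optional; when present it must be non-empty and bounded
    if "password" in body and body["password"] is not None:
        password = body["password"]
        if not isinstance(password, str) or password == "":
            errors.append("password: if supplied, must be a non-empty string")
        elif len(password) > MAX_PASSWORD_LENGTH:
            errors.append("password: exceeds %d characters" % MAX_PASSWORD_LENGTH)

    # 3. email is optional; when present it must look like an address
    if "email" in body and body["email"] is not None:
        email = body["email"]
        if not isinstance(email, str) or not EMAIL_RE.match(email):
            errors.append("email: not a valid address")

    # enabled must be a JSON boolean, not an int that Python would accept
    if "enabled" in body and not is_strict_bool(body["enabled"]):
        errors.append("enabled: must be true or false, got %r" % (body["enabled"],))

    return errors


if __name__ == "__main__":
    # Constructed sample bodies mirroring the scenarios in the report.
    for sample in ({"name": "alice", "password": "s3cret", "email": "alice@example.com", "enabled": True},
                   {"name": ""},
                   {"name": "bob", "password": "p" * 256},
                   {"name": "bob", "email": "12345"},
                   {"name": "bob", "enabled": 5}):
        print(sample.get("name"), validate_create_user(sample))
```

Rejecting the request at the API layer keeps an over-long value from ever reaching the TEXT column the report mentions, and a 400 with the field name tells the client what to fix without leaking anything about the backend.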

Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Prem Karat (prem-karat) → nobody
status: In Progress → Triaged
Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung)
Changed in keystone:
assignee: Adam Young (ayoung) → nobody
Changed in keystone:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
Changed in keystone:
assignee: Juan Antonio Osorio Robles (juan-osorio-robles) → nobody
Lance Bragstad (lbragstad) wrote :

We might be able to leverage:

https://review.openstack.org/#/c/86483/

to close this once the JSON schema validator is applied to the Identity API.

https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:validator,n,z

Ajaya Agrawal (ajayaa) wrote :
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/132122

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Adam Young (ayoung) wrote :

The problem is that the password and userid fields are truncating, which is a backend issue, not a schema issue.

MySQL should have an option to not truncate if the string is too long, and instead throw an exception. Or the SqlAlchemy layer should allow for querying the schema in a RDBMS agnostic way.

I suspect that, at least for the user table, we should be setting STRICT_TRANS_TABLES, although STRICT_ALL_TABLES will ensure this is settled across all of the tables, and may be what we want.
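The comment above separates two defences: make the database refuse over-long values instead of truncating them (MySQL's STRICT_*_TABLES), and have the application read the declared column width from the schema so it can reject the value before the INSERT on any backend. The following added example, written for this page rather than taken from Keystone, shows the second half with the standard-library sqlite3 module and a constructed `user` table; the column widths are assumptions. It reads the declared lengths from SQLite's PRAGMA table_info catalogue (a real implementation would use SQLAlchemy reflection to stay RDBMS agnostic) and also shows why the check is needed: SQLite ignores the declared VARCHAR length entirely and stores all 256 characters, while MySQL without strict mode would silently truncate them, so neither backend enforces the limit by default.

```python
import re
import sqlite3

# Constructed schema for the demonstration; the real Keystone user table and
# its column widths are not reproduced here.
SCHEMA = """
CREATE TABLE user (
    id       VARCHAR(64)  PRIMARY KEY,
    name     VARCHAR(255) NOT NULL,
    password VARCHAR(128)
);
"""

# Matches declared types such as VARCHAR(128) and captures the width.
_LEN_RE = re.compile(r"^\w+\((\d+)\)$")


def new_db():
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def declared_lengths(conn, table):
    """Map column name -> declared character width, read from the catalogue
    instead of being hard-coded in the application. PRAGMA table_info rows are
    (cid, name, type, notnull, dflt_value, pk)."""
    lengths = {}
    for _cid, name, col_type, *_rest in conn.execute("PRAGMA table_info(%s)" % table):
        match = _LEN_RE.match(col_type.strip())
        if match:
            lengths[name] = int(match.group(1))
    return lengths


def oversized_columns(conn, table, row):
    """Return the columns of `row` whose string value exceeds the declared
    width. An empty list means the row can be stored without truncation."""
    limits = declared_lengths(conn, table)
    return [col for col, value in row.items()
            if isinstance(value, str) and col in limits and len(value) > limits[col]]


def insert_unchecked(conn, row):
    """Insert with no length check and return how many characters the backend
    actually kept. SQLite keeps everything regardless of VARCHAR(n); MySQL in
    non-strict mode would keep only the first n and discard the rest silently."""
    conn.execute("INSERT INTO user (id, name, password) VALUES (?, ?, ?)",
                 (row["id"], row["name"], row["password"]))
    return conn.execute("SELECT length(password) FROM user WHERE id = ?",
                        (row["id"],)).fetchone()[0]


def demo():
    """Run the check on a constructed 256-character password and report
    (columns the check flags, characters the backend stored without the check)."""
    conn = new_db()
    row = {"id": "u1", "name": "alice", "password": "p" * 256}
    flagged = oversized_columns(conn, "user", row)
    stored = insert_unchecked(conn, row)
    return flagged, stored


if __name__ == "__main__":
    print(demo())
```

With the schema-derived limit the API can return a clear 400 before the row is written, which is the behaviour the original report asks for; relying on the database alone gives either silent truncation (MySQL non-strict), a backend-specific error surfaced as a 500 (MySQL strict), or no enforcement at all (SQLite).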

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
assignee: Lin Hua Cheng (lin-hua-cheng) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
assignee: Lin Hua Cheng (lin-hua-cheng) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Brant Knudson (blk-u)
Brant Knudson (blk-u)
Changed in keystone:
assignee: Brant Knudson (blk-u) → Lance Bragstad (lbragstad)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/132122
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f2103ffdcd2523662f791c01aaf94709cec06cf3
Submitter: Jenkins
Branch: master

commit f2103ffdcd2523662f791c01aaf94709cec06cf3
Author: Lance Bragstad <email address hidden>
Date: Thu Oct 30 21:58:29 2014 +0000

    Implement validation on the Identity V3 API

    Use JSONSchema to validate CRUD operations on the V3 Identity resources.
    This includes wrapping the create and update methods for Users and
    Groups.

    Co-Authored-By: Lin Hua Cheng <email address hidden>

    Change-Id: Ia260838c85f897c52740217d8d222bb86edc11c6
    bp: identity-api-validation
    Closes-Bug: #999084
    Closes-Bug: #1387605

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-1 → 8.0.0