OpenStack Identity (keystone)

Keystone Admin: Can create a duplicate roleRef (role assignment) for a user

Bug #999594 reported by Rohit Karajgi
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Vincent Untz
OpenStack Identity (keystone) 2012.2 "folsom"

Bug Description

Our tempest test calls the create_role_ref() API and tests whether a duplicate roleRef can be created

Expected Result: A Duplicate error should be received during the second call create_role_ref()
Actual Result: HTTP 200 response status is received and a duplicate roleRef ID is created.

rohit@osbox:~/opt/stack/tempest$ nosetests -v -s tempest.tests.identity.test_roles:RolesTest.test_create_duplicate_user_role

Duplicate user role should not get created ...
First status ->{'date': 'Tue, 15 May 2012 10:19:08 GMT', 'content-type': 'application/json', 'content-length': '79', 'status': '200', 'vary': 'X-Auth-Token'}
First Response -> {u'id': u'69c88b4160494a27aabb38ed34a609e8', u'name': u'role29265233787'}
Second status ->{'date': 'Tue, 15 May 2012 10:19:13 GMT', 'content-type': 'application/json', 'content-length': '79', 'status': '200', 'vary': 'X-Auth-Token'}
Second Response -> {u'id': u'69c88b4160494a27aabb38ed34a609e8', u'name': u'role29265233787'}

ok

Revision history for this message
Joseph Heck (heckj) wrote :

Rohit -

Is there a tempest test against this that we can explicit run to verify/validate that the issue has been fully resolved?

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Dolph Mathews (dolph) wrote :

Is a second grant *actually* being created? Can you list the resulting duplicated role grants? (keystone user-role-list, for example)

Also, what response are you expecting? A 409?

Revision history for this message
Vincent Untz (vuntz) wrote :

I've looked at this a bit. The second grant is never created as far as I can see.

For the kvs and sql backends, it's all working fine because we use sets to make sure we don't duplicate grants. The ldap backend, however, raises an exception.Error. So whatever we do, we should make things consistent.

I guess returning a 409 error makes some sense.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/9009

Changed in keystone:
assignee: nobody → Vincent Untz (vuntz)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/9009
Committed: http://github.com/openstack/keystone/commit/7297afc75dd94771d5054daa20b1aa10aa5667d2
Submitter: Jenkins
Branch: master

commit 7297afc75dd94771d5054daa20b1aa10aa5667d2
Author: Vincent Untz <email address hidden>
Date: Tue Jun 26 17:04:08 2012 +0200

    Return a 409 error when adding a second time a role to user/tenant

    Fix bug 999594.

    When a user/tenant pair already has a role and there is a request to add
    the role to the pair, we can choose to either return 200 and let the
    client feel it's alright to do so, or return a 409 error (Conflict) to
    inform the client of the pre-existing role for the pair. I feel the
    latter is a bit more appropriate.

    The KVS and the pam backends were simply accepting the request, while
    the LDAP backend was raising an error. So be consistent, and always
    return 409.

    Change-Id: I7328d2932f6907d48e6422674eeeee22dc7a7149

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: folsom-3 → 2012.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.