Comment 0 for bug 1242855

Brant Knudson (blk-u) wrote : Removing role adds role with LDAP backend

Using the LDAP assignment backend, if you remove a role from a user that the user doesn't have, then the user gets the role.

To recreate

0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):

In localrc,
 enable_service ldap
 KEYSTONE_IDENTITY_BACKEND=ldap
 KEYSTONE_ASSIGNMENT_BACKEND=ldap

1) set up environment with OS_USERNAME=admin

export OS_USERNAME=admin
...

2) Create a new user, give admin role, list roles:

$ keystone user-create --name blktest1 --pass blkpwd
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | 3b71182dc36e45c6be4733d508201694 |
|   name   |             blktest1             |
+----------+----------------------------------+

$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+

3) Remove a role from that user that they don't have (using anotherrole here since devstack sets it up):

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service

- Expected to fail with 404, but it doesn't!

4) List roles as that user:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
|                id                |     name    |             user_id              |            tenant_id             |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b |    admin    | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+

- Expected to not include the role that was just removed!

5) Remove the role again:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service

- No errors, which I guess is expected since list just said they had the role...

6) List roles, and now it's gone:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+

7) Remove role again:

$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)

- Strangely says user not found rather than role not assigned.
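The report above boils down to one invariant that any assignment backend should hold: removing a grant the user does not have must return 404 and must leave the user's role list unchanged. The following is an added example, not code from the bug report or from Keystone itself. It replays steps 2 to 4 of the reproduction against an in-memory backend so the invariant can be checked without a devstack or LDAP server. `SqlLikeBackend` is the correct behaviour; `ToggleBackend` is a hypothetical model that reproduces only the observed symptom (the remove path flips membership instead of checking it), and makes no claim about the actual cause in the LDAP driver.

```python
"""Invariant check for role unassignment, modelled on the reproduction
steps in bug 1242855. Added example: both backends are in-memory stand-ins,
not Keystone's LDAP or SQL assignment code."""


class NotFound(Exception):
    """Raised when a grant does not exist; the API maps this to HTTP 404."""


class SqlLikeBackend:
    """Correct behaviour: removing a grant the user does not hold raises
    NotFound and leaves the assignment set untouched."""

    def __init__(self):
        # Constructed state: set of (user_id, tenant_id, role_id) tuples.
        self.grants = set()

    def add_grant(self, user_id, tenant_id, role_id):
        self.grants.add((user_id, tenant_id, role_id))

    def remove_grant(self, user_id, tenant_id, role_id):
        key = (user_id, tenant_id, role_id)
        if key not in self.grants:
            raise NotFound("role %s not assigned to user %s" % (role_id, user_id))
        self.grants.remove(key)

    def list_roles(self, user_id, tenant_id):
        return sorted(r for (u, t, r) in self.grants
                      if u == user_id and t == tenant_id)


class ToggleBackend(SqlLikeBackend):
    """Hypothetical model of the reported symptom (not Keystone's code):
    remove flips membership instead of verifying it first, so a remove of an
    absent role silently grants it and a second remove takes it away again."""

    def remove_grant(self, user_id, tenant_id, role_id):
        key = (user_id, tenant_id, role_id)
        if key in self.grants:
            self.grants.remove(key)
        else:
            self.grants.add(key)


def check_unassign_invariant(backend, user_id, tenant_id, held_role, absent_role):
    """Replay the report: grant held_role, then remove absent_role (which the
    user does not have). Return a list of invariant violations; an empty list
    means the backend behaves correctly."""
    violations = []
    backend.add_grant(user_id, tenant_id, held_role)
    before = backend.list_roles(user_id, tenant_id)
    try:
        backend.remove_grant(user_id, tenant_id, absent_role)
        violations.append("removing an unassigned role did not raise NotFound")
    except NotFound:
        pass
    after = backend.list_roles(user_id, tenant_id)
    if after != before:
        violations.append("role list changed from %r to %r" % (before, after))
    if absent_role in after:
        violations.append("user gained role %r via remove" % absent_role)
    return violations


if __name__ == "__main__":
    # Constructed ids mirror the report: user holds admin, anotherrole is absent.
    for name, backend in (("sql-like", SqlLikeBackend()), ("toggle", ToggleBackend())):
        print(name, check_unassign_invariant(backend, "blktest1", "service",
                                             "admin", "anotherrole") or "ok")
```

The same check can be run against a live deployment by swapping the in-memory backend for thin wrappers around `user-role-add`, `user-role-remove` and `user-role-list`: the assertion that matters is that the role list after a failed remove equals the list before it.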