[Identity] Create user error in identity cookbook

Bug #1457533 reported by Jun Hong Li on 2015-05-21
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack + Chef
Xiaopei Liu

Bug Description

Currently, when creating a user in the identity cookbook, it queries the user with tenant in the :create_user action, using:

    output = identity_command(new_resource, 'user-list',
                              'tenant-id' => tenant_uuid)

The above code queries the users with tenant, then checks whether the given user is in the given tenant. So in some very special cases, the user already exists, but it's not in the given tenant, which will lead to a create error later in the :create_user action.

We'd better check whether the user already exists before creating it; if it does already exist, then we should call "keystone user-role-add" instead of "keystone user-create".

Jun Hong Li (junhongl) on 2015-05-21
summary: - Create user error in identity cookbook
+ [Identity] Create user error in identity cookbook
Mark Vanderwiel (vanderwl) wrote :

Good catch here. Is there also a case for where we might want to user-role-delete?

tags: added: identity
Changed in openstack-chef:
status: New → Confirmed
importance: Undecided → Medium
Mark Vanderwiel (vanderwl) wrote :

After some investigation, the create_user currently does not take in the role, so we can't call the user-role-add.
A user must have a role in order to do something within a project. Since all the cookbooks do the create_user action followed by the grant_role action, it seems reasonable that this case should work if the create_user did not specifically check for a user assigned to the given tenant/project. I will give that a try, but will need help in testing the edge cases like this. If this appears to be risky, it will have to wait until liberty.

You can only set the user's default project with the openstack cli, the keystone cli is deprecated and does not support this.

Mark Vanderwiel (vanderwl) wrote :

Looks like a simple solution for this is to just relax the check for existing user a bit. Right now it checks for BOTH user name and requested tenant. But there's really no need for including the tenant in the search. If the user already exists, but is associated with a different tenant, the next step, grant_role, will handle giving that user a role in the specified tenant. I'll put up a patch with that approach shortly.

Changed in openstack-chef:
assignee: nobody → Mark Vanderwiel (vanderwl)
milestone: none → kilo-rc1

Fix proposed to branch: master
Review: https://review.openstack.org/188428

Changed in openstack-chef:
status: Confirmed → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/190054

Changed in openstack-chef:
assignee: Mark Vanderwiel (vanderwl) → xiao pei liu (liuxpei)

Change abandoned by xiao pei liu (<email address hidden>) on branch: master
Review: https://review.openstack.org/190054
Reason: duplicate with https://review.openstack.org/188428

Reviewed: https://review.openstack.org/188428
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-identity/commit/?id=3951a0dcc032251c86b1b5b57d29792d7afa3f1d
Submitter: Jenkins
Branch: master

commit 3951a0dcc032251c86b1b5b57d29792d7afa3f1d
Author: Mark Vanderwiel <email address hidden>
Date: Thu Jun 4 09:53:41 2015 -0500

    Allow create_user to find existing user regardless of tenant

    The current code was checking for existing user ONLY in the
    requested tenant. But if the user already exists with another
    tenant, the create user call will fail. With this patch, it will
    skip the create and succeed, and then the grant_role action can
    be used to add a role for this user in the requested tenant.

    Change-Id: I0a96ed6103e9a7da7f2e50624ddaff45d2ed9881
    Closes-Bug: 1457533

Changed in openstack-chef:
status: In Progress → Fix Released
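
The before/after lookup behaviour discussed in this report, as an added Ruby example that is not the cookbook's own code. `FakeKeystone` and both `create_user_*` methods are hypothetical names, and the in-memory store is a constructed, simplified model of Keystone (user names unique across tenants, roles granted per tenant).

```ruby
# Constructed stand-in for Keystone: user names are unique across the whole
# deployment, while roles are granted per tenant. All names are hypothetical.
class FakeKeystone
  class Conflict < StandardError; end

  def initialize
    @users = {} # name => uuid
    @roles = {} # [uuid, tenant] => [role, ...]
  end

  # Like 'user-list': every user, or only users holding a role in the tenant.
  def user_list(tenant: nil)
    return @users.keys if tenant.nil?
    @users.select { |_, id| @roles.fetch([id, tenant], []).any? }.keys
  end

  def user_create(name, tenant)
    raise Conflict, "user #{name} already exists" if @users.key?(name)
    @users[name] = "uuid-#{@users.size + 1}"
    user_role_add(name, tenant, 'member') # assumed: create implies membership
  end

  # The call that the cookbook's grant_role action ends up making.
  def user_role_add(name, tenant, role)
    list = (@roles[[@users.fetch(name), tenant]] ||= [])
    list << role unless list.include?(role)
    list
  end

  def roles(name, tenant)
    @roles.fetch([@users[name], tenant], [])
  end
end

# Before the fix: existence is checked only inside the requested tenant, so a
# user that lives in another tenant is missed and the create call conflicts.
def create_user_tenant_scoped(keystone, name, tenant)
  return :exists if keystone.user_list(tenant: tenant).include?(name)
  keystone.user_create(name, tenant)
  :created
end

# After the fix: existence is checked across all tenants; the create is
# skipped and the role grant attaches the user to the requested tenant.
def create_user_any_tenant(keystone, name, tenant)
  return :exists if keystone.user_list.include?(name)
  keystone.user_create(name, tenant)
  :created
end
```
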