`openstack group contains user` hides real client and server errors

Bug #1672634 reported by Colleen Murphy on 2017-03-14
Affects: python-openstackclient
Status: Fix Released
Importance: Medium
Assigned to: Colleen Murphy

Bug Description

If keystone is misconfigured, calling `openstack group contains user $group $user` may result in the response '$user not in $group' when the reality is that the keystone server experienced an error and returned a 500. In my case, pyldap was raising a DECODING_ERROR because I needed to set [ldap]/group_members_are_ids, but openstackclient's error message was leading me to believe that I had misconfigured [ldap]/group_member_attribute or that in fact the user was not in the group.

In keystone, HEAD /v3/groups/{group_id}/users/{user_id} returns a 404 if the given user is not in the given group. It may also return a 403 to indicate that the resources being compared have different backends, which would also indicate that the user is not in the group. Therefore openstackclient should interpret a 403 or a 404 as an acceptable negative response and any other 4XX or 5XX response as an error to which the user should be alerted.
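
The behaviour described in this report, as an added example that is not part of the report and is not python-openstackclient or keystone code: `HttpError`, `FakeIdentity` and both `contains_user_*` functions are hypothetical stand-ins, and the group, user and status values are constructed sample data.

```python
class HttpError(Exception):
    """Constructed stand-in for the HTTP error an identity client raises."""
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status


class FakeIdentity:
    """Constructed backend: maps (group, user) to the status the HEAD call returns."""
    def __init__(self, responses):
        self.responses = responses

    def check_in_group(self, user, group):
        status = self.responses[(group, user)]
        if status >= 400:
            raise HttpError(status)
        return True  # 204 No Content: the user is a member


def contains_user_broad(identity, group, user):
    """Reported behaviour: every failure, including a 500, reads as 'not in group'."""
    try:
        identity.check_in_group(user, group)
    except Exception:
        return f"{user} not in group {group}"
    return f"{user} in group {group}"


NEGATIVE_STATUSES = (403, 404)  # per the report: different backends, or not a member


def contains_user_narrow(identity, group, user):
    """Requested behaviour: only 403/404 are a negative answer, the rest propagate."""
    try:
        identity.check_in_group(user, group)
    except HttpError as exc:
        if exc.status in NEGATIVE_STATUSES:
            return f"{user} not in group {group}"
        raise  # any other 4XX or 5XX is an error the operator must see
    return f"{user} in group {group}"


# Constructed sample data: member, non-member, cross-backend pair, broken LDAP backend.
IDENTITY = FakeIdentity({
    ("admins", "alice"): 204,
    ("admins", "bob"): 404,
    ("sql-group", "dave"): 403,
    ("ldap-ops", "carol"): 500,
})
```

With the broad handler, the `carol` lookup against the failing backend is indistinguishable from the `bob` lookup; with the narrow handler it raises instead of returning a membership answer.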

Colleen Murphy (krinkle) wrote :

Not sure why the 'closes-bug' isn't automatically linking the patch but here it is: https://review.openstack.org/#/c/445257/

Changed in python-openstackclient:
importance: Undecided → Medium
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress

Reviewed: https://review.openstack.org/445257
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=853ea5ab59e5d7845d389e46527038575c3c170c
Submitter: Jenkins
Branch: master

commit 853ea5ab59e5d7845d389e46527038575c3c170c
Author: Colleen Murphy <email address hidden>
Date: Tue Mar 14 01:24:31 2017 +0100

    Narrow expected responses for CheckUserInGroup

    When checking whether a given user is in a given group, keystone will
    return a 404 Not Found if all went well but the user was not in the
    group. It may also return a 403 if the user and the group are in
    different backends, which would also mean that the user was not in the
    group[1]. Any other 400 response is a client error and any 500 response
    is a server error to which the user should be alerted.

    Without this patch, openstackclient treats any exception as a valid "not
    found" and may end up hiding server errors. This patch reduces the
    caught exceptions to 403 and 404 responses and treats everything else as
    an error.

    [1] https://developer.openstack.org/api-ref/identity/v3/?expanded=check-whether-user-belongs-to-group-detail#check-whether-user-belongs-to-group

    Closes-bug: #1672634

    Change-Id: Id3f3b2409b7cee480ee3c19b6d6c3070599ffe8f

Changed in python-openstackclient:
status: In Progress → Fix Released

This issue was fixed in the openstack/python-openstackclient 3.10.0 release.
