case sensitivity inconsistency when doing user get and user create

Hi Jerry,

You're using V2.0, right? I tried recreating this on V2.0 [1] and I found that V2.0 API documentation [2] seems to be wrong (unless I'm missing something).

Given that V2.0 is deprecated I'll probably have to defer to Morgan to determine what the fix will be with respect to the inconsistency in the docs.

[1] http://paste.openstack.org/show/132989/
[2] http://developer.openstack.org/api-ref-identity-v2.html#admin-users

Lance
It is not about getting user info by uuid or name. The issue i had is getting the user with all lowercase name didn't return any result, but creating that user by all lowercase name failed because there was a user with the name StevenK existing in database.

(openstack) user show StevenK
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | <email address hidden> |
| enabled | True |
| id | cab307b5740a414cb43017536454cbb5 |
| name | StevenK |
| username | StevenK |
+----------+----------------------------------+
(openstack) user show stevenk
ERROR: openstack No user with a name or ID of 'stevenk' exists.
(openstack) user create stevenk
ERROR: openstack Conflict occurred attempting to store user - Duplicate Entry (HTTP 409)

If I had to guess, I'd guess that somehow case sensitivity is happening in the 'get' , but not in the INSERT. That is weird, because in general the same index is used for both operations, and the same collation (utf8_general_ci, where ci == case insensitive) will be used... assuming this is a MySQL backed Keystone, which I believe it is.

Related bug: https://bugs.launchpad.net/keystone/+bug/1229093

Related discussion: http://lists.openstack.org/pipermail/openstack-dev/2013-September/015610.html

It looks like client problem and not a keystone server one.

All mysql tables uses utf8_general_ci, so all string operations are case insensitive. It's why you get

user create stevenk
ERROR: openstack Conflict occurred attempting to store user - Duplicate Entry (HTTP 409)

for mysql values are identical:

mysql> select * from user where name='Newuser';
+----------------------------------+---------+-----------------+----------+---------+-----------+--------------------+
| id | name | extra | password | enabled | domain_id | default_project_id |
+----------------------------------+---------+-----------------+----------+---------+-----------+--------------------+
| 66433a960fbd44599e1f4cccfd6489a8 | Newuser | {"email": null} | NULL | 1 | default | NULL |
+----------------------------------+---------+-----------------+----------+---------+-----------+--------------------+
1 row in set (0.00 sec)

mysql> select * from user where name='newuser';
+----------------------------------+---------+-----------------+----------+---------+-----------+--------------------+
| id | name | extra | password | enabled | domain_id | default_project_id |
+----------------------------------+---------+-----------------+----------+---------+-----------+--------------------+
| 66433a960fbd44599e1f4cccfd6489a8 | Newuser | {"email": null} | NULL | 1 | default | NULL |
+----------------------------------+---------+-----------------+----------+---------+-----------+--------------------+

However 'user show' command is very interesting. It treats the parameter as user ID and calls keystone's get_user(id). When name is used it returns NotFound. So then client invokes get_users() without any filters, gets list of all users and parses it locally to find a match. It's a reason why show command is case sensitive, because it has nothing to do with mysql collation.

Note - there is an interesting comment:

@controller.v2_deprecated
    def get_users(self, context):
        # NOTE(termie): i can't imagine that this really wants all the data
        # about every single user in the system...

however 'user show' uses it heavily.

I think this approach - to treat the parameter as ID, if fails - as name is far from perfect. Here is a situation when it gets wrong result:

(openstack) user show Newuser
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 66433a960fbd44599e1f4cccfd6489a8 |
| name | Newuser |
| username | Newuser |
+----------+----------------------------------+

(openstack) user create 66433a960fbd44599e1f4cccfd6489a8
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 3c1fea7066a84cc6a5ccf2292de5893d |
| name | 66433a960fbd44599e1f4cccfd6489a8 |
| username | 66433a960fbd44599e1f4cccfd6489a8 |
+----------+----------------------------------+

(openstack) user show 66433a960fbd44599e1f4cccfd6489a8
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 66433a960fbd44599e1f4cccfd6489a8 |
| name | Newuser |
| username | Newuser |
+----------+----------------------------------+

added tripleo because tripleo-incubator script need to be changed to work-around this bug before keystone client fixes it.

Reviewed: https://review.openstack.org/136479
Committed: https://git.openstack.org/cgit/openstack/tripleo-incubator/commit/?id=0cf3bd0de4f2c6c95af13eb3d76f0c6d5496d401
Submitter: Jenkins
Branch: master

commit 0cf3bd0de4f2c6c95af13eb3d76f0c6d5496d401
Author: Jerry Zhao <email address hidden>
Date: Fri Nov 21 11:55:17 2014 -0800

    use lowercase name to check for user/tenant existence

    keystone client's getuser/gettenant is case sensitive while create
    is not, which will cause failure to create user or tenant with
    letter case difference due to duplicate entry, so format user
    name and tenant name to lowercase as the filter string and the
    keystone ***-list output to lowercase as well,so that any case
    of duplication could be avoided.
    This is a work-around for keystoneclient bug: 1392035
    Partial-bug: #1392035

    Change-Id: I793fbef43d4321c6a991f89b6cfe0088fc24b58b

This is worked around in tripleo, but I'm leaving the bug open to track the fact that we should remove the workaround once Keystone has a fix.

This is something that should be fixed in the client not really something we can/should be fixing server side - as this would be a change in behavior.

This bug is > 365 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

[Expired for tripleo because there has been no activity for 60 days.]