[LDAP] user_allow_create = False does not raise 403 Forbidden on POST /users

Bug #1174451 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Eric Brown

Bug Description

Calling POST /users on a pre-populated LDAP backend where user_allow_create = False and the specified user already exists returns a 409 Conflict (after the backend has already searched the directory for the name) instead of failing fast with a 403 Forbidden before any work is done.

2013-04-29 16:50:25 DEBUG [eventlet.wsgi.server] (9072) accepted ('127.0.0.1', 44390)

2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] ******************** REQUEST ENVIRON ********************
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] SCRIPT_NAME = /v2.0
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] webob.adhoc_attrs = {'response': <Response at 0x3fbb550 200 OK>}
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] REQUEST_METHOD = POST
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] PATH_INFO = /users
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] SERVER_PROTOCOL = HTTP/1.0
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] REMOTE_ADDR = 127.0.0.1
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] CONTENT_LENGTH = 135
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] HTTP_X_AUTH_TOKEN = 999888777666
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] HTTP_USER_AGENT = Chef keystone_user
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] HTTP_CONNECTION = close
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] eventlet.posthooks = []
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] RAW_PATH_INFO = //v2.0/users
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] REMOTE_PORT = 44390
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] eventlet.input = <eventlet.wsgi.Input object at 0x3fbb450>
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.url_scheme = http
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] webob._body_file = (<_io.BufferedReader>, <eventlet.wsgi.Input object at 0x3fbb450>)
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] SERVER_PORT = 35357
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.input = <_io.BytesIO object at 0x3c96a70>
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] openstack.context = {'token_id': '999888777666', 'is_admin': True}
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] HTTP_HOST = 127.0.0.1:35357
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.multithread = True
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] openstack.params = {u'user': {u'email': None, u'password': u'NR9e3quORn3AT44uwz5n', u'enabled': 1, u'name': u'monitoring', u'tenantId': u'4bc9cbdf979844449b9017b7b33abba9'}}
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] HTTP_ACCEPT = */*
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.version = (1, 0)
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] SERVER_NAME = 127.0.0.1
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] GATEWAY_INTERFACE = CGI/1.1
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.run_once = False
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.errors = <open file '<stderr>', mode 'w' at 0x7fc4ad1c0270>
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] wsgi.multiprocess = False
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] webob.is_body_seekable = True
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] CONTENT_TYPE = application/json
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi]
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] ******************** REQUEST BODY ********************
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] {"user":{"tenantId":"4bc9cbdf979844449b9017b7b33abba9","name":"monitoring","password":"NR9e3quORn3AT44uwz5n","email":null,"enabled":1}}
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi]
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] arg_dict: {}
2013-04-29 16:50:25 DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://10.181.143.15
2013-04-29 16:50:25 DEBUG [keystone.common.ldap.core] LDAP bind: dn=CN=Administrator,CN=Users,DC=rcbops,DC=me
2013-04-29 16:50:25 DEBUG [keystone.common.ldap.core] LDAP search: dn=OU=Tenants,DC=rcbops,DC=me, scope=1, query=(&(cn=4bc9cbdf979844449b9017b7b33abba9)(objectClass=groupOfNames)), attrs=['businessCategory', 'cn', 'extensionName', 'ou', 'description']
2013-04-29 16:50:25 DEBUG [keystone.common.ldap.core] LDAP init: url=ldap://10.181.143.15
2013-04-29 16:50:25 DEBUG [keystone.common.ldap.core] LDAP bind: dn=CN=Administrator,CN=Users,DC=rcbops,DC=me
2013-04-29 16:50:25 DEBUG [keystone.common.ldap.core] LDAP search: dn=CN=Users,DC=rcbops,DC=me, scope=1, query=(&(cn=monitoring)(objectClass=person)), attrs=['businessCategory', 'userPassword', 'userAccountControl', 'mail', 'cn']
2013-04-29 16:50:25 WARNING [keystone.common.wsgi] Conflict occurred attempting to store user. Duplicate name, monitoring.
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] ******************** RESPONSE HEADERS ********************
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] Content-Type = application/json
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] Content-Length = 131
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi]
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] ******************** RESPONSE BODY ********************
2013-04-29 16:50:25 DEBUG [keystone.common.wsgi] {"error": {"message": "Conflict occurred attempting to store user. Duplicate name, monitoring.", "code": 409, "title": "Conflict"}}
2013-04-29 16:50:25 INFO [access] 127.0.0.1 - - [29/Apr/2013:16:50:25 +0000] "POST http://127.0.0.1:35357/v2.0/users HTTP/1.0" 409 131
2013-04-29 16:50:25 DEBUG [eventlet.wsgi.server] 127.0.0.1 - - [29/Apr/2013 16:50:25] "POST //v2.0/users HTTP/1.1" 409 285 0.033216

2013-04-29 16:50:25 DEBUG [eventlet.wsgi.server] (9072) accepted ('127.0.0.1', 44393)

Config:

user_tree_dn = CN=Users,DC=rcbops,DC=me
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = password,tenantId,tenants,domain_id
user_allow_create = False
user_allow_update = False
user_allow_delete = False

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Low
status: New → Triaged
summary: - user_allow_create = False does not raise 403 Forbidden on POST /users
+ [LDAP] user_allow_create = False does not raise 403 Forbidden on POST /users
Eric Brown (ericwb)
Changed in keystone:
assignee: nobody → Eric Brown (ericwb)
status: Triaged → In Progress
Eric Brown (ericwb) wrote :

I think the problem is even worse when deleting a user with user_allow_delete=False. In this case, backends/ldap.py removes assignments, removes the user from any groups, removes the user from any projects, then it calls the base ldap/core.py to delete the user, which results in a 403 Forbidden. So the user_allow_delete check needs to be sooner in the call.

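The ordering problem from the bug description (create answering 409 instead of 403) and from Eric's comment above (delete destroying assignments before the 403), as an added example that is not keystone's code: a constructed in-memory stand-in for the LDAP user tree with the pre-fix and post-fix check order side by side. FakeDirectory, Refused, status_of and the create_user_*/delete_user_* functions are hypothetical names; the real code lives in keystone's backends/ldap.py and ldap/core.py.

```python
# Added example, not keystone's code: every name below is a hypothetical stand-in.

class Refused(Exception):
    def __init__(self, code):
        self.code = code  # 403: backend configured read-only, 409: duplicate name

class FakeDirectory:
    # Constructed in-memory stand-in for the LDAP user tree plus role assignments.
    def __init__(self, users, assignments, allow_create=False, allow_delete=False):
        self.users = set(users)               # entries under user_tree_dn
        self.assignments = dict(assignments)  # user name -> set of project ids
        self.allow_create = allow_create      # user_allow_create
        self.allow_delete = allow_delete      # user_allow_delete

def create_user_old(d, name):
    # Pre-fix order: duplicate check before allow check, so an existing name gets 409.
    if name in d.users:
        raise Refused(409)
    if not d.allow_create:
        raise Refused(403)
    d.users.add(name)

def create_user_fixed(d, name):
    # Post-fix order: refuse before any directory traffic.
    if not d.allow_create:
        raise Refused(403)
    if name in d.users:
        raise Refused(409)
    d.users.add(name)

def delete_user_old(d, name):
    # Pre-fix order: assignments go first, so the 403 arrives after data is destroyed.
    d.assignments.pop(name, None)
    if not d.allow_delete:
        raise Refused(403)
    d.users.discard(name)

def delete_user_fixed(d, name):
    # Post-fix order: the allow check guards every side effect.
    if not d.allow_delete:
        raise Refused(403)
    d.assignments.pop(name, None)
    d.users.discard(name)

def status_of(fn, d, name):  # -> HTTP status the API layer would return
    try:
        fn(d, name)
        return 200
    except Refused as e:
        return e.code
```

With the report's directory state (an existing "monitoring" user, both flags False) the old order answers 409 on create and silently drops the user's assignments on delete; the fixed order answers 403 in both cases and leaves the directory untouched.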
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/66759

Dolph Mathews (dolph) wrote :

Eric: agree! Increased the priority of this.

Changed in keystone:
importance: Low → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/66759
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5cc1906429c6b77bb644f8387b5507dc3a682e06
Submitter: Jenkins
Branch: master

commit 5cc1906429c6b77bb644f8387b5507dc3a682e06
Author: Eric Brown <email address hidden>
Date: Tue Jan 14 20:11:17 2014 -0800

    Improve forbidden checks

    New functions were created to check 'allowed' access because the previous design
    was checking after changes were possibly made.

    Changed the unit test to use an already created user to simulate the original
    error that was reported.

    Change-Id: I9f7e56a5afd9624070fffef6672ef88cd549f210
    Closes-Bug: #1174451

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → 2014.1