GET /v3/role_assignments?effective&include_names API is blocked with 404 error when a group doesn't exist in the identity backend
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Matthew Edmonds | |
Ocata | Fix Committed | Medium | prashkre | |
Bug Description
In an environment with an LDAP server as the identity backend, consider an LDAP group, say "fakeGroup2", containing some users, which is assigned a role; this inserts records in the keystone.assignment table. After a while, if an admin removes that group from the identity backend, the role assignment still persists in the keystone.assignment table for that group.
So when someone invokes [0], in the flow [1] of getting effective role assignments, since group "fakeGroup2" doesn't exist in LDAP, it throws "Could not find group: fakeGroup2" with a 404 error, which we need to handle by displaying the other role_assignments instead of a NotFound error.
[0] GET /v3/role_
[1]
https:/
https:/
https:/
https:/
https:/
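The failure mode described above, as an added example (not keystone's code and not the committed fix): group assignments are expanded to per-user ones, and a row whose group is gone from the identity backend is collected as stale instead of failing the whole listing. `GroupNotFound`, `FakeIdentityBackend`, `list_users_in_group` and `expand_effective` are hypothetical names, and the data is constructed.

```python
class GroupNotFound(Exception):
    """Hypothetical stand-in for the backend's 'Could not find group' error."""


class FakeIdentityBackend:
    """Constructed in-memory stand-in for an LDAP identity backend."""

    def __init__(self, groups):
        self._groups = groups  # group_id -> list of user_ids

    def list_users_in_group(self, group_id):
        if group_id not in self._groups:
            raise GroupNotFound("Could not find group: %s" % group_id)
        return self._groups[group_id]


def expand_effective(assignments, identity):
    """Expand group assignments to per-user ones, tolerating stale groups.

    Returns (effective, stale): per-user assignments, plus the rows whose
    group no longer exists in the identity backend.
    """
    effective, stale = [], []
    for row in assignments:
        if "group_id" not in row:
            effective.append(dict(row))  # direct user assignment
            continue
        try:
            members = identity.list_users_in_group(row["group_id"])
        except GroupNotFound:
            stale.append(row)  # report for cleanup; keep serving the rest
            continue
        for user_id in members:
            effective.append({"user_id": user_id, "role_id": row["role_id"],
                              "project_id": row["project_id"]})
    return effective, stale


# Constructed sample data: fakeGroup2 was deleted from the backend after
# its role assignment had been stored.
BACKEND = FakeIdentityBackend({"devs": ["alice", "bob"]})
ASSIGNMENTS = [
    {"user_id": "carol", "role_id": "admin", "project_id": "p1"},
    {"group_id": "devs", "role_id": "member", "project_id": "p1"},
    {"group_id": "fakeGroup2", "role_id": "member", "project_id": "p2"},
]

if __name__ == "__main__":
    print(expand_effective(ASSIGNMENTS, BACKEND))
```

The `stale` list is the set of dangling grants an operator would review and purge from the assignment table.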
Changed in keystone:
assignee: nobody → prashkre (prashkre)
description: updated
Changed in keystone:
assignee: prashkre (prashkre) → Matthew Edmonds (edmondsw)
Changed in keystone:
milestone: none → pike-1
importance: Undecided → Low
importance: Low → Medium
I don't think include_names is needed to make this happen, if you have the fix for https://bugs.launchpad.net/keystone/+bug/1684820. But it still happens with effective even after that fix, so this is a new bug.