GET /v3/role_assignments?effective&include_names API is blocked with 404 error when a group doesn't exist in the identity backend

Bug #1693510 reported by prashkre
This bug affects 1 person
Affects / Status / Importance / Assigned to / Milestone
OpenStack Identity (keystone): Fix Released, Medium, assigned to Matthew Edmonds
Ocata: Fix Committed, Medium, assigned to prashkre

Bug Description

In an environment with an LDAP server as the identity backend, consider an LDAP group, say "fakeGroup2", containing some users, that is assigned a role, which inserts records into the keystone.assignment table. After a while, if an admin removes that group from the identity backend, the role assignment still persists in the keystone.assignment table for that group.

So when someone invokes [0], in the flow [1] of getting effective role assignments, since group "fakeGroup2" doesn't exist in LDAP, it throws "Could not find group: fakeGroup2" with a 404 error, which we need to handle by displaying the other role_assignments instead of a NotFound error.

[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
[1]
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L923
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L839
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L467 >> here it is trying to get the users for each of the LDAP groups.
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L128
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L449 >> since the group was removed from the LDAP backend, it throws exception.GroupNotFound.
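
The flow the description walks through, modelled as an added example rather than keystone's own code: the effective listing walks assignment rows and asks the identity backend for the members of each group; a group deleted out of band in LDAP makes that lookup raise, and the pre-fix expansion lets the exception escape as a 404 for the whole request, while the fixed expansion treats the missing group as having no members. GroupNotFound, FakeIdentityBackend, the row layout, and the function names are assumptions made for this illustration; the merged fix in keystone catches the NotFound from list_users_in_group and substitutes an empty user list, which is what tolerate_missing_group=True mirrors here.

```python
"""Expanding group role assignments into effective per-user assignments.

Added example, not keystone's code. GroupNotFound stands in for
keystone.exception.GroupNotFound; FakeIdentityBackend stands in for the
LDAP identity driver; ASSIGNMENTS is a constructed slice of the
keystone.assignment table after fakeGroup2 was removed from LDAP.
"""


class GroupNotFound(Exception):
    """Stand-in for keystone.exception.GroupNotFound (assumption)."""


class FakeIdentityBackend:
    """Constructed stand-in for an LDAP identity driver: group id -> user ids."""

    def __init__(self, groups):
        self._groups = {g: list(members) for g, members in groups.items()}

    def list_users_in_group(self, group_id):
        # The LDAP driver raises when the group entry no longer exists.
        if group_id not in self._groups:
            raise GroupNotFound("Could not find group: %s" % group_id)
        return list(self._groups[group_id])


# Constructed rows: fakeGroup2's GroupProject row is still present even
# though the group itself has been deleted from the identity backend.
ASSIGNMENTS = [
    {"type": "UserProject", "actor_id": "alice", "target_id": "proj1", "role_id": "member"},
    {"type": "GroupProject", "actor_id": "fakeGroup1", "target_id": "proj1", "role_id": "admin"},
    {"type": "GroupProject", "actor_id": "fakeGroup2", "target_id": "proj1", "role_id": "member"},
]

BACKEND = FakeIdentityBackend({"fakeGroup1": ["bob", "carol"]})  # fakeGroup2 is gone


def list_effective_assignments(assignments, identity, project_id,
                               tolerate_missing_group=True):
    """Return effective (user, project, role) assignments for project_id.

    tolerate_missing_group=False reproduces the pre-fix behaviour: the first
    orphaned group assignment raises and the whole listing fails with 404.
    """
    effective = []
    for row in assignments:
        if row["target_id"] != project_id:
            continue
        if row["type"] == "UserProject":
            effective.append({"user_id": row["actor_id"], "project_id": project_id,
                              "role_id": row["role_id"], "group_id": None})
            continue
        try:
            members = identity.list_users_in_group(row["actor_id"])
        except GroupNotFound:
            if not tolerate_missing_group:
                raise  # surfaces to the API layer as HTTP 404
            members = []  # fixed behaviour: missing group contributes nothing
        for user_id in members:
            effective.append({"user_id": user_id, "project_id": project_id,
                              "role_id": row["role_id"], "group_id": row["actor_id"]})
    return effective


def pre_fix_listing_fails(assignments, identity, project_id):
    """True when the pre-fix expansion would have failed with GroupNotFound."""
    try:
        list_effective_assignments(assignments, identity, project_id,
                                   tolerate_missing_group=False)
    except GroupNotFound:
        return True
    return False


def find_orphaned_group_assignments(assignments, identity):
    """Group ids that still have assignment rows but no group in the backend.

    The fix only hides the lookup failure; the stale rows stay in the
    database, so an operator still wants to find and remove them.
    """
    orphaned, seen = [], set()
    for row in assignments:
        group_id = row["actor_id"]
        if row["type"] != "GroupProject" or group_id in seen:
            continue
        seen.add(group_id)
        try:
            identity.list_users_in_group(group_id)
        except GroupNotFound:
            orphaned.append(group_id)
    return orphaned


if __name__ == "__main__":
    for a in list_effective_assignments(ASSIGNMENTS, BACKEND, "proj1"):
        print(a)
    print("pre-fix listing fails:", pre_fix_listing_fails(ASSIGNMENTS, BACKEND, "proj1"))
    print("orphaned groups:", find_orphaned_group_assignments(ASSIGNMENTS, BACKEND))
```

With the constructed data, the tolerant expansion lists alice's direct membership plus bob and carol via fakeGroup1 and silently skips fakeGroup2, while the strict expansion fails on fakeGroup2 exactly as the bug report describes. find_orphaned_group_assignments is the operator-side check that the fix itself does not perform: the stale fakeGroup2 row remains in keystone.assignment until someone deletes it.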

prashkre (prashkre)
Changed in keystone:
assignee: nobody → prashkre (prashkre)
Revision history for this message
Matthew Edmonds (edmondsw) wrote :

I don't think include_names is needed to make this happen, if you have the fix for https://bugs.launchpad.net/keystone/+bug/1684820. But it still happens with effective even after that fix, so this is a new bug.

Changed in keystone:
status: New → Confirmed
tags: added: ldap
tags: added: ocata-backport-potential
tags: added: in-stable-ocata
tags: removed: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/468103

Changed in keystone:
status: Confirmed → In Progress
description: updated
Changed in keystone:
assignee: prashkre (prashkre) → Matthew Edmonds (edmondsw)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/468103
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d09c337619fed8664272848abb3a1351dd5e4c85
Submitter: Jenkins
Branch: master

commit d09c337619fed8664272848abb3a1351dd5e4c85
Author: prashkre <email address hidden>
Date: Thu May 25 21:41:55 2017 +0530

    Handle group NotFound in effective assignment list

    When keystone is using an external identity backend such as LDAP for
    storing users and groups, but storing role assignments in the local db,
    and a group that has role assignments is deleted out-of-band, its
    assignments will still exist in the keystone database. If, after this,
    a user attempts to list effective role assignments, keystone will try
    to lookup the group and fail with NotFound.

    This catches the NotFound exception of the list_users_in_group call and
    returns an empty user list so that the effective assignments list does
    not fail.

    Closes-Bug: 1693510
    Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/469299

Changed in keystone:
milestone: none → pike-1
importance: Undecided → Low
importance: Low → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/ocata)

Reviewed: https://review.openstack.org/469299
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2fdf89554f75c46e20e4b0ec4c373037da2cfe53
Submitter: Jenkins
Branch: stable/ocata

commit 2fdf89554f75c46e20e4b0ec4c373037da2cfe53
Author: prashkre <email address hidden>
Date: Thu May 25 21:41:55 2017 +0530

    Handle group NotFound in effective assignment list

    When keystone is using an external identity backend such as LDAP for
    storing users and groups, but storing role assignments in the local db,
    and a group that has role assignments is deleted out-of-band, its
    assignments will still exist in the keystone database. If, after this,
    a user attempts to list effective role assignments, keystone will try
    to lookup the group and fail with NotFound.

    This catches the NotFound exception of the list_users_in_group call and
    returns an empty user list so that the effective assignments list does
    not fail.

    Closes-Bug: 1693510
    Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a
    (cherry picked from commit d09c337619fed8664272848abb3a1351dd5e4c85)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0b2

This issue was fixed in the openstack/keystone 12.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.3

This issue was fixed in the openstack/keystone 11.0.3 release.
