2017-05-25 19:53:58 |
Lance Bragstad |
description |
In an environment like ldap server as identity backend, consider ldap group say "fakeGroup2" containing some users is assigned role which insert records in keystone.assignment table. After a while if an admin removes that group from identity backend, role assignment still persists in keystone.assignment table for that group.
So when someone invokes [0], in the flow [1] of getting effective role assignments, since group "fakeGroup2" doesn't exits in ldap, it is throwing "Could not find group: fakeGroup2" with 404 error which we need to handle it by displaying other role_assignments instead of NotFound error.
[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
[1]
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L923
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L839
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L467 >> here it is trying to get the users for each of the ldap group.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L128
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L449 >> since the group is removed from ldap backend, it is throwing exception.GroupNotFound. |
In an environment like ldap server as identity backend, consider ldap group say "fakeGroup2" containing some users is assigned role which insert records in keystone.assignment table. After a while if an admin removes that group from identity backend, role assignment still persists in keystone.assignment table for that group.
So when someone invokes [0], in the flow [1] of getting effective role assignments, since group "fakeGroup2" doesn't exits in ldap, it is throwing "Could not find group: fakeGroup2" with 404 error which we need to handle it by displaying other role_assignments instead of NotFound error.
[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1
[1]
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L923
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L839
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L467 >> here it is trying to get the users for each of the ldap group.
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L128
https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L449 >> since the group is removed from ldap backend, it is throwing exception.GroupNotFound. |
|