Reviewed:  https://review.openstack.org/468103
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d09c337619fed8664272848abb3a1351dd5e4c85
Submitter: Jenkins
Branch:    master

commit d09c337619fed8664272848abb3a1351dd5e4c85
Author: prashkre <[email protected]>
Date:   Thu May 25 21:41:55 2017 +0530

    Handle group NotFound in effective assignment list

    When keystone is using an external identity backend such as LDAP for
    storing users and groups, but storing role assignments in the local
    db, and a group that has role assignments is deleted out-of-band, its
    assignments will still exist in the keystone database. If, after
    this, a user attempts to list effective role assignments, keystone
    will try to look up the group and fail with NotFound.

    This catches the NotFound exception of the list_users_in_group call
    and returns an empty user list so that the effective assignments list
    does not fail.

    Closes-Bug: 1693510
    Change-Id: Ie5f69b150d59287bd0bc68f1ce9eecfeab04c91a

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1693510

Title:
  GET /v3/role_assignments?effective&include_names API is blocked with
  404 error when a group doesn't exists in identity backend

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  In an environment with an ldap server as identity backend, consider an
  ldap group, say "fakeGroup2", containing some users, that is assigned a
  role, which inserts records in the keystone.assignment table. After a
  while, if an admin removes that group from the identity backend, the
  role assignment still persists in the keystone.assignment table for
  that group.

  So when someone invokes [0], in the flow [1] of getting effective role
  assignments, since group "fakeGroup2" doesn't exist in ldap, it is
  throwing "Could not find group: fakeGroup2" with a 404 error, which we
  need to handle by displaying the other role_assignments instead of a
  NotFound error.

  [0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1

  [1] https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L923
      https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L839
      https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/assignment/core.py#L467
      >> here it is trying to get the users for each of the ldap groups.
      https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L128
      https://github.com/openstack/keystone/blob/c3ca06ff47cced16ea9de3d6ef1a6c583bb3cf38/keystone/identity/backends/ldap/core.py#L449
      >> since the group is removed from the ldap backend, it is throwing exception.GroupNotFound.
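
The failure and the fix described in this notification, as an added example that is not keystone's own code: a small model of expanding group role assignments into per-user rows when one group has been deleted from the identity backend out-of-band. The class and function names (FakeIdentityBackend, effective_assignments, orphaned_group_ids, tolerate_missing) and the sample data are assumptions made for illustration; only list_users_in_group, GroupNotFound, "fakeGroup2" and "proj1" come from the report.

```python
import logging
LOG = logging.getLogger(__name__)

class GroupNotFound(Exception):
    """Local stand-in for the GroupNotFound error named in the bug."""

class FakeIdentityBackend:
    """Constructed stand-in for an external, LDAP-like identity backend."""
    def __init__(self, groups):
        self._groups = groups  # group id -> list of member user ids

    def list_users_in_group(self, group_id):
        if group_id not in self._groups:
            raise GroupNotFound("Could not find group: %s" % group_id)
        return [{"id": uid} for uid in self._groups[group_id]]

def effective_assignments(assignments, identity, tolerate_missing=True):
    """Expand group assignments into per-user rows (hypothetical helper)."""
    effective = []
    for ref in assignments:
        if "group_id" not in ref:
            effective.append(dict(ref))
            continue
        try:
            users = identity.list_users_in_group(ref["group_id"])
        except GroupNotFound:
            if not tolerate_missing:
                raise  # behaviour before the fix: the whole listing fails
            LOG.warning("group %s has assignments but no longer exists", ref["group_id"])
            users = []  # behaviour after the fix: no members, keep going
        effective.extend({"user_id": u["id"], "role_id": ref["role_id"],
                          "project_id": ref["project_id"]} for u in users)
    return effective

def orphaned_group_ids(assignments, identity):
    """Group ids that still hold assignments but cannot be resolved."""
    orphaned = set()
    for ref in assignments:
        if "group_id" in ref:
            try:
                identity.list_users_in_group(ref["group_id"])
            except GroupNotFound:
                orphaned.add(ref["group_id"])
    return sorted(orphaned)

# Constructed data: fakeGroup2 was removed from the backend, its row remains.
IDENTITY = FakeIdentityBackend({"fakeGroup1": ["alice", "bob"]})
ASSIGNMENTS = [
    {"user_id": "carol", "role_id": "admin", "project_id": "proj1"},
    {"group_id": "fakeGroup1", "role_id": "member", "project_id": "proj1"},
    {"group_id": "fakeGroup2", "role_id": "member", "project_id": "proj1"},
]
```

orphaned_group_ids goes one step beyond the fix: it reports the groups whose assignment rows are still stored, so the stale rows can be reviewed rather than only skipped.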

