Bug 1345838

Summary: Create user with wrong written default domain-id breaks v2 user list action
Product: Red Hat OpenStack
Reporter: Martin Schuppert <mschuppe>
Component: openstack-keystone
Assignee: John Dennis <jdennis>
Status: CLOSED CURRENTRELEASE
QA Contact: nlevinki <nlevinki>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.0 (Liberty)
CC: jdennis, nkinder, srevivo
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-10-10 17:36:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Schuppert 2016-06-13 09:51:05 UTC
Description of problem:
When creating a user through an API call, the domain is not verified, and it is possible to create a user e.g. in the Default or DEfauLT domain instead of the id default.

This breaks the user list action using the keystone v2 endpoint:
[root@localhost ~(keystone_admin)]# keystone user-list
Invalid OpenStack Identity credentials.

[root@localhost ~(keystone_admin)]# openstack user list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-1d93f78b-049b-4908-9bf0-d495871b51b0)

The above output is confusing since other actions like get token still work.
[root@localhost ~(keystone_admin)]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-06-13T10:40:02Z             |
| id         | 1e113da98ddf4ac79cbe8da2183a3b7b |
| project_id | 211a8c1d7eaa4918a2bd5f2b6d7199ac |
| user_id    | bdbad07480b7464badedbd088b90d5f5 |
+------------+----------------------------------+

Also, user list using v3 works:
[root@localhost ~(keystone_admin_v3)]# openstack user list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 1c1a6d94fd40444aa63c8d519f975837 | nova       |
| 3dc48adb127d4943bd6ebb4b8c41f589 | ceilometer |
| 448f9bfc33dc443e9ec2d18cd16af9f7 | newuser2   |
| 7782f6b519cc48408607fad38d576b4c | neutron    |
| 8b7eefaa2c6640f9a2ea112e6c70b9b1 | cinder     |
| bdbad07480b7464badedbd088b90d5f5 | admin      |
| c02020869fa74c7d86f8ed4dbc4e4568 | swift      |
| c37b97f3450e4244bf4270f344ff1535 | glance     |
| e09b96be98004999990c92c7aadaadea | newuser    |
+----------------------------------+------------+

Version-Release number of selected component (if applicable):
OSP7, OSP8

How reproducible:
always

Steps to Reproduce:
1. get token
$ export OS_TOKEN=`curl -si   -H "Content-Type: application/json"   -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "admin", "domain": { "id": "default" }, "password": "6e37dc4d28444c3a" }}}, "scope": { "project": { "name": "admin", "domain": { "id": "default" }}}}}' http://localhost:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}' | tr -d '\r'`

2. create user
$ curl -s  -H "X-Auth-Token: $OS_TOKEN"  -H "Content-Type: application/json"  -d '{"user": {"name": "newuser", "password": "changeme", "domain_id": "DEfauLT"}}'  http://localhost:5000/v3/users | python -mjson.tool
{
    "user": {
        "domain_id": "DEfauLT",
        "enabled": true,
        "id": "6553a3cd71794157bef20bc82c98e2b8",
        "links": {
            "self": "http://localhost:5000/v3/users/6553a3cd71794157bef20bc82c98e2b8"
        },
        "name": "newuser"
    }
}

3. source keystone v2 user rc file and query users
[root@localhost ~(keystone_admin)]# keystone user-list
Invalid OpenStack Identity credentials.

[root@localhost ~(keystone_admin)]# openstack user list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-1d93f78b-049b-4908-9bf0-d495871b51b0)

Actual results:
user list action is broken 

Expected results:
The domain gets verified on user create and the wrong spelling is corrected.

Additional info:
We can still create a user with a wrongly written domain id in OSP9, but from a really quick test it does not break the above action. It seems the DB schema also changed.
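A quick way to find the users this report leaves behind, together with the strict check the reporter expects on create, as an added example in Python (not keystone's code and not the reporter's): it scans domain and user records for a domain_id that is not an exact domain id, flagging case variants such as DEfauLT separately from ids that match no domain at all. The records are constructed inline to mirror the v3 listing above; the column names "ID", "Name" and "Domain" are an assumption about what `openstack domain list -f json` and `openstack user list --long -f json` print on your client version, and the second domain id, the per-user domain_id values and the "orphan" user are assumptions as well.

```python
"""Audit users whose domain_id is not an exact domain id.

Added example, not keystone's or the reporter's code.  Input records are
constructed inline; the column names are an assumption about what
`openstack domain list -f json` and `openstack user list --long -f json`
print and may differ by client version.
"""
import json

# Constructed sample data.  'default' is the real id of the default domain;
# the second domain id, the per-user domain_id values and the 'orphan' user
# are assumptions for this example.
DOMAINS_JSON = json.dumps([
    {"ID": "default", "Name": "Default", "Enabled": True},
    {"ID": "8a1f5c3e9d7b4e2fa6c0d4b8e1f2a3c5", "Name": "ldap_users", "Enabled": True},
])

USERS_JSON = json.dumps([
    {"ID": "bdbad07480b7464badedbd088b90d5f5", "Name": "admin", "Domain": "default"},
    {"ID": "448f9bfc33dc443e9ec2d18cd16af9f7", "Name": "newuser2", "Domain": "DEfauLT"},
    {"ID": "e09b96be98004999990c92c7aadaadea", "Name": "newuser", "Domain": "Default"},
    {"ID": "1c1a6d94fd40444aa63c8d519f975837", "Name": "nova", "Domain": "default"},
    {"ID": "0f3e2d1c4b5a69788796a5b4c3d2e1f0", "Name": "orphan", "Domain": "no-such-domain"},
])


class DomainMismatch(ValueError):
    """Raised when a domain_id does not exactly match a known domain id."""


def classify(domain_id, domain_ids):
    """Return None for an exact match, otherwise a short reason string.

    A case-only difference is reported separately because that is exactly
    what a case-insensitive lookup (the bug described here) wrongly accepts.
    """
    if domain_id in domain_ids:
        return None
    for real in sorted(domain_ids):
        if real.lower() == domain_id.lower():
            return "case-variant of '%s'" % real
    return "no such domain"


def validate_domain_id(domain_id, domain_ids):
    """Strict form of the check create_user should make: exact match, or a
    not-found error instead of silently normalizing the value."""
    reason = classify(domain_id, domain_ids)
    if reason is not None:
        raise DomainMismatch("Could not find domain: %s (%s)" % (domain_id, reason))
    return domain_id


def audit_users(domains_json, users_json):
    """Return one finding per user whose domain_id is not an exact domain id."""
    domain_ids = set(d["ID"] for d in json.loads(domains_json))
    findings = []
    for user in json.loads(users_json):
        reason = classify(user["Domain"], domain_ids)
        if reason is not None:
            findings.append({
                "id": user["ID"],
                "name": user["Name"],
                "domain_id": user["Domain"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_users(DOMAINS_JSON, USERS_JSON):
        print("%(id)s  %(name)-10s domain_id=%(domain_id)-16s %(reason)s" % finding)
```

To run it against a real deployment, replace the two constants with the JSON the two openstack commands write. A "case-variant" finding is the kind of row this report shows breaking the v2 user list; a "no such domain" finding is a user that belongs to no domain at all and needs a separate look.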

Comment 1 Martin Schuppert 2016-06-13 09:54:09 UTC
The patch below could validate the domain during the create_user call so that the correct ID is stored in the DB:

# diff -u /usr/lib/python2.7/site-packages/keystone/identity/core.py /usr/lib/python2.7/site-packages/keystone/identity/core.py.new 
--- /usr/lib/python2.7/site-packages/keystone/identity/core.py  2016-06-13 04:28:21.231444614 -0400
+++ /usr/lib/python2.7/site-packages/keystone/identity/core.py.new      2016-06-13 04:28:15.067355905 -0400
@@ -823,12 +823,13 @@
         user['name'] = clean.user_name(user['name'])
         user.setdefault('enabled', True)
         user['enabled'] = clean.user_enabled(user['enabled'])
-        domain_id = user['domain_id']
-        self.resource_api.get_domain(domain_id)
 
-        # For creating a user, the domain is in the object itself
-        domain_id = user_ref['domain_id']
-        driver = self._select_identity_driver(domain_id)
+        # cleanup difference between domain_id provided and what is in DB
+        # to not break v2 when default is written in upper/lower case
+        user['domain_id'] = self.resource_api.get_domain(
+                                                 user_ref['domain_id'])['id']
+
+        driver = self._select_identity_driver(user['domain_id'])
         user = self._clear_domain_id_if_domain_unaware(driver, user)
         # Generate a local ID - in the future this might become a function of
         # the underlying driver so that it could conform to rules set down by
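Review bot: The new line `user['domain_id'] = self.resource_api.get_domain(user_ref['domain_id'])['id']` silently rewrites a domain_id that matches no domain id exactly, and get_domain() is the lookup that let "DEfauLT" through in the first place; compare the caller's value with the returned `['id']` and raise the not-found error on mismatch instead, which is the behaviour Comment 3 confirms in master ("Could not find domain: DEfauLT"). Two smaller points: the removed lines validated `user['domain_id']` while the new line reads `user_ref['domain_id']`, so the check should use whichever dict the driver actually receives; and old lines 835-836 sit between this hunk and the next, so confirm nothing there still references the removed local `domain_id`.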
@@ -837,7 +838,7 @@
         ref = driver.create_user(user['id'], user)
         notifications.Audit.created(self._USER, user['id'], initiator)
         return self._set_domain_id_and_mapping(
-            ref, domain_id, driver, mapping.EntityType.USER)
+            ref, user['domain_id'], driver, mapping.EntityType.USER)
 
     @domains_configured
     @exception_translated('user')
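Review bot: `user['domain_id']` on the changed line can raise KeyError for a domain-unaware driver: `user` was passed through `_clear_domain_id_if_domain_unaware(driver, user)` just before `driver.create_user`, and by its name that helper strips `domain_id` from the dict. The original code avoided this by capturing the value in the local `domain_id` before that call; keep a local (e.g. `domain_id = user['domain_id']` taken right after the `get_domain()` normalization) and pass it to `_set_domain_id_and_mapping` instead of re-reading the dict.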

Side note missed in the description: the user create action using the keystone client validates the domain. This is only seen when using direct API calls.

Comment 2 Martin Schuppert 2016-07-13 06:49:13 UTC
Got a fix merged upstream in master at https://review.openstack.org/#/c/331567/

Comment 3 Adam Young 2016-09-30 01:48:36 UTC
Confirmed that this has been fixed in master (OSP 10):

{"error": {"message": "Could not find domain: DEfauLT", "code": 404, "title": "Not Found"}}
[stack@undercloud ~]$


Submitting patch for Upstream releases that correspond to OSP 8 and 9

Comment 6 Nathan Kinder 2017-10-10 17:36:47 UTC
This was fixed in openstack-keystone-9.3.0-1.el7ost.src.rpm, which was released as a part of the following errata:

  https://access.redhat.com/errata/RHSA-2017:1461