Public bug reported:

In an environment like an LDAP server as the identity backend, consider an LDAP group, say "fakeGroup2", containing some users, that is assigned a role, which inserts records in the keystone.assignment table. After a while, if an admin removes that group from the identity backend, the role assignment still persists in the keystone.assignment table for that group.

So when someone invokes [0], in the flow [1] of getting effective role assignments, since group "fakeGroup2" doesn't exist in LDAP, it throws "Could not find group: fakeGroup2" with a 404 error, which we need to handle by displaying the other role_assignments instead of a NotFound error.

[0] GET /v3/role_assignments?effective&include_names&scope.project.id=proj1

[1] https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L923
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L839
https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L467
>> here it is trying to get the users for each of the LDAP groups.
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L128
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L449
>> since the group is removed from the LDAP backend, it is throwing exception.GroupNotFound.

** Affects: keystone
   Importance: Undecided
   Assignee: prashkre (prashkre)
   Status: New

https://bugs.launchpad.net/bugs/1693510

Title:
  GET /v3/role_assignments?effective&include_names API is blocked with 404 error when a group doesn't exists in identity backend

Status in OpenStack Identity (keystone):
  New
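
The behaviour the report asks for, sketched as an added example (not part of the original report and not keystone's code): group rows are expanded into per-user rows, and a row whose group is gone from the identity backend is skipped and returned separately instead of failing the whole listing. All names (`list_users_in_group`, `effective_assignments`, the `strict` flag) and the sample data are hypothetical and constructed for illustration.

```python
import logging

log = logging.getLogger("effective_assignments")

class GroupNotFound(Exception):
    """Stand-in for the backend's 'Could not find group' error."""

# Constructed sample data: the identity backend knows only group "devs";
# "fakeGroup2" was deleted there but still has a row in the assignment table.
BACKEND_GROUPS = {"devs": ["alice", "bob"]}
ASSIGNMENTS = [
    {"user_id": "carol", "role_id": "admin", "project_id": "proj1"},
    {"group_id": "devs", "role_id": "member", "project_id": "proj1"},
    {"group_id": "fakeGroup2", "role_id": "member", "project_id": "proj1"},
]

def list_users_in_group(group_id):
    """Hypothetical identity-backend lookup; raises when the group is gone."""
    try:
        return BACKEND_GROUPS[group_id]
    except KeyError:
        raise GroupNotFound("Could not find group: %s" % group_id)

def effective_assignments(assignments, strict=False):
    """Expand group rows into per-user rows.

    strict=True reproduces the report (one missing group aborts the listing);
    strict=False skips the dangling row, logs it and returns it for cleanup.
    """
    effective, dangling = [], []
    for row in assignments:
        if "group_id" not in row:
            effective.append(dict(row))
            continue
        try:
            members = list_users_in_group(row["group_id"])
        except GroupNotFound:
            if strict:
                raise
            log.warning("assignment references missing group %s", row["group_id"])
            dangling.append(row)
            continue
        for user_id in members:
            effective.append({"user_id": user_id, "role_id": row["role_id"],
                              "project_id": row["project_id"],
                              "via_group": row["group_id"]})
    return effective, dangling
```

The `dangling` list is the set of assignment rows that still grant a role to a group the backend no longer has, which is what an operator would review and delete.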