Public bug reported: The user_enabled_invert setting is supposed to invert the meaning of True/False for the user enabled attribute. This makes "lock" attributes useful, where "False" indicates that an account is not locked.
The invert logic expects that we have a bool type that we then invert using 'not' in this snippet of code from UserApi._ldap_res_to_model:

--------------------------------------------------------------------
        elif self.enabled_invert and not self.enabled_emulation:
            enabled = obj.get('enabled', self.enabled_default)
            obj['enabled'] = not enabled
--------------------------------------------------------------------

The problem is that we get a bool type from the default value, and a str type from LDAP. Evaluating a string with 'not' will be False for any non-empty string. This means that we will fail to invert a string of "False" that is returned from LDAP, leading to accounts being inadvertently disabled.

This code needs to handle converting a str type to bool before inverting the value.

** Affects: keystone
     Importance: Medium
     Assignee: Nathan Kinder (nkinder)
     Status: In Progress

** Tags: juno-rc-potential

** Tags added: juno-rc-candidate

** Changed in: keystone
       Status: New => In Progress

** Changed in: keystone
     Assignee: (unassigned) => Nathan Kinder (nkinder)

** Summary changed:

- user_enabled_invert does notproperly handle string values
+ user_enabled_invert does not properly handle string values

https://bugs.launchpad.net/bugs/1376053

Title:
  user_enabled_invert does not properly handle string values

Status in OpenStack Identity (Keystone):
  In Progress
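The str-versus-bool behaviour described in this report, as an added example that is not part of the original report and is not Keystone's code: `invert_naive` mirrors the reported snippet, and `invert_safe` converts the value to bool before inverting. The function names, the accepted strings (case-insensitive TRUE/FALSE) and the sample entries are assumptions constructed for illustration.

```python
# Added illustration; hypothetical helper names, not Keystone's implementation.


def invert_naive(obj, enabled_default=False):
    """Inversion as in the reported snippet: `not` applied to the raw value."""
    enabled = obj.get("enabled", enabled_default)
    return not enabled


def to_bool(value):
    """Convert an attribute value (bool, str or bytes) to a bool.

    Raises ValueError on anything unrecognised, so a misconfigured attribute
    surfaces as an error instead of silently flipping account state.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    if isinstance(value, str):
        text = value.strip().lower()
        if text == "true":
            return True
        if text == "false":
            return False
    raise ValueError("unrecognised boolean attribute value: %r" % (value,))


def invert_safe(obj, enabled_default=False):
    """Normalise to bool first, then invert."""
    return not to_bool(obj.get("enabled", enabled_default))


def compare(samples, enabled_default=False):
    """Return (raw value, naive result, safe result) for each sample entry."""
    rows = []
    for obj in samples:
        raw = obj.get("enabled", enabled_default)
        rows.append((raw, invert_naive(obj, enabled_default),
                     invert_safe(obj, enabled_default)))
    return rows


# Constructed sample entries: a lock attribute as a str, the way the report
# says LDAP returns it, plus one entry that falls back to the bool default.
SAMPLES = [{"enabled": "False"}, {"enabled": "True"}, {"enabled": "FALSE"}, {}]

if __name__ == "__main__":
    for raw, naive, safe in compare(SAMPLES):
        print("%-8r naive=%-5s safe=%s" % (raw, naive, safe))
```

With the naive inversion every string value yields False, so an unlocked account ("False") is reported as disabled; only the bool default inverts correctly.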