Public bug reported: We have a service which communicates with Keystone using python-keystoneclient. Part of our tests is to check if it's possible to add a non-existent user to project (should not be possible)
I figured out, that Keystone responds with HTTP 200, but it should never respond with this status regarding the documentation (http://developer.openstack.org/api-ref/identity/v2-ext/?expanded=grant- roles-to-user-on-tenant-detail#grant-roles-to-user-on-tenant) Keystone Client Log: DEBUG:keystoneclient.session:REQ: curl -g -i --insecure -X PUT http://127.0.0.1:35357/v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}dae012b5d2ca99a1e131a81b73204d813a569e7f" INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1 DEBUG:requests.packages.urllib3.connectionpool:"PUT /v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da HTTP/1.1" 200 89 DEBUG:keystoneclient.session:RESP: [200] Content-Length: 89 Vary: X-Auth-Token X-Distribution: Ubuntu Connection: keep-alive Date: Wed, 17 Aug 2016 07:58:59 GMT Content-Type: application/json X-Openstack-Request-Id: req-2421f330-047b-4ff4-b7f6-25e05c4caeab RESP BODY: {"role": {"domain_id": null, "id": "2ed67dc256b34dd7a541fdce54e545da", "name": "Member"} Keystone Server Log: 2016-08-17 07:58:59.710 4668 INFO keystone.common.wsgi [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] PUT http://127.0.0.1:35357/v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da 2016-08-17 07:58:59.711 4668 WARNING oslo_log.versionutils [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] Deprecated: add_role_to_user of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q. 2016-08-17 07:58:59.726 4668 INFO eventlet.wsgi.server [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] 10.0.2.2 - - [17/Aug/2016 07:58:59] "PUT /v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da HTTP/1.1" 200 331 0.018315 I had a look into the Keystone SQLite Database and found the entries with the user id "doesnotexist". sqlite3 /var/lib/keystone/keystone.db sqlite> select * from assignment; UserProject|b637d008b0e74086be5bf6636fa3f2ca|ad3471d18b2540e18ddb6afab29e5cb4|d170e6a8308a479cba94a95ca81c44d6|0 UserProject|a4865b8650424959bff41b91a01d0003|bef96294e70343eda7a329b76ee65100|2ed67dc256b34dd7a541fdce54e545da|0 UserProject|doesnotexist|bef96294e70343eda7a329b76ee65100|2ed67dc256b34dd7a541fdce54e545da|0 UserProject|a9532223c86c4d6aa6ac04453a95c7c4|70b794a5cbd1408a90b59da8cfa68cf1|2ed67dc256b34dd7a541fdce54e545da|0 UserProject|doesnotexist|70b794a5cbd1408a90b59da8cfa68cf1|2ed67dc256b34dd7a541fdce54e545da|0 Used Versions: OS: Ubuntu 16.04 Keystone: 9.0.0 python-keystoneclient: 3.4.0 ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1614069 Title: API v2.0 responds with HTTP 200 when trying to add a non-existent user to a project Status in OpenStack Identity (keystone): New Bug description: We have a service which communicates with Keystone using python-keystoneclient. Part of our tests is to check if it's possible to add a non-existent user to project (should not be possible) I figured out, that Keystone responds with HTTP 200, but it should never respond with this status regarding the documentation (http://developer.openstack.org/api-ref/identity/v2-ext/?expanded =grant-roles-to-user-on-tenant-detail#grant-roles-to-user-on-tenant) Keystone Client Log: DEBUG:keystoneclient.session:REQ: curl -g -i --insecure -X PUT http://127.0.0.1:35357/v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}dae012b5d2ca99a1e131a81b73204d813a569e7f" INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 127.0.0.1 DEBUG:requests.packages.urllib3.connectionpool:"PUT /v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da HTTP/1.1" 200 89 DEBUG:keystoneclient.session:RESP: [200] Content-Length: 89 Vary: X-Auth-Token X-Distribution: Ubuntu Connection: keep-alive Date: Wed, 17 Aug 2016 07:58:59 GMT Content-Type: application/json X-Openstack-Request-Id: req-2421f330-047b-4ff4-b7f6-25e05c4caeab RESP BODY: {"role": {"domain_id": null, "id": "2ed67dc256b34dd7a541fdce54e545da", "name": "Member"} Keystone Server Log: 2016-08-17 07:58:59.710 4668 INFO keystone.common.wsgi [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] PUT http://127.0.0.1:35357/v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da 2016-08-17 07:58:59.711 4668 WARNING oslo_log.versionutils [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] Deprecated: add_role_to_user of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q. 2016-08-17 07:58:59.726 4668 INFO eventlet.wsgi.server [req-2421f330-047b-4ff4-b7f6-25e05c4caeab - - - - -] 10.0.2.2 - - [17/Aug/2016 07:58:59] "PUT /v2.0/tenants/bef96294e70343eda7a329b76ee65100/users/doesnotexist/roles/OS-KSADM/2ed67dc256b34dd7a541fdce54e545da HTTP/1.1" 200 331 0.018315 I had a look into the Keystone SQLite Database and found the entries with the user id "doesnotexist". sqlite3 /var/lib/keystone/keystone.db sqlite> select * from assignment; UserProject|b637d008b0e74086be5bf6636fa3f2ca|ad3471d18b2540e18ddb6afab29e5cb4|d170e6a8308a479cba94a95ca81c44d6|0 UserProject|a4865b8650424959bff41b91a01d0003|bef96294e70343eda7a329b76ee65100|2ed67dc256b34dd7a541fdce54e545da|0 UserProject|doesnotexist|bef96294e70343eda7a329b76ee65100|2ed67dc256b34dd7a541fdce54e545da|0 UserProject|a9532223c86c4d6aa6ac04453a95c7c4|70b794a5cbd1408a90b59da8cfa68cf1|2ed67dc256b34dd7a541fdce54e545da|0 UserProject|doesnotexist|70b794a5cbd1408a90b59da8cfa68cf1|2ed67dc256b34dd7a541fdce54e545da|0 Used Versions: OS: Ubuntu 16.04 Keystone: 9.0.0 python-keystoneclient: 3.4.0 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1614069/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp