From 4eb8233d9c6b73cedf25ea66edaccbcd092e13aa Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Mon, 29 Apr 2013 19:19:27 -0500 Subject: LDAP list groups with missing member entry Using the LDAP identity backend, if a group member entry doesn't exist in the LDAP server anymore and the group's members are listed using GET /v3/groups/{groupId}/users, Keystone returns 404 Not Found. The server should return all the group members that do exist and ignore the missing members, and probably log a warning message about the missing user. Fixes bug 1174585 Change-Id: Idf7c8c7f87affc4a72c5fe5e18e09a0f362e2646 --- keystone/identity/backends/ldap/core.py | 13 ++++++++++-- tests/test_backend_ldap.py | 36 +++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py index faaed168..58ab3bd0 100644 --- a/keystone/identity/backends/ldap/core.py +++ b/keystone/identity/backends/ldap/core.py @@ -21,6 +21,7 @@ import ldap from keystone import clean from keystone.common import ldap as common_ldap from keystone.common.ldap import fakeldap +from keystone.common import logging from keystone.common import models from keystone.common import utils from keystone import config @@ -29,6 +30,8 @@ from keystone import identity CONF = config.CONF +LOG = logging.getLogger(__name__) + class Identity(identity.Driver): def __init__(self): @@ -922,8 +925,14 @@ class GroupApi(common_ldap.BaseLdap, ApiShimMixin): for user_dn in user_dns: if self.use_dumb_member and user_dn == self.dumb_member: continue - user_id = self.user_api._dn_to_id(user_dn) - users.append(self.user_api.get(user_id)) + try: + user_id = self.user_api._dn_to_id(user_dn) + users.append(self.user_api.get(user_id)) + except exception.UserNotFound: + LOG.debug(_("Group member '%(user_dn)s' not found in" + " '%(group_dn)s'. The user should be removed" + " from the group. The user will be ignored.") % + dict(user_dn=user_dn, group_dn=group_dn)) return users diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py index fbecab63..ef409902 100644 --- a/tests/test_backend_ldap.py +++ b/tests/test_backend_ldap.py @@ -1,6 +1,7 @@ # vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2012 OpenStack LLC +# Copyright 2013 IBM Corp. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain @@ -533,6 +534,41 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): def test_get_roles_for_user_and_domain(self): raise nose.exc.SkipTest('Blocked by bug 1101287') + def test_list_group_members_missing_entry(self): + """List group members with deleted user. + + If a group has a deleted entry for a member, the non-deleted members + are returned. + + """ + + # Create a group + group_id = None + group = dict(name=uuid.uuid4().hex) + group_id = self.identity_api.create_group(group_id, group)['id'] + + # Create a couple of users and add them to the group. + user_id = None + user = dict(name=uuid.uuid4().hex, id=uuid.uuid4().hex) + user_1_id = self.identity_api.create_user(user_id, user)['id'] + + self.identity_api.add_user_to_group(user_1_id, group_id) + + user_id = None + user = dict(name=uuid.uuid4().hex, id=uuid.uuid4().hex) + user_2_id = self.identity_api.create_user(user_id, user)['id'] + + self.identity_api.add_user_to_group(user_2_id, group_id) + + # Delete user 2. + self.identity_api.user.delete(user_2_id) + + # List group users and verify only user 1. + res = self.identity_api.list_users_in_group(group_id) + + self.assertEqual(len(res), 1, "Expected 1 entry (user_1)") + self.assertEqual(res[0]['id'], user_1_id, "Expected user 1 id") + class LDAPIdentityEnabledEmulation(LDAPIdentity): def setUp(self): -- cgit