[Bug 1844616] Re: federated user creation creates duplicates of existing user accounts

Ruben Simons 1844616 at bugs.launchpad.net
Fri Jan 31 12:39:44 UTC 2025


This is also affecting us; we are trying to migrate from LDAP to an OAuth
provider with the same user set.

We are using the following Python script to test the migration:

```
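# conn (used openstacksdk-style) and keystone_client (used like a
# python-keystoneclient v3 client) are assumed to be created elsewhere.
def create_user(clone_user: User, domain_id, idp_id):
    # Role assignments of the existing user that is being cloned
    role_assignments = list(conn.identity.role_assignments(user_id=clone_user.id))
    new_user = keystone_client.users.create(
        name=clone_user.name,  # plain string; {clone_user.name} would build a set
        domain=domain_id,
        email=clone_user.email,
        enabled=True,
        # Federated identity linking the new user to the IdP/protocol pair
        federated=[{
            "idp_id": idp_id,
            "protocols": [{
                "protocol_id": "openid", "unique_id": clone_user.name
            }]
        }]
    )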
```

After user creation we get the issue that "More than one user exists
with the name '<username>'" when doing an
`openstack user show --domain <domain> <username>`. Did not find a
workaround yet.

https://bugs.launchpad.net/bugs/1844616

Title:
  federated user creation creates duplicates of existing user accounts

Status in OpenStack Identity (keystone):
  New
Status in keystone package in Ubuntu:
  New

Bug description:
  Keystone 15.0.0-0ubuntu1~cloud0
  DISTRIB_CODENAME=bionic
  Charm cs:keystone-306 keystone-saml-mellon-3

  We had a situation where two user accounts were found with the same
  name and user ID in both the local_user and federated_user table.
  This meant that running `openstack user show --domain mydomain
  username2` would fail with "More than one user exists with the name
  'username2'".  Listing users would show only one user account, and
  using the user uuid to 'user show' was working fine.

  I ended up removing the two rows from local_user to work around this.

  The bug, however, is that federated users with the same name as one
  that was already located in local_user shouldn't be created like that.

  mysql> select * from local_user;
  +-----+----------------------------------+----------------------------------+-------------------------------+-------------------+----------------+
  | id  | user_id                          | domain_id                        | name                          | failed_auth_count | failed_auth_at |
  +-----+----------------------------------+----------------------------------+-------------------------------+-------------------+----------------+
  |   3 | 1e0099400dd34adeba2ed6751064227a | 87fb238ef6d0430cbda59b08e3a1ea82 | admin                         |                 0 | NULL           |
  |   6 | 8840d047cca346e6a00e435306f72ffc | a1effaa626284677ade0fbe3e85c59bd | cinderv2_cinderv3             |                 0 | NULL           |
  |   9 | d71b70de0cdd4beba2e5f1d3842c93b1 | fa58dfa26889413e85b4855837952b74 | cinderv2_cinderv3             |                 0 | NULL           |
  |  12 | d0750dcc890543918fe043eb5782e0ed | a1effaa626284677ade0fbe3e85c59bd | gnocchi                       |                 0 | NULL           |
  |  15 | c870e8dc427841c08fbba94b824f5765 | fa58dfa26889413e85b4855837952b74 | gnocchi                       |                 0 | NULL           |
  |  18 | 964d6a7b3d8d4a49ac2ef2accd5350d3 | a1effaa626284677ade0fbe3e85c59bd | neutron                       |                 0 | NULL           |
  |  21 | e1e77e91a9ed4dde8230d80b752d4f5c | fa58dfa26889413e85b4855837952b74 | neutron                       |                 0 | NULL           |
  |  24 | d090c19794dd4f27b08deab6713bd4ac | a1effaa626284677ade0fbe3e85c59bd | nova_placement                |                 0 | NULL           |
  |  27 | 9fbb011ce1fc495ebf716d5cb56cd007 | fa58dfa26889413e85b4855837952b74 | nova_placement                |                 0 | NULL           |
  |  30 | 1bad96de0fcd41a3b30d2c4e4ad9bb05 | a1effaa626284677ade0fbe3e85c59bd | octavia                       |                 0 | NULL           |
  |  33 | f4da2edc5e8f461b8d71eee67eabe4c2 | fa58dfa26889413e85b4855837952b74 | octavia                       |                 0 | NULL           |
  |  36 | a4d97a3a5a6644eb92848b9ea40ba71f | a1effaa626284677ade0fbe3e85c59bd | barbican                      |                 0 | NULL           |
  |  39 | 4d827a03abb24855b6cc37602fe346a5 | fa58dfa26889413e85b4855837952b74 | barbican                      |                 0 | NULL           |
  |  42 | 63b4389e35e446199b4e6a57a789e89c | a1effaa626284677ade0fbe3e85c59bd | aodh                          |                 0 | NULL           |
  |  45 | 3222d274dd0347a080b5371a348356b3 | fa58dfa26889413e85b4855837952b74 | aodh                          |                 0 | NULL           |
  |  48 | 957f4a409dec46c6b44f38a80949f7d1 | a1effaa626284677ade0fbe3e85c59bd | swift                         |                 0 | NULL           |
  |  51 | 8a89ed1cd1984814b544070295a2854f | fa58dfa26889413e85b4855837952b74 | swift                         |                 0 | NULL           |
  |  54 | 1ee61ad58f0948eab3c43fdf95790dcd | a1effaa626284677ade0fbe3e85c59bd | designate                     |                 0 | NULL           |
  |  57 | 32475aeb4dc0469080581f9acc9f7905 | fa58dfa26889413e85b4855837952b74 | designate                     |                 0 | NULL           |
  |  60 | 79b9411206524f00b0d05d3112a03840 | a1effaa626284677ade0fbe3e85c59bd | glance                        |                 0 | NULL           |
  |  63 | 35257eb811d84e0091381e74d4fbca21 | fa58dfa26889413e85b4855837952b74 | glance                        |                 0 | NULL           |
  |  66 | d07d3c3c619c4478b196bb81b8a4ced5 | a1effaa626284677ade0fbe3e85c59bd | heat_heat-cfn                 |                 0 | NULL           |
  |  69 | 5f35abc07a2141d1aad22c3beb59c802 | fa58dfa26889413e85b4855837952b74 | heat_heat-cfn                 |                 0 | NULL           |
  |  72 | 6a615b68427a480a98cca6807ba2388d | fa58dfa26889413e85b4855837952b74 | nagios                        |                 0 | NULL           |
  |  75 | 82762b9e71b0423888833e3a13df80ff | fa58dfa26889413e85b4855837952b74 | prometheus-openstack-exporter |                 0 | NULL           |
  |  78 | 0f04dc8d78e045c0915cf9a08a53aa96 | fa58dfa26889413e85b4855837952b74 | ceilometer                    |                 0 | NULL           |
  |  81 | d3b07f907b454f7294bbf168c28c38aa | 12ba878696e54f7c91a2ef9001d93e99 | heat_domain_admin             |                 0 | NULL           |
  |  84 | e367233542454164ac8b90dc1722d9f2 | 87fb238ef6d0430cbda59b08e3a1ea82 | cloudadmin                    |                 0 | NULL           |
  | 141 | 77e255c3967c400a8a8d7de55338d09b | 6d4704c1a6164c70a4763ac886bcf228 | landscape                     |              NULL | NULL           |
  | 165 | 713a08bae9dc4640ace34da1cffb2b77 | 6d4704c1a6164c70a4763ac886bcf228 | domainadmin                   |                 0 | NULL           |
  | 168 | e17783fa996a4ff9b4563c9d69360c86 | 6d4704c1a6164c70a4763ac886bcf228 | username1                     |                 0 | NULL           |
  | 171 | f110007ded3548efaf46e89146951524 | 6d4704c1a6164c70a4763ac886bcf228 | username2                     |                 0 | NULL           |
  | 175 | af7dd6f186a3407f9f200bc40c51eeb6 | 6d4704c1a6164c70a4763ac886bcf228 | demouser                      |                 0 | NULL           |
  +-----+----------------------------------+----------------------------------+-------------------------------+-------------------+----------------+

  mysql> select * from federated_user;

  +----+----------------------------------+-----------+-------------+-------------------------------+-----------------------------+
  | id | user_id                          | idp_id    | protocol_id | unique_id                     | display_name                |
  +----+----------------------------------+-----------+-------------+-------------------------------+-----------------------------+
  |  3 | e17783fa996a4ff9b4563c9d69360c86 | fs-domain | mapped      | username1                     | username1                   |
  |  6 | af0c5dd0f10b46d89189a5b004829d11 | fs-domain | mapped      | username3                     | username3                   |
  | 51 | f110007ded3548efaf46e89146951524 | fs-domain | mapped      | username2                     | username2                   |
  | 52 | abdbfae630834c0a92385620a283760d | fs-domain | mapped      | username4                     | username4                   |
  +----+----------------------------------+-----------+-------------+-------------------------------+-----------------------------+
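
An added example, not part of the original report or of keystone: a check for the condition described above, accounts whose user_id has a row in both local_user and federated_user. It runs against an in-memory SQLite copy built from a few rows of the tables above (constructed sample, reduced to the columns the check needs); the function names are hypothetical.

```python
import sqlite3

# Constructed sample: rows taken from the two tables in the report,
# reduced to (user_id, domain_id, name) and the federated identity columns.
LOCAL_USER = [
    ("77e255c3967c400a8a8d7de55338d09b", "6d4704c1a6164c70a4763ac886bcf228", "landscape"),
    ("e17783fa996a4ff9b4563c9d69360c86", "6d4704c1a6164c70a4763ac886bcf228", "username1"),
    ("f110007ded3548efaf46e89146951524", "6d4704c1a6164c70a4763ac886bcf228", "username2"),
    ("af7dd6f186a3407f9f200bc40c51eeb6", "6d4704c1a6164c70a4763ac886bcf228", "demouser"),
]
FEDERATED_USER = [
    ("e17783fa996a4ff9b4563c9d69360c86", "fs-domain", "mapped", "username1", "username1"),
    ("af0c5dd0f10b46d89189a5b004829d11", "fs-domain", "mapped", "username3", "username3"),
    ("f110007ded3548efaf46e89146951524", "fs-domain", "mapped", "username2", "username2"),
    ("abdbfae630834c0a92385620a283760d", "fs-domain", "mapped", "username4", "username4"),
]

# A user_id that joins across both tables has a local and a federated identity.
OVERLAP_SQL = """
SELECT l.user_id, l.domain_id, l.name, f.idp_id, f.protocol_id, f.unique_id
FROM local_user AS l
JOIN federated_user AS f ON f.user_id = l.user_id
ORDER BY l.name
"""
FIELDS = ("user_id", "domain_id", "name", "idp_id", "protocol_id", "unique_id")


def sample_db():
    """Build the in-memory sample database (constructed data, see above)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE local_user (user_id TEXT, domain_id TEXT, name TEXT)")
    db.execute("CREATE TABLE federated_user (user_id TEXT, idp_id TEXT, "
               "protocol_id TEXT, unique_id TEXT, display_name TEXT)")
    db.executemany("INSERT INTO local_user VALUES (?, ?, ?)", LOCAL_USER)
    db.executemany("INSERT INTO federated_user VALUES (?, ?, ?, ?, ?)", FEDERATED_USER)
    return db


def find_dual_identity_users(db):
    """Return one dict per user that is present in both identity tables."""
    return [dict(zip(FIELDS, row)) for row in db.execute(OVERLAP_SQL)]


if __name__ == "__main__":
    for hit in find_dual_identity_users(sample_db()):
        print(f"{hit['name']}: {hit['user_id']} is local and federated "
              f"({hit['idp_id']}/{hit['protocol_id']})")
```
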
