File: api_Remove_constraints_on_user_IDs.patch

Author: Stephen Finucane <stephenfin@redhat.com>
Date: Thu, 29 May 2025 14:14:51 +0100
Subject: api: Remove constraints on user IDs
 Per the comment added inline, this is not valid when LDAP is in use.
Change-Id: Idcc0bdf7d0e73fa608ebf6b32d6e016c7b9a8997
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Bug: https://launchpad.net/bugs/2112112
Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/951282
Last-Update: 2025-05-20

Index: keystone/keystone/api/validation/parameter_types.py
===================================================================
--- keystone.orig/keystone/api/validation/parameter_types.py
+++ keystone/keystone/api/validation/parameter_types.py
@@ -56,6 +56,16 @@ description: dict[str, Any] = {
     "description": "The resource description.",
 }
 
+# User IDs can come from LDAP and LDAP has no constraints on length or format.
+# Therefore we have no minLength, maxLength, or pattern here. Note that this
+# only applies to read-operations (the LDAP backend is read-only) and write
+# operations that hit the database *can* impose these constraints, but we
+# (thankfully!) don't let people set their own IDs anyway so...
+user_id: dict[str, Any] = {
+    "type": "string",
+    "description": "The ID of the user.",
+}
+
 domain_id: dict[str, Any] = {
     "type": "string",
     "minLength": 1,
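Review bot: The new `user_id` type accepts the empty string, because `minLength` is dropped together with the length and pattern constraints; a query such as `?user.id=` now passes schema validation and reaches the backend as a filter value. Unless an empty ID is meaningful for some backend, keeping `"minLength": 1` costs nothing for LDAP-sourced IDs and still rejects an obviously malformed value. It would also help readers of the callers if the comment said explicitly that the schema places no upper bound on the value, e.g. `# No maxLength either: callers must treat the value as an opaque, unbounded string.`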
Index: keystone/keystone/assignment/schema.py
===================================================================
--- keystone.orig/keystone/assignment/schema.py
+++ keystone/keystone/assignment/schema.py
@@ -311,7 +311,7 @@ role_assignment_schema: dict[str, Any] =
                     "required": ["id"],
                     "additionalProperties": False,
                 },
-                "id": parameter_types.id_string,
+                "id": parameter_types.user_id,
                 "name": parameter_types.name,
             },
             "required": ["id"],
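Review bot: In `role_assignment_schema` and, in the next hunk, `role_assignments_index_request_query`, the user ID is now an unconstrained string while the neighbouring `scope.domain.id` and `scope.project.id` keep their `domain_id`/`project_id` constraints; without a note the asymmetry looks like an oversight and invites a later "fix". A one-line comment at the `"user.id"` query parameter would prevent that, e.g. `# user IDs may originate from LDAP; see parameter_types.user_id`. If this query schema also filters by group ID, group IDs can presumably come from the same LDAP backend and need the same treatment — worth checking beyond the hunk. Both dicts start before and continue after their hunks.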
@@ -360,7 +360,7 @@ role_assignments_index_request_query: di
         "scope.system": {},
         "scope.domain.id": parameter_types.domain_id,
         "scope.project.id": parameter_types.project_id,
-        "user.id": parameter_types.id_string,
+        "user.id": parameter_types.user_id,
         # NOTE(0weng): `scope.OS-INHERIT:inherited_to` accepts anything,
         # but it will only show inherited role assignments if its value is
         # `projects`; otherwise, only non-inherited role assignments are shown.
Index: keystone/keystone/identity/schema.py
===================================================================
--- keystone.orig/keystone/identity/schema.py
+++ keystone/keystone/identity/schema.py
@@ -85,7 +85,7 @@ user_index_request_query: dict[str, Any]
 }
 
 _user_properties: dict[str, Any] = {
-    'id': {"type": "string", "description": "The user ID.", "readOnly": True},
+    'id': parameter_types.user_id,
     'default_project_id': validation.nullable(parameter_types.id_string),
     'description': validation.nullable(parameter_types.description),
     'domain_id': parameter_types.id_string,
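Review bot: The substitution on the `'id'` line silently drops the `"readOnly": True` annotation the old literal carried, which the commit message does not mention. jsonschema validation ignores `readOnly`, but if `_user_properties` is also used to generate API documentation or a response schema the marker is meaningful, and the replacement should preserve it: `'id': {**parameter_types.user_id, "readOnly": True},`. The `_user_properties` dict continues past the end of the hunk.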