api: Remove constraints on user IDs

Per the comment added inline, this is not valid when LDAP is in use. Change-Id: Idcc0bdf7d0e73fa608ebf6b32d6e016c7b9a8997 Signed-off-by: Stephen Finucane <stephenfin@redhat.com> Closes-bug: #2112112
2025-05-29 14:14:51 +01:00
parent 9f47af17e1
commit 7830e89dfb
3 changed files with 13 additions and 3 deletions
--- a/keystone/api/validation/parameter_types.py
+++ b/keystone/api/validation/parameter_types.py
@@ -56,6 +56,16 @@ description: dict[str, Any] = {
    "description": "The resource description.",
 }

+# User IDs can come from LDAP and LDAP has no constraints on length or format.
+# Therefore we have no minLength, maxLength, or pattern here. Note that this
+# only applies to read-operations (the LDAP backend is read-only) and write
+# operations that hit the database *can* impose these constraints, but we
+# (thankfully!) don't let people set their own IDs anyway so...
+user_id: dict[str, Any] = {
+    "type": "string",
+    "description": "The ID of the user.",
+}
+
 domain_id: dict[str, Any] = {
    "type": "string",
    "minLength": 1,
--- a/keystone/assignment/schema.py
+++ b/keystone/assignment/schema.py
@@ -313,7 +313,7 @@ role_assignment_schema: dict[str, Any] = {
                    "required": ["id"],
                    "additionalProperties": False,
                },
-                "id": parameter_types.id_string,
+                "id": parameter_types.user_id,
                "name": parameter_types.name,
            },
            "required": ["id"],
@@ -362,7 +362,7 @@ role_assignments_index_request_query: dict[str, Any] = {
        "scope.system": {},
        "scope.domain.id": parameter_types.domain_id,
        "scope.project.id": parameter_types.project_id,
-        "user.id": parameter_types.id_string,
+        "user.id": parameter_types.user_id,
        # NOTE(0weng): `scope.OS-INHERIT:inherited_to` accepts anything,
        # but it will only show inherited role assignments if its value is
        # `projects`; otherwise, only non-inherited role assignments are shown.
--- a/keystone/identity/schema.py
+++ b/keystone/identity/schema.py
@@ -87,7 +87,7 @@ user_index_request_query: dict[str, Any] = {
 }

 _user_properties: dict[str, Any] = {
-    'id': {"type": "string", "description": "The user ID.", "readOnly": True},
+    'id': parameter_types.user_id,
    'default_project_id': validation.nullable(parameter_types.id_string),
    'description': validation.nullable(parameter_types.description),
    'domain_id': parameter_types.id_string,