clearing default project_id from users using wrong driver implementation

Bug #1705072 reported by Matthew Edmonds
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad
Milestone:

Bug Description

https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8#diff-271e091a68fb7b6526431423e4efe6e5 attempts to clear the default project_id for users if/when the project to which that ID belongs is deleted. However it only calls the identity driver for a single backend (the default driver from /etc/keystone/keystone.conf) instead of doing this for all backends like it should. In a multiple-backend environment, this will mean that only users in the backend using the default driver configuration will have their default project_id field cleaned up. Any users in a different backend that were using that project_id as their default would not have that appropriately cleaned up.

Tags: office-hours
Revision history for this message
Matthew Edmonds (edmondsw) wrote :

E.g.:

I create 3 domains, with the default using the sql driver, the 2nd using LDAP for ldap_server_1 and the 3rd using LDAP for ldap_server_2. I have users in each of those, and some of the users in each of those are set up with default project_id as project foo. When foo gets deleted, I need to update the users in all of those backends to no longer use foo as their default project. Not just the users in the default domain using the sql driver.

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
milestone: none → pike-3
tags: added: office-hours
Revision history for this message
Lance Bragstad (lbragstad) wrote :

We had another bug reported closely related to this [0]. I'm wondering if the other bug could be marked as a duplicate if the following cases are met:

 - all identity backends are invoked from the callback, which will make sure we clean up the default project for everyone
 - the Forbidden exception is handled from the LDAP backend, since we don't support writeable LDAP backends

That *should* leave us with a solution that ensures all users associated with a project via their default_project_id attribute will be handled regardless of the backend. Thoughts on marking that as a duplicate?

[0] https://bugs.launchpad.net/keystone/+bug/1705081
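The two conditions above (invoke every identity backend, and tolerate a Forbidden from a read-only LDAP backend), as an added stand-alone model that is not Keystone's code: the driver classes, domain names and user records are constructed for illustration, and `clear_buggy` versus `clear_fixed` contrasts the default-driver-only callback with one that walks all backends.

```python
# Added illustration only, not Keystone's own code: a minimal model of the
# "project deleted" callback running over several per-domain identity drivers.
class Forbidden(Exception):
    """Stands in for the error a read-only backend raises on a write."""

class SqlDriver:
    """Writable backend. users: user_id -> attribute dict (constructed sample)."""
    def __init__(self, users):
        self.users = users

    def unset_default_project_id(self, project_id):
        for user in self.users.values():
            if user.get("default_project_id") == project_id:
                user["default_project_id"] = None

class ReadOnlyLdapDriver(SqlDriver):
    """Models an LDAP backend that keystone never writes to."""
    def unset_default_project_id(self, project_id):
        raise Forbidden("identity backend is read-only")

def clear_buggy(drivers, default_domain, project_id):
    """Original behaviour: only the default domain's driver is invoked."""
    drivers[default_domain].unset_default_project_id(project_id)

def clear_fixed(drivers, project_id):
    """Every driver is invoked; read-only ones are skipped instead of aborting
    the callback, and their domain names are returned for an operator to audit."""
    skipped = []
    for domain, driver in drivers.items():
        try:
            driver.unset_default_project_id(project_id)
        except Forbidden:
            skipped.append(domain)
    return skipped

def dangling(drivers, project_id):
    """(domain, user_id) pairs still defaulting to a project that no longer exists."""
    return sorted((dom, uid) for dom, drv in drivers.items()
                  for uid, attrs in drv.users.items()
                  if attrs.get("default_project_id") == project_id)

def build_drivers():
    """Constructed sample: two writable SQL domains and one read-only LDAP domain."""
    return {
        "default": SqlDriver({"alice": {"default_project_id": "foo"}}),
        "sql2": SqlDriver({"bob": {"default_project_id": "foo"},
                           "carol": {"default_project_id": "bar"}}),
        "ldap1": ReadOnlyLdapDriver({"dave": {"default_project_id": "foo"}}),
    }
```

Running `dangling` after each variant shows the stale reference the buggy path leaves in the second SQL domain, and the read-only domain that still needs a manual audit even after the fix.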

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

I think they're separate. This bug is about not calling every driver. The other bug is specific to the LDAP driver implementation.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

That sounds fine - let's move forward with the fixes separately. Thanks!

Changed in keystone:
milestone: pike-3 → pike-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/491916

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/491916
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d0ad287df397513dd7cb8dd4da0cae383c6b49b0
Submitter: Jenkins
Branch: master

commit d0ad287df397513dd7cb8dd4da0cae383c6b49b0
Author: Lance Bragstad <email address hidden>
Date: Tue Aug 8 20:31:26 2017 +0000

    Unset project ids for all identity backends

    Previously, the default behavior for the callback that unset
    default project ids was to only call the method for the default
    domain's identity driver. This meant that when a project was deleted,
    only the default identity backend would have references to that
    project removed. This means it would be possible for other identity
    backends to still have references to a project that doesn't exist
    because the callback wasn't invoked for that specific backend.

    This commit ensures each backend clears project id from a user's
    default_project_id attribute when a project is deleted.

    Change-Id: Ibb5396f20101a3956fa91d6ff68155d4c00ab0f9
    Closes-Bug: 1705072

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 12.0.0.0rc1

This issue was fixed in the openstack/keystone 12.0.0.0rc1 release candidate.
