The removal of a role on a non existing group throws an error

Bug #1751045 reported by Jose Castro Leon
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Jose Castro Leon

Bug Description

In an environment with an LDAP server as identity backend, if a group is deleted out-of-band, the role assignment entry cannot be deleted as it checks for the existence of the group in the backend.

Therefore the assignments on groups cannot be deleted.

There is already a parameter allow_no_user that handles these cases for users but it is not used at all for groups.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/546969

Changed in keystone:
assignee: nobody → Jose Castro Leon (jose-castro-leon)
status: New → In Progress
summary: - The removal of a role on a non existing group throws an error in LDAP
+ The removal of a role on a non existing group throws an error
Lance Bragstad (lbragstad) wrote :

I'm unable to recreate this. These are the steps I've taken, let me know if I missed something:

- create a group in ldap http://paste.openstack.org/show/718623/
- assign the group a role on a project within the Users domain http://paste.openstack.org/show/718625/
- delete the group from LDAP http://paste.openstack.org/show/718626/
- clean up the role assignment http://paste.openstack.org/show/718628/

I'm working off of commit: 1f477ea3b427e2e633d59ff02e7d73eeff03fd3e

http://paste.openstack.org/show/718630/

Is there another code path that doesn't allow this to be done?

Lance Bragstad (lbragstad) wrote :

Ok - never mind... Caching bit me again. Once I disabled caching I was able to recreate this.

Changed in keystone:
assignee: Jose Castro Leon (jose-castro-leon) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Jose Castro Leon (jose-castro-leon)
importance: Undecided → Medium
Changed in keystone:
assignee: Jose Castro Leon (jose-castro-leon) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Jose Castro Leon (jose-castro-leon)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/546969
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1ab693ced85b8bf42fb6b9119225a7ef089e2670
Submitter: Zuul
Branch: master

commit 1ab693ced85b8bf42fb6b9119225a7ef089e2670
Author: Jose Castro Leon <email address hidden>
Date: Thu Feb 22 13:32:23 2018 +0100

    Allow cleaning up non-existent group assignments

    If a group gets deleted out-of-band in an LDAP environment, the role
    assignments cannot be cleaned as it checks the existence of the group
    before triggering the deletion. This fix adds the ability to ignore
    non-existent group and clean up stale role assignments. We take the
    same approach with user assignments.

    Co-Authored-By: Lance Bragstad <email address hidden>

    Change-Id: I975c8325f50b412c3aa256e1940a27082c009cce
    Closes-Bug: #1751045
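
The behaviour before and after this fix, as an added Python example that is not keystone's code: the class names, the `allow_no_group` flag (modelled on the `allow_no_user` parameter named in the report) and the sample IDs are all constructed for illustration.

```python
class GroupNotFound(Exception):
    """Raised when the identity backend has no such group."""

class IdentityBackend:
    """Stand-in for the LDAP identity backend (constructed data)."""
    def __init__(self, groups):
        self.groups = set(groups)

    def get_group(self, group_id):
        if group_id not in self.groups:
            raise GroupNotFound(group_id)
        return {"id": group_id}

class AssignmentStore:
    """Stand-in for the assignment backend, which keeps its own rows."""
    def __init__(self):
        self.grants = set()  # (role_id, group_id, project_id)

    def delete_grant(self, role_id, group_id, project_id):
        self.grants.discard((role_id, group_id, project_id))

def delete_group_grant(identity, store, role_id, group_id, project_id,
                       allow_no_group=False):
    """allow_no_group is a hypothetical flag, not keystone's signature."""
    try:
        identity.get_group(group_id)
    except GroupNotFound:
        # Only a missing group is tolerated; other backend errors propagate.
        if not allow_no_group:
            raise  # reported behaviour: the stale row can never be removed
        # Group vanished out-of-band; fall through and clean up anyway.
    store.delete_grant(role_id, group_id, project_id)

def demo():
    identity = IdentityBackend({"g-ops"})
    store = AssignmentStore()
    store.grants.add(("r-admin", "g-ops", "p-1"))
    identity.groups.remove("g-ops")  # deleted directly in LDAP
    try:
        delete_group_grant(identity, store, "r-admin", "g-ops", "p-1")
        strict_failed = False
    except GroupNotFound:
        strict_failed = True
    stale_rows = len(store.grants)
    delete_group_grant(identity, store, "r-admin", "g-ops", "p-1",
                       allow_no_group=True)
    return strict_failed, stale_rows, len(store.grants)

if __name__ == "__main__":
    print(demo())
```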

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.0.0b2

This issue was fixed in the openstack/keystone 14.0.0.0b2 development milestone.

Changed in keystone:
milestone: none → rocky-2