← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1366211] [NEW] Using LDAP assignments, delete group doesn't remove assignments

 

Public bug reported:


When Keystone is configured to use the LDAP backend for assignments, if a group with a role assignment is deleted then the role assignments are not deleted as they should be.

See bug 1365787 for instructions on creating the group role assignment.

Here's an example where I set up a group role assignment:

$ openstack role assignment list
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
| Role                             | User                             | Group                            | Project                          | Domain |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
...
| fc4bf67b5d004581b375b98bbc31af38 |                                  | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce |        |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
bknudson@f1-ds:~$ openstack group delete blktest1
bknudson@f1-ds:~$ openstack role assignment list
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
| Role                             | User                             | Group                            | Project                          | Domain |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
| fc4bf67b5d004581b375b98bbc31af38 |                                  | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce |        |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+

That role assignment shouldn't be there anymore.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1366211

Title:
  Using LDAP assignments, delete group doesn't remove assignments

Status in OpenStack Identity (Keystone):
  New

Bug description:
  
  When Keystone is configured to use the LDAP backend for assignments, if a group with a role assignment is deleted then the role assignments are not deleted as they should be.

  See bug 1365787 for instructions on creating the group role
  assignment.

  Here's an example where I set up a group role assignment:

  $ openstack role assignment list
  +----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
  | Role                             | User                             | Group                            | Project                          | Domain |
  +----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
  ...
  | fc4bf67b5d004581b375b98bbc31af38 |                                  | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce |        |
  +----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
  bknudson@f1-ds:~$ openstack group delete blktest1
  bknudson@f1-ds:~$ openstack role assignment list
  +----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
  | Role                             | User                             | Group                            | Project                          | Domain |
  +----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
  | fc4bf67b5d004581b375b98bbc31af38 |                                  | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce |        |
  +----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+

  That role assignment shouldn't be there anymore.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1366211/+subscriptions


Follow ups

References