yahoo-eng-team team mailing list archive
Message #22620
[Bug 1222675] Re: LDAP Identity Driver does not call delete_user or delete_group on the LDAP assignment api
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1222675
Title:
LDAP Identity Driver does not call delete_user or delete_group on the
LDAP assignment api
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
Likely the call to assignment_api.delete_user and
assignment_api.delete_group should be moved to the identity manager to
ensure it is called every time; the user_ref should also be passed to
the assignment_api instead of just the user_id so that the
assignment_api has no need to do a lookup via identity_api (if
required).
The kvs identity driver does not call delete_user on assignment_api.
The kvs identity driver does not call delete_group on assignment_api.
The ldap identity driver does not call delete_group on assignment_api.
Tests should be added as well to confirm the assignment_api methods
are called.
Related: Should delete_user called with the PAM identity driver still
call assignment_api.delete_user? It would seem logical that it could
be used to clean up all assignments, and just handle the NotImplemented
"deletion" from the identity store. If this is a valid use-case, the
PAM identity driver does not call assignment_api.delete_user or
delete_group when expected. This might also just warrant a
deprecation of the PAM backend for a more feature-rich backend (such
as SSSD/IPA) and ignore this shortcoming.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1222675/+subscriptions
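
The manager-level cleanup proposed in the bug description, sketched as an added example (not Keystone's code and not part of the original message). All class and method names are hypothetical; dropping grants when a read-only driver raises NotImplementedError is an assumption taken from the "Related" question above.

```python
# Added illustration: every name here is hypothetical, not Keystone's code.
class AssignmentStore:
    """Toy assignment backend: (actor_id, project_id) -> role name."""
    def __init__(self, grants):
        self.grants = dict(grants)
    def _purge(self, ref):
        # Works from the ref it was handed; no lookup back into identity.
        for key in [k for k in self.grants if k[0] == ref["id"]]:
            del self.grants[key]
    delete_user = delete_group = _purge

class DictDriver:
    """Writable identity driver that knows nothing about assignments."""
    def __init__(self, entities):
        self.entities = dict(entities)
    def get(self, entity_id):
        return self.entities[entity_id]
    def delete(self, entity_id):
        del self.entities[entity_id]

class ReadOnlyDriver(DictDriver):
    """Stands in for a backend that cannot delete (the PAM case)."""
    def delete(self, entity_id):
        raise NotImplementedError

class IdentityManager:
    """Cleanup lives here, so no driver can forget to call it."""
    def __init__(self, driver, assignment_api):
        self.driver, self.assignment_api = driver, assignment_api

    def _delete(self, entity_id, cleanup):
        ref = self.driver.get(entity_id)  # fetch the ref before it disappears
        try:
            self.driver.delete(entity_id)
        except NotImplementedError:
            pass  # assumption: still drop grants for read-only stores
        cleanup(ref)

    def delete_user(self, user_id):
        self._delete(user_id, self.assignment_api.delete_user)
    def delete_group(self, group_id):
        self._delete(group_id, self.assignment_api.delete_group)

def remaining_grants(driver_cls):
    store = AssignmentStore({("u1", "p1"): "admin", ("g1", "p1"): "member"})  # constructed data
    manager = IdentityManager(driver_cls({"u1": {"id": "u1"}, "g1": {"id": "g1"}}), store)
    manager.delete_user("u1")
    manager.delete_group("g1")
    return store.grants
```

Calling `remaining_grants` with either driver class returns an empty dict, which is the property the tests requested in the report would check for every backend.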