← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1385405] Re: Domain backed by a populated read-only domain-specific LDAP identity backend cannot be deleted

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385405

Title:
  Domain backed by a populated read-only domain-specific LDAP identity
  backend cannot be deleted

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  I've set up a DevStack with Keystone using domain-specific backends.

  I've then created a Domain-A with its domain-specific configuration
  being:

  [ldap]
  url=ldap://ldap.server.com:389
  user=cn=admin,dc=example,dc=com
  password=secret
  suffix=dc=example,dc=com

  user_tree_dn="ou=Users,dc=example,dc=com" 
  user_id_attribute=cn
  user_name_attribute=cn
  user_objectclass=organizationalPerson
  user_allow_create=false
  user_allow_update=false
  user_allow_delete=false

  group_tree_dn=ou=Groups,dc=example,dc=com
  group_id_attribute=cn
  group_name_attribute=cn
  group_objectclass=*
  group_allow_create=false
  group_allow_update=false
  group_allow_delete=false

  [identity]
  driver = keystone.identity.backends.ldap.Identity

  
  Now I cannot delete this domain. When I try that, Keystone returns this error:
  {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}

  
  As I configured it not to allow the information to be deleted by Keystone, I'd expect it to ignore the fact that it cannot delete the groups and users and then delete the domain.

  On the other hand, it is good to have it blocked until the not-needed-
  anymore configuration file is removed.

  
  See also the chat below on 2014-10-22 on #openstack-keystone:

  14:53:45 gabriel-bezerra | ayoung: I cannot delete a domain that is backed by a populated read-only LDAP database. It is a bug, right? (just asking before filing)
  14:56:11          ayoung | gabriel-bezerra, multi-backend?
  14:56:52 gabriel-bezerra | ayoung: yes, domain-specific
  14:57:37          ayoung | gabriel-bezerra, what error do you get?  I'm not certain its a bug or not.  Suspect a foreign key constraint
  14:57:50          ayoung | but you need to disable a domain before deleting no matter what
  14:58:15 gabriel-bezerra | ayoung: {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
  14:58:39          ayoung | gabriel-bezerra, cuz deleting the domain trys to delete all of the objects inside it
  14:58:48 gabriel-bezerra | ayoung: it is being disabled
  14:59:00          ayoung | You'd have to unmap the domain specific backend part first 
  14:59:30          ayoung | so remove the file, restart the server,and I bet it works...and I think that is as it should be under current ways of thinking
  15:00:07 gabriel-bezerra | ayoung: ok. no bug then. thank you.
  15:00:21          ayoung | yeah...but maybe something to document
  15:00:59          ayoung | gabriel-bezerra, until we make the configuration something that can be done on the fly and without restarting the server, I'd say it "works as designed"
  15:07:41 gabriel-bezerra | ayoung: I'll file the bug then, just to keep track of the issue.
  15:07:50          ayoung | ++

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1385405/+subscriptions


References