yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #25665
[Bug 1385405] Re: Domain backed by a populated read-only domain-specific LDAP identity backend cannot be deleted
** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385405
Title:
Domain backed by a populated read-only domain-specific LDAP identity
backend cannot be deleted
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
I've set up a DevStack with Keystone using domain-specific backends.
I've then created a Domain-A with its domain-specific configuration
being:
[ldap]
url=ldap://ldap.server.com:389
user=cn=admin,dc=example,dc=com
password=secret
suffix=dc=example,dc=com
user_tree_dn="ou=Users,dc=example,dc=com"
user_id_attribute=cn
user_name_attribute=cn
user_objectclass=organizationalPerson
user_allow_create=false
user_allow_update=false
user_allow_delete=false
group_tree_dn=ou=Groups,dc=example,dc=com
group_id_attribute=cn
group_name_attribute=cn
group_objectclass=*
group_allow_create=false
group_allow_update=false
group_allow_delete=false
[identity]
driver = keystone.identity.backends.ldap.Identity
Now I cannot delete this domain. When I try that, Keystone returns this error:
{"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
As I configured it not to allow the information to be deleted by Keystone, I'd expect it to ignore the fact that it cannot delete the groups and users and then delete the domain.
On the other hand, it is good to have it blocked until the not-needed-
anymore configuration file is removed.
See also the chat below on 2014-10-22 on #openstack-keystone:
14:53:45 gabriel-bezerra | ayoung: I cannot delete a domain that is backed by a populated read-only LDAP database. It is a bug, right? (just asking before filing)
14:56:11 ayoung | gabriel-bezerra, multi-backend?
14:56:52 gabriel-bezerra | ayoung: yes, domain-specific
14:57:37 ayoung | gabriel-bezerra, what error do you get? I'm not certain its a bug or not. Suspect a foreign key constraint
14:57:50 ayoung | but you need to disable a domain before deleting no matter what
14:58:15 gabriel-bezerra | ayoung: {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
14:58:39 ayoung | gabriel-bezerra, cuz deleting the domain trys to delete all of the objects inside it
14:58:48 gabriel-bezerra | ayoung: it is being disabled
14:59:00 ayoung | You'd have to unmap the domain specific backend part first
14:59:30 ayoung | so remove the file, restart the server,and I bet it works...and I think that is as it should be under current ways of thinking
15:00:07 gabriel-bezerra | ayoung: ok. no bug then. thank you.
15:00:21 ayoung | yeah...but maybe something to document
15:00:59 ayoung | gabriel-bezerra, until we make the configuration something that can be done on the fly and without restarting the server, I'd say it "works as designed"
15:07:41 gabriel-bezerra | ayoung: I'll file the bug then, just to keep track of the issue.
15:07:50 ayoung | ++
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1385405/+subscriptions
References