yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1546834] Re: The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Steve Martinelli <1546834@xxxxxxxxxxxxxxxxxx>
Date: Mon, 01 Aug 2016 20:57:38 -0000
Reply-to: Bug 1546834 <1546834@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Write support is deprecated and will be removed in 6 weeks. Marking this
as Opinion.

** Changed in: keystone
       Status: Triaged => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1546834

Title:
   The deletion of an LDAP domain in keystone when write enabled should
  not clear the LDAP database

Status in OpenStack Identity (keystone):
  Opinion

Bug description:
  Description of problem:
  Testing multi domain support in RHOS. The deletion of this domain when write enabled cleared the LDAP database entirely. Thankfully this was done in a lab, because LDAP was a total loss. 

  Version-Release number of selected component (if applicable):

  # rpm -qa | grep packstack
  openstack-packstack-puppet-2015.1-0.14.dev1589.g1d6372f.el7ost.noarch
  openstack-packstack-2015.1-0.14.dev1589.g1d6372f.el7ost.noarch

  # rpm -qa | grep keystone
  python-keystoneclient-1.3.0-2.el7ost.noarch
  python-keystone-2015.1.2-2.el7ost.noarch
  openstack-keystone-2015.1.2-2.el7ost.noarch
  python-keystonemiddleware-1.5.1-1.el7ost.noarch

  How reproducible:
  Assuming always? I was only able to do this once. 

  
  Steps to Reproduce:
  1. Enable multi domain support in keystone, ensure the following is in /etc/keystone.conf

  [identity]
  domain_specific_drivers_enabled = true 
  domain_config_dir = /etc/keystone/domains
  #default_domain_id = 7d9bed61b1564f2289296a4e9241482d

  2. Then add an LDAP domain and ensure that writes are permitted.

  vim /etc/keystone/domains/keystone.laboratory.conf

  [ldap]
  url=ldap://auth.lab.runlevelone.lan
  user=uid=keystone,cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
  password=xxxxxxx
  suffix=ccn=accounts,dc=lab,dc=runlevelone,dc=lan
  user_tree_dn=cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
  user_objectclass=person
  user_id_attribute=uid
  user_name_attribute=uid
  user_mail_attribute=mail
  user_allow_create=true
  user_allow_update=true
  user_allow_delete=true
  group_tree_dn=cn=groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan
  group_objectclass=groupOfNames
  group_id_attribute=cn
  group_name_attribute=cn
  group_member_attribute=member
  group_desc_attribute=description
  group_allow_create=true
  group_allow_update=true
  group_allow_delete=true
  user_enabled_attribute=nsAccountLock
  user_enabled_default=false
  user_enabled_invert=true

  [identity]
  driver = keystone.identity.backends.ldap.Identity

  
  3. Remove the domain, using 'openstack domain delete #domain_id' 


  Actual results:
  Clears LDAP database, cn=users/groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan was completely empty

  
  Expected results:
  Does not delete users on removal or prompt "THIS WILL DELETE ALL USERS, DO YOU WANT TO PROCEED"

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1546834/+subscriptions

References

[Bug 1546834] [NEW] The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database
From: Adam Young, 2016-02-18