yahoo-eng-team team mailing list archive

[Adam Young <1321378@xxxxxxxxxxxxxxxxxx>]

Reopening the issue against the Keystone server.  The fix was not
sufficient, as it was just a workaround, and one that we can't apply via
the CLI.

The real fix requires avoiding the exception from the identity backend
when performing any assignment-backend calls.

** Changed in: keystone
       Status: Fix Released => Confirmed

** Summary changed:

- keystone user-role-delete operation fails when user no longer exists in backend
+ keystone user-role-* operations fails when user no longer exists in backend

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1321378

Title:
  keystone user-role-* operations fails when user no longer exists in
  backend

Status in OpenStack Identity (keystone):
  Confirmed
Status in python-keystoneclient:
  New
Status in python-openstackclient:
  New

Bug description:
  When using an external user catalog (in our case, AD), if the user is
  removed on the backend catalog, the user-role-* keystone CLI commands
  no longer work, because keystone cannot look up the user.

  The specific situation is a user had been granted roles on some
  projects, but then that user left the company and was removed from the
  backend directory.  When going back to remove the roles assigned to
  that user, the keystone commands fail.

  It may still be possible to do these operations directly through the
  API, I didn't check that.  But ultimately was able to work around it
  by directly removing the entries in the keystone user_project_metadata
  table.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1321378/+subscriptions