yahoo-eng-team team mailing list archive

[Bug 1622310] [NEW] trust still exist in the DB when the trustor/trustee/project is deleted

 

Public bug reported:

When a trust is created, it requires that the trustee and trustor exist in the
DB, but when the associated user or project is deleted, the trust still exists
in the DB.

The trust left in the DB is useless and won't be used any longer: since
the id of either user/project is a random number when it gets created, it is
not likely the trust will be effective in the future.

How to reproduce:
$ openstack user create trustor --password abc123
$ openstack user create trustee --password abc123
$ openstack project create trust_project
$ openstack role add 9cf8420ea5324f79b9d740e3ce5f0e04 --project 2c455f8756d04b9485ec0b344c0e2089 --user 3e56ae62d1c94ead9fe9a4b31aaee070  # Add role service to project trust with user trustor
$ curl -g -i -X POST -H "Accept: application/json" -H "X-Auth-Token: 94d06939e65243f99cbfcf331bdf3e0b" -H "Content-Type: application/json" -d '{
    "trust": {
        "expires_at": "2017-02-27T18:30:59.999999Z",
        "impersonation": true,
        "allow_redelegation": true,
        "project_id": "2c455f8756d04b9485ec0b344c0e2089",
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "9147c64ef0624477bfc9dba818aa569c",
        "trustor_user_id": "3e56ae62d1c94ead9fe9a4b31aaee070",
        "redelegation_count": 3
    }
}' http://10.239.159.68:5000/v3/OS-TRUST/trusts
$ openstack user delete trustor
$ openstack trust list
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| ID                        | Expires At                | Impersonation | Project ID                | Trustee User ID           | Trustor User ID           |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| e7491ab063e247b6ad072b562 | 2017-02-27T18:30:59.00000 | True          | 2c455f8756d04b9485ec0b344 | 9147c64ef0624477bfc9dba81 | 3e56ae62d1c94ead9fe9a4b31 |
| b32e37e                   | 0Z                        |               | c0e2089                   | 8aa569c                   | aaee070                   |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  When a trust is created, it requires trustee, trustor exist in the DB,
- but when the associated user or project is deleted trust still exist.
+ but when the associated user or project is deleted trust still exist in
+ DB.
  
  The trust left in the DB is useless, and won't be used any longer since
  either id of user/project is a random number when it got created it not
- likely the trust will be effective any longer.
- 
+ likely the trust will be effective in the future.
  
  How to reproduce:
  $ openstack user create trustor --password abc123
  $ openstack user create trustee --password abc123
  $ openstack project create trust_project
  $ openstack role add 9cf8420ea5324f79b9d740e3ce5f0e04 --project 2c455f8756d04b9485ec0b344c0e2089 --user 3e56ae62d1c94ead9fe9a4b31aaee070  (Add role service to project trust with user trustor)
  curl -g -i -X POST -H "Accept: application/json" -H "X-Auth-Token: 94d06939e65243f99cbfcf331bdf3e0b" -H "Content-Type: application/json" -d '{
-     "trust": {
-         "expires_at": "2017-02-27T18:30:59.999999Z",
-         "impersonation": true,
-         "allow_redelegation": true,
-         "project_id": "2c455f8756d04b9485ec0b344c0e2089",
-         "roles": [
-             {
-                 "name": "admin"
-             }
-         ],
-         "trustee_user_id": "9147c64ef0624477bfc9dba818aa569c",
-         "trustor_user_id": "3e56ae62d1c94ead9fe9a4b31aaee070",
-         "redelegation_count": 3
-     }
+     "trust": {
+         "expires_at": "2017-02-27T18:30:59.999999Z",
+         "impersonation": true,
+         "allow_redelegation": true,
+         "project_id": "2c455f8756d04b9485ec0b344c0e2089",
+         "roles": [
+             {
+                 "name": "admin"
+             }
+         ],
+         "trustee_user_id": "9147c64ef0624477bfc9dba818aa569c",
+         "trustor_user_id": "3e56ae62d1c94ead9fe9a4b31aaee070",
+         "redelegation_count": 3
+     }
  }' http://10.239.159.68:5000/v3/OS-TRUST/trusts
  $ openstack user delete trustor
  $ openstack trust list
  +---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
  | ID                        | Expires At                | Impersonation | Project ID                | Trustee User ID           | Trustor User ID           |
  +---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
  | e7491ab063e247b6ad072b562 | 2017-02-27T18:30:59.00000 | True          | 2c455f8756d04b9485ec0b344 | 9147c64ef0624477bfc9dba81 | 3e56ae62d1c94ead9fe9a4b31 |
  | b32e37e                   | 0Z                        |               | c0e2089                   | 8aa569c                   | aaee070                   |
  +---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
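
Review bot: the reproduction steps carried as context delete only the trustor (`openstack user delete trustor`), while the title also covers a deleted trustee and a deleted project; adding those two cases would show whether all three leave the trust row behind. The `openstack role add` step is annotated as adding role service, but the trust body requests the role `admin` with `"impersonation": true`, so the steps should state which role the trustor actually holds on the project. The JSON body hunk shows identical removed and added text and looks like a whitespace-only change.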

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1622310

Title:
  trust still exist in the DB when the trustor/trustee/project is
  deleted

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1622310/+subscriptions
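
An operator-side audit for the condition this report describes, added here as an example (it is not part of the original report and not keystone code): it cross-checks trust rows against the current user and project listings and reports which reference is gone. The sample data is constructed in the shape of `openstack trust list -f json`, `openstack user list -f json` and `openstack project list -f json`; the first trust uses the IDs from the report, and the `constructed-*` IDs and the function name `find_orphaned_trusts` are made up for illustration.

```python
import json

# Constructed sample data; column names follow the table in the report.
# The first trust is the one from the report (its trustor was deleted),
# the second is a made-up trust whose references all still exist.
TRUSTS = json.loads("""[
  {"ID": "e7491ab063e247b6ad072b562b32e37e",
   "Expires At": "2017-02-27T18:30:59.000000Z", "Impersonation": true,
   "Project ID": "2c455f8756d04b9485ec0b344c0e2089",
   "Trustee User ID": "9147c64ef0624477bfc9dba818aa569c",
   "Trustor User ID": "3e56ae62d1c94ead9fe9a4b31aaee070"},
  {"ID": "constructed-trust-0002", "Expires At": null, "Impersonation": false,
   "Project ID": "2c455f8756d04b9485ec0b344c0e2089",
   "Trustee User ID": "9147c64ef0624477bfc9dba818aa569c",
   "Trustor User ID": "constructed-user-0003"}
]""")
USERS = [{"ID": "9147c64ef0624477bfc9dba818aa569c", "Name": "trustee"},
         {"ID": "constructed-user-0003", "Name": "other"}]
PROJECTS = [{"ID": "2c455f8756d04b9485ec0b344c0e2089", "Name": "trust_project"}]

# (column in the trust listing, label used in the report)
REFERENCES = (("Trustor User ID", "trustor"),
              ("Trustee User ID", "trustee"),
              ("Project ID", "project"))


def find_orphaned_trusts(trusts, users, projects):
    """Return {trust_id: [missing references]} for every trust that points
    at a user or project absent from the current listings."""
    user_ids = {u["ID"] for u in users}
    project_ids = {p["ID"] for p in projects}
    orphans = {}
    for trust in trusts:
        missing = []
        for column, label in REFERENCES:
            known = project_ids if label == "project" else user_ids
            if trust.get(column) not in known:
                missing.append(label)
        if missing:
            orphans[trust["ID"]] = missing
    return orphans


if __name__ == "__main__":
    for trust_id, missing in find_orphaned_trusts(TRUSTS, USERS, PROJECTS).items():
        print(f"{trust_id}: missing {', '.join(missing)}")
```

The user and project listings must cover every domain the trusts can reference; a partial listing makes live trusts look orphaned.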
