yahoo-eng-team team mailing list archive
Message #57713
[Bug 1632924] [NEW] Lingering sql backend role assignments after deletion of ldap user.
Public bug reported:
Greetings all,
There is currently an issue in an OpenStack Liberty environment where the keystone configuration is using an LDAP driver for users and the SQL driver for role assignments. The issue being encountered is that when an LDAP user is removed, the ID for that user (actor_id) remains in the keystone.assignment table. The way this was discovered was that if we attempt to perform a user list on a specific project where a former LDAP user existed, the openstack client abruptly exits with an exception [1] regarding the resource, or in this case the user ID, no longer being found, as it was deleted from LDAP while its role assignment for the user remains in the keystone.assignments table. There was a similar bug found [2]; however, that one deals with both identity and assignment drivers using LDAP, whereas in this particular case identity is LDAP and assignment is SQL.
Environment details:
OpenStack Version: 12.2.0 (Liberty)
Keystone Version: 8.1.2
identity driver: ldap
assignment driver: sql
[0]
MariaDB [keystone]> select * from assignment where actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47';
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
| type        | actor_id                                                         | target_id                        | role_id                          | inherited |
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
| UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab |         0 |
| UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 |         0 |
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
[1]
Request returned failure status: 401
Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action
    user = utils.find_resource(identity_client.users, user_id)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource
    raise exceptions.CommandError(msg)
CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
clean_up ListUser: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 112, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
    result = self.run_subcommand(remainder)
  File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action
    user = utils.find_resource(identity_client.users, user_id)
  File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource
    raise exceptions.CommandError(msg)
CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
END return value: 1
[2]
https://bugs.launchpad.net/keystone/+bug/1366211
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1632924
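An added example, not part of the original bug report or of keystone's code: a reconciliation check that finds user role assignments whose actor_id no longer resolves in the identity backend, which is the lingering-assignment condition the report describes. It assumes an in-memory SQLite table with the columns shown in the report's query output as a stand-in for the keystone database, and a caller-supplied set of user IDs currently returned by the identity (LDAP) backend; all function names and sample IDs are constructed for illustration.

```python
import sqlite3

# Only user-actor assignment types are compared against users;
# Group* rows reference group IDs and must not be flagged here.
USER_TYPES = ("UserProject", "UserDomain")

def build_sample_db():
    """Constructed data: SQLite stand-in for the keystone assignment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assignment (type TEXT, actor_id TEXT, "
                 "target_id TEXT, role_id TEXT, inherited INTEGER)")
    conn.executemany("INSERT INTO assignment VALUES (?,?,?,?,?)", [
        ("UserProject", "user-deleted", "proj-a", "role-member", 0),
        ("UserProject", "user-deleted", "proj-a", "role-admin", 0),
        ("UserProject", "user-active", "proj-a", "role-member", 0),
        ("GroupProject", "group-ops", "proj-a", "role-member", 0),
    ])
    conn.commit()
    return conn

def find_orphaned_user_assignments(conn, live_user_ids):
    """Return user assignment rows whose actor_id is not a live user ID."""
    live = set(live_user_ids)
    if not live:
        # An empty set usually means the directory lookup failed;
        # treating every assignment as orphaned would be destructive.
        raise ValueError("refusing to reconcile against an empty user list")
    marks = ",".join("?" for _ in USER_TYPES)
    rows = conn.execute(
        "SELECT type, actor_id, target_id, role_id, inherited FROM assignment "
        f"WHERE type IN ({marks}) ORDER BY actor_id, role_id",
        USER_TYPES,
    ).fetchall()
    return [row for row in rows if row[1] not in live]

def purge_orphans(conn, orphans):
    """Delete exactly the reviewed rows in one transaction; return the count."""
    with conn:
        cur = conn.executemany(
            "DELETE FROM assignment WHERE type=? AND actor_id=? "
            "AND target_id=? AND role_id=? AND inherited=?",
            orphans,
        )
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    stale = find_orphaned_user_assignments(db, {"user-active"})
    print(stale, purge_orphans(db, stale))
```

Running the check on a schedule and reviewing its output before any deletion keeps role grants from outliving the accounts they were issued to.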