
yahoo-eng-team team mailing list archive

[Bug 1632924] Re: Lingering sql backend role assignments after deletion of ldap user.

 

[Expired for OpenStack Identity (keystone) because there has been no
activity for 60 days.]

** Changed in: keystone
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1632924

Title:
  Lingering sql backend role assignments after deletion of ldap user.

Status in OpenStack Identity (keystone):
  Expired

Bug description:
  Greetings all,

  
  There is currently an issue in an OpenStack Liberty environment where the keystone configuration is using an ldap driver for users and the sql driver for role assignments.  The issue being encountered is that when an ldap user is removed, the id for that user (actor_id) remains in the keystone.assignment table.  The way this was discovered was that if we attempt to perform a user list on a specific project where a former ldap user existed, the openstack client abruptly exits with an exception [1] regarding the resource, or in this case the user id, no longer being found, as it was deleted from ldap while its role assignment for the user remains in the keystone.assignments table.  There was a similar bug found [2]; however, that one deals with both identity and assignment drivers using ldap, whereas in this particular case identity is ldap and assignment is sql.

  
  Environment details:
  Openstack Version: 12.2.0(Liberty)
  Keystone Version: 8.1.2
  identity driver: ldap
  assignment driver: sql


  
  [0]

  MariaDB [keystone]> select * from assignment where actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47';
  +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
  | type        | actor_id                                                         | target_id                        | role_id                          | inherited |
  +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
  | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab |         0 |
  | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 |         0 |
  +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+

  [1]

  Request returned failure status: 401
  Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
  Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
      result = cmd.run(parsed_args)
    File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
      column_names, data = self.take_action(parsed_args)
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper
      return func(self, *args, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action
      user = utils.find_resource(identity_client.users, user_id)
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource
      raise exceptions.CommandError(msg)
  CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
  clean_up ListUser: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
  Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 112, in run
      ret_val = super(OpenStackShell, self).run(argv)
    File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
      result = self.run_subcommand(remainder)
    File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand
      result = cmd.run(parsed_args)
    File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run
      column_names, data = self.take_action(parsed_args)
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper
      return func(self, *args, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action
      user = utils.find_resource(identity_client.users, user_id)
    File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource
      raise exceptions.CommandError(msg)
  CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47

  END return value: 1

  
  [2]
  https://bugs.launchpad.net/keystone/+bug/1366211

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1632924/+subscriptions
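
An added example, not part of the bug report or of keystone's code: a reconciliation check that lists user role assignments whose actor_id is no longer known to the identity backend, and removes them. It assumes an in-memory SQLite table standing in for the MariaDB `assignment` table (same column names as the query output in [0]), constructed sample ids, and a set of live user ids that would in practice be collected from the LDAP-backed identity driver.

```python
import sqlite3

# Assignment types whose actor_id refers to a user; group rows are skipped
# because their actor_id is a group id, not a user id.
USER_TYPES = ("UserProject", "UserDomain")


def build_sample_db():
    """Constructed stand-in for keystone's `assignment` table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE assignment (type TEXT, actor_id TEXT, target_id TEXT,"
        " role_id TEXT, inherited INTEGER)"
    )
    rows = [  # constructed sample rows, not taken from the report
        ("UserProject", "user-alice", "proj-1", "role-member", 0),
        ("UserProject", "user-bob-deleted", "proj-1", "role-member", 0),
        ("UserProject", "user-bob-deleted", "proj-1", "role-admin", 0),
        ("GroupProject", "group-ops", "proj-1", "role-member", 0),
    ]
    db.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?, ?)", rows)
    return db


def find_orphaned_assignments(db, live_user_ids):
    """Map each missing actor_id to its lingering (type, target, role) rows."""
    marks = ",".join("?" for _ in USER_TYPES)
    cur = db.execute(
        "SELECT actor_id, type, target_id, role_id FROM assignment"
        f" WHERE type IN ({marks}) ORDER BY actor_id, target_id, role_id",
        USER_TYPES,
    )
    orphans = {}
    for actor_id, type_, target_id, role_id in cur:
        if actor_id not in live_user_ids:
            orphans.setdefault(actor_id, []).append((type_, target_id, role_id))
    return orphans


def purge_orphans(db, orphans):
    """Delete exactly the reported rows in one transaction; return the count."""
    before = db.total_changes
    params = [(a, t, tg, r) for a, rows in orphans.items() for t, tg, r in rows]
    with db:  # commits on success, rolls back on error
        db.executemany(
            "DELETE FROM assignment WHERE actor_id = ? AND type = ?"
            " AND target_id = ? AND role_id = ?",
            params,
        )
    return db.total_changes - before
```

The live-id set must be complete before anything is purged: an identity backend that is unreachable or only partly listed would make every missing user look deleted.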

