yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1705081] [NEW] DELETE project API is failing in forbidden(403) error message

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: prashkre <1705081@xxxxxxxxxxxxxxxxxx>
Date: Tue, 18 Jul 2017 18:04:21 -0000
Reply-to: Bug 1705081 <1705081@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

With ldap as identity backend driver, when some project is deleted using DELETE /v3/projects/{project_id} API, it is failing in 
RESP BODY: {"error": {"message": "You are not authorized to perform the requested action.", "code": 403, "title": "Forbidden"}}

In the delete project flow, with change-set[0] a notification action is
configured at [1] to clear default project information on all users by
invoking respective identity backend driver at [2] in method
unset_default_project_id() but for ldap driver at [3] it is configured
to throw forbidden error. Since ldap doesn't maintain project
information on users, unset_default_project_id() method at [3] doesn't
require any specific functionality to clean up project information on
users.

[0] https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L492
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L533
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1705081

Title:
  DELETE project API is failing in forbidden(403) error message

Status in OpenStack Identity (keystone):
  New

Bug description:
  With ldap as identity backend driver, when some project is deleted using DELETE /v3/projects/{project_id} API, it is failing in 
  RESP BODY: {"error": {"message": "You are not authorized to perform the requested action.", "code": 403, "title": "Forbidden"}}

  In the delete project flow, with change-set[0] a notification action
  is configured at [1] to clear default project information on all users
  by invoking respective identity backend driver at [2] in method
  unset_default_project_id() but for ldap driver at [3] it is configured
  to throw forbidden error. Since ldap doesn't maintain project
  information on users, unset_default_project_id() method at [3] doesn't
  require any specific functionality to clean up project information on
  users.

  [0] https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
  [1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L492
  [2] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L533
  [3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1705081/+subscriptions

Follow ups

[Bug 1705081] Re: DELETE project API is failing in forbidden(403) error message
From: OpenStack Infra, 2017-08-08