yahoo-eng-team team mailing list archive

[Bug 1705081] Re: DELETE project API is failing in forbidden(403) error message

 

Reviewed:  https://review.openstack.org/491546
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b068d71b59c092820b1e78dd87a3fb00b40802eb
Submitter: Jenkins
Branch:    master

commit b068d71b59c092820b1e78dd87a3fb00b40802eb
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Mon Aug 7 20:29:08 2017 +0000

    Except forbidden when clearing default project IDs
    
    The identity backend registers a callback that listens for when a
    project is deleted. When it receives a notification, it uses the
    project ID sent in the notification and removes all references to it
    from the identity backend, where users might have it referenced in
    their `default_project_id` attribute. The original fix for this did
    not account for LDAP backends being read-only. This caused an issue
    where DELETE /v3/projects/{project_id} actually caused an HTTP 403
    Forbidden exception because the LDAP backend wasn't writeable,
    despite that project actually being deleted.
    
    This change makes the identity API manager handle the exception
    and tests it specifically for LDAP, or read-only, backends.
    
    Change-Id: I16f4fcb289dad2fe752f3188476329c95cf777c9
    Closes-Bug: 1705081


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1705081

Title:
  DELETE project API is failing in forbidden(403) error message

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  With ldap as identity backend driver, when some project is deleted using DELETE /v3/projects/{project_id} API, it is failing in 
  RESP BODY: {"error": {"message": "You are not authorized to perform the requested action.", "code": 403, "title": "Forbidden"}}

  In the delete project flow, with change-set[0] a notification action
  is configured at [1] to clear default project information on all users
  by invoking respective identity backend driver at [2] in method
  unset_default_project_id() but for ldap driver at [3] it is configured
  to throw forbidden error. Since ldap doesn't maintain project
  information on users, unset_default_project_id() method at [3] doesn't
  require any specific functionality to clean up project information on
  users.

  [0] https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
  [1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L492
  [2] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L533
  [3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1705081/+subscriptions
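
A minimal model of the behaviour the commit message describes, added here as an illustration and not taken from keystone: a project-deletion callback hits a read-only identity backend, and the caller sees 403 unless the Forbidden error is handled. All class and function names, the `tolerate_read_only` switch and the returned status codes are assumptions of this sketch.

```python
# Simplified model, not keystone source: all names here are hypothetical.
import logging

LOG = logging.getLogger(__name__)


class Forbidden(Exception):
    """Stands in for the exception behind an HTTP 403 response."""


class SqlIdentityDriver:
    """Writeable backend: users carry a default_project_id attribute."""

    def __init__(self, users):
        self.users = users  # {user_id: default_project_id or None}

    def unset_default_project_id(self, project_id):
        for user_id, default in self.users.items():
            if default == project_id:
                self.users[user_id] = None


class ReadOnlyLdapDriver:
    """Read-only backend: every write attempt is refused."""

    def unset_default_project_id(self, project_id):
        raise Forbidden("backend is read-only")


def on_project_deleted(driver, project_id, tolerate_read_only=True):
    """Callback run after a project is deleted; returns True if cleanup ran."""
    try:
        driver.unset_default_project_id(project_id)
        return True
    except Forbidden:
        if not tolerate_read_only:
            raise  # pre-fix behaviour: the error surfaces to the API caller
        LOG.debug("Identity backend is read-only; skipped default project "
                  "cleanup for project %s", project_id)
        return False


def delete_project(projects, driver, project_id, tolerate_read_only=True):
    """Delete the project, then notify the identity backend; returns a status."""
    del projects[project_id]
    try:
        on_project_deleted(driver, project_id, tolerate_read_only)
    except Forbidden:
        return 403  # project is already gone, yet the caller sees Forbidden
    return 204
```

With `tolerate_read_only=False` the model reproduces the reported symptom: the project is removed from `projects` but the call still reports 403.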

