yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1705072] Re: clearing default project_id from users using wrong driver implementation

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1705072@xxxxxxxxxxxxxxxxxx>
Date: Fri, 11 Aug 2017 01:52:47 -0000
Reply-to: Bug 1705072 <1705072@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/491916
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d0ad287df397513dd7cb8dd4da0cae383c6b49b0
Submitter: Jenkins
Branch:    master

commit d0ad287df397513dd7cb8dd4da0cae383c6b49b0
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date:   Tue Aug 8 20:31:26 2017 +0000

    Unset project ids for all identity backends
    
    Previously, the default behavior for the callback that unset
    default project ids was to only call the method for the default
    domain's identity driver. This meant that when a project was deleted,
    only the default identity backend would have references to that
    project removed. This means it would be possible for other identity
    backends to still have references to a project that doesn't exist
    because the callback wasn't invoked for that specific backend.
    
    This commit ensures each backend clears project id from a user's
    default_project_id attribute when a project is deleted.
    
    Change-Id: Ibb5396f20101a3956fa91d6ff68155d4c00ab0f9
    Closes-Bug: 1705072


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1705072

Title:
  clearing default project_id from users using wrong driver
  implementation

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
  #diff-271e091a68fb7b6526431423e4efe6e5 attempts to clear the default
  project_id for users if/when the project to which that ID belongs is
  deleted. However it only calls the identity driver for a single
  backend (the default driver from /etc/keystone/keystone.conf) instead
  of doing this for all backends like it should. In a multiple-backend
  environment, this will mean that only users in the backend using the
  default driver configuration will have their default project_id field
  cleaned up. Any users in a different backend that were using that
  project_id as their default would not have that appropriately cleaned
  up.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1705072/+subscriptions

References

[Bug 1705072] [NEW] clearing default project_id from users using wrong driver implementation
From: Matthew Edmonds, 2017-07-18