
yahoo-eng-team team mailing list archive

[Bug 1718747] Re: Unable to delete domain with users in it

 

Reviewed:  https://review.openstack.org/539347
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=62ee18b359cbb2e6a9469bdaac9057ef19de1bdf
Submitter: Zuul
Branch:    master

commit 62ee18b359cbb2e6a9469bdaac9057ef19de1bdf
Author: Colleen Murphy <colleen@xxxxxxxxxxx>
Date:   Tue Jan 30 23:23:15 2018 +0100

    Delete SQL users before deleting domain
    
    Since the users table has a foreign key to the projects table[1], users
    must be deleted before the domain can be deleted. However, the
    notification emitted from the domain deletion comes too late, and
    keystone runs into a foreign key reference error before it can delete
    the users. This patch addresses the problem by adding a new internal
    notification to alert the identity manager that users should be deleted.
    This uses a new notification rather than the existing notification
    because the existing one is used to alert listeners that the domain
    deletion has been fully completed, whereas this one must happen in the
    middle of the domain delete process.
    
    The callback must also only try to delete SQL users. The LDAP driver
    doesn't support deleting users, and we can't assume other drivers
    support it either. Moreover, the foreign key reference is only a problem
    for SQL users anyway.
    
    Because our backend unit tests run with SQLite and foreign keys do not
    work properly, we can't properly expose this bug in our unit tests, but
    there is an accompanying tempest test[2][3] to validate this fix.
    
    [1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141
    [2] https://review.openstack.org/#/c/509610
    [3] https://review.openstack.org/#/c/509947
    
    Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083
    Closes-bug: #1718747


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1718747

Title:
  Unable to delete domain with users in it

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) newton series:
  Won't Fix
Status in OpenStack Identity (keystone) ocata series:
  Confirmed
Status in OpenStack Identity (keystone) pike series:
  Confirmed

Bug description:
  Attempting to delete a domain which contains users and projects may
  yield an UnexpectedError similar to this

  Sep 21 19:37:17 vagrant-openSUSE-Leap devstack@keystone.service[23894]: DEBUG keystone.common.sql.core [None req-707ec264-b10c-4079-94bb-2af01db58aab None None] Conflict project: (pymysql.err.IntegrityError) (1451, u'Cannot delete or update a parent row: a foreign key constraint fails (`keystone`.`user`, CONSTRAINT `user_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `project` (`id`))') [SQL: u'DELETE FROM project WHERE project.id = %(id)s'] [parameters: {'id': u'63d2d5446e364f00b3181bf49c62c5b8'}] {{(pid=23897) wrapper /opt/stack/keystone/keystone/common/sql/core.py:550}}
  Sep 21 19:37:17 vagrant-openSUSE-Leap devstack@keystone.service[23894]: WARNING keystone.common.wsgi [None req-707ec264-b10c-4079-94bb-2af01db58aab None None] An unexpected error prevented the server from fulfilling your request.: UnexpectedError: An unexpected error prevented the server from fulfilling your request.

  Steps to reproduce:

  1. Install devstack
  2. create a domain 'foo'

    openstack domain create foo

  3. create a user in domain 'foo'

    openstack user create --password equifax --domain foo foo_user

  4. create a project in domain 'foo'

    openstack project create --domain foo foo_project

  5. enable domain user 'foo_user' access to project 'foo_project'

    openstack role add --user foo_user --project foo_project admin

  6. now disable domain 'foo'

    openstack domain set --disable foo

  7. attempt to delete domain 'foo' will yield an expected error
  mentioned above

    openstack domain delete foo


  This was introduced in:
  https://github.com/openstack/keystone/commit/2bd88d30e1d2873470af7f40db45a99e07e12ce6

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1718747/+subscriptions
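
The commit message's point that SQLite-backed unit tests cannot expose this bug can be reproduced with a constructed two-table schema. This is an added example, not keystone code: the table and column names follow the foreign key shown in the error above, and `make_db`, `delete_domain` and `run_cases` are hypothetical helpers.

```python
import sqlite3

# Constructed minimal schema: user.domain_id REFERENCES project(id),
# matching the constraint named in the IntegrityError above.
SCHEMA = """
CREATE TABLE project (id TEXT PRIMARY KEY);
CREATE TABLE user (
    id TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL REFERENCES project (id)
);
"""

def make_db(enforce_fk):
    """In-memory database holding one domain row with one user in it."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when this pragma is ON per connection.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO project VALUES ('foo')")
    conn.execute("INSERT INTO user VALUES ('foo_user', 'foo')")
    conn.commit()
    return conn

def delete_domain(conn, domain_id, users_first):
    """Try one deletion order; return (outcome, orphaned user count)."""
    try:
        with conn:  # commits on success, rolls back on error
            if users_first:
                conn.execute("DELETE FROM user WHERE domain_id = ?", (domain_id,))
            conn.execute("DELETE FROM project WHERE id = ?", (domain_id,))
        outcome = "deleted"
    except sqlite3.IntegrityError:
        outcome = "integrity_error"
    orphans = conn.execute(
        "SELECT COUNT(*) FROM user "
        "WHERE domain_id NOT IN (SELECT id FROM project)"
    ).fetchone()[0]
    return outcome, orphans

def run_cases():
    return {
        "fk_off_domain_first": delete_domain(make_db(False), "foo", False),
        "fk_on_domain_first": delete_domain(make_db(True), "foo", False),
        "fk_on_users_first": delete_domain(make_db(True), "foo", True),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

With enforcement off, the domain row is deleted and the user is left behind with a dangling `domain_id`, so a test suite in that mode passes while leaving an orphaned account row.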

