yahoo-eng-team team mailing list archive
Message #77533
[Bug 1810393] Re: shadow user cache is not cleaned when the related idp is deleted.
** Also affects: keystone/rocky
Importance: Undecided
Status: New
** Also affects: keystone/stein
Importance: Low
Assignee: wangxiyuan (wangxiyuan)
Status: Fix Released
** Changed in: keystone/rocky
Status: New => In Progress
** Changed in: keystone/rocky
Importance: Undecided => High
** Changed in: keystone/rocky
Assignee: (unassigned) => Colleen Murphy (krinkle)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1810393
Title:
shadow user cache is not cleaned when the related idp is deleted.
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) rocky series:
In Progress
Status in OpenStack Identity (keystone) stein series:
Fix Released
Bug description:
This bug was found in the keystone tempest CI job when adding the domain
clean-up step: https://review.openstack.org/#/c/579063/
tempest error log:
ft1.2: keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2EcpFederatedAuthentication.test_request_unscoped_token_StringException: pythonlogging:'': {{{
2019-01-03 02:34:45,765 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:setUp): 201 PUT http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest 0.130s
2019-01-03 02:34:45,766 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: {"identity_provider": {"remote_ids": ["https://samltest.id/saml/idp"], "enabled": true}}
Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 03 Jan 2019 02:34:45 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'x-openstack-request-id': 'req-d596a054-3b42-4580-88e0-d9f6cfe9be8f', u'content-length': '373', 'content-location': 'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest', u'vary': 'X-Auth-Token', 'status': '201'}
Body: {"identity_provider": {"description": null, "links": {"self": "http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest", "protocols": "http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols"}, "enabled": true, "domain_id": "e14d592e135046f180f94931c2f5f339", "id": "samltest", "remote_ids": ["https://samltest.id/saml/idp"]}}
2019-01-03 02:34:45,865 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:setUp): 201 PUT http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9 0.098s
2019-01-03 02:34:45,866 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: {"mapping": {"rules": [{"remote": [{"type": "uid"}], "local": [{"user": {"name": "{0}"}}, {"group": {"domain": {"name": "federated_domain"}, "name": "federated_users"}}]}]}}
Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 03 Jan 2019 02:34:45 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'x-openstack-request-id': 'req-424b858c-57d1-4693-a5ea-2fb5a1d13b57', u'content-length': '326', 'content-location': 'http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9', u'vary': 'X-Auth-Token', 'status': '201'}
Body: {"mapping": {"rules": [{"remote": [{"type": "uid"}], "local": [{"user": {"name": "{0}"}}, {"group": {"domain": {"name": "federated_domain"}, "name": "federated_users"}}]}], "id": "8269b21476554bbdb196d7251d8566b9", "links": {"self": "http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9"}}}
2019-01-03 02:34:45,918 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:setUp): 201 PUT http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped 0.051s
2019-01-03 02:34:45,919 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: {"protocol": {"mapping_id": "8269b21476554bbdb196d7251d8566b9"}}
Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 03 Jan 2019 02:34:45 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'x-openstack-request-id': 'req-b4cab609-d78f-43b1-9dd7-4039f2b08182', u'content-length': '259', 'content-location': 'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped', u'vary': 'X-Auth-Token', 'status': '201'}
Body: {"protocol": {"mapping_id": "8269b21476554bbdb196d7251d8566b9", "id": "mapped", "links": {"self": "http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped", "identity_provider": "http://38.108.68.96/identity/v3/samltest"}}}
2019-01-03 02:34:46,210 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped 0.050s
2019-01-03 02:34:46,210 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: None
Response - Headers: {'content-location': 'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped', u'x-openstack-request-id': 'req-10dee6dc-dec0-4383-8aea-bbf097c5279b', u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
Body:
2019-01-03 02:34:46,256 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9 0.045s
2019-01-03 02:34:46,257 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: None
Response - Headers: {'content-location': 'http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9', u'x-openstack-request-id': 'req-989f407c-9b99-4a05-a92d-34deb01bedc0', u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
Body:
2019-01-03 02:34:46,306 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest 0.048s
2019-01-03 02:34:46,306 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: None
Response - Headers: {'content-location': 'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest', u'x-openstack-request-id': 'req-06795a5c-eddd-49e5-85c9-7ce85942b12e', u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
Body:
2019-01-03 02:34:46,400 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 200 PATCH http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339 0.093s
2019-01-03 02:34:46,400 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: {"domain": {"enabled": false}}
Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'x-openstack-request-id': 'req-ebfc5cdc-af5e-45fd-bca3-f500012489a1', u'content-length': '306', 'content-location': 'http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339', u'vary': 'X-Auth-Token', 'status': '200'}
Body: {"domain": {"description": "Auto generated federated domain for Identity Provider: samltest", "links": {"self": "http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339"}, "tags": [], "enabled": false, "id": "e14d592e135046f180f94931c2f5f339", "name": "e14d592e135046f180f94931c2f5f339"}}
2019-01-03 02:34:46,656 4283 INFO [tempest.lib.common.rest_client] Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339 0.255s
2019-01-03 02:34:46,657 4283 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 'Content-Type': 'application/json'}
Body: None
Response - Headers: {'content-location': 'http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339', u'x-openstack-request-id': 'req-41df84a1-40f5-4105-9034-1ed63d91dc43', u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
Body:
}}}
Traceback (most recent call last):
  File "/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 168, in test_request_unscoped_token
    self._request_unscoped_token()
  File "/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py", line 159, in _request_unscoped_token
    self.assertEqual(http_client.CREATED, resp.status_code)
  File "/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py", line 411, in assertEqual
    self.assertThat(observed, matcher, message)
  File "/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py", line 498, in assertThat
    raise mismatch_error
testtools.matchers._impl.MismatchError: 201 != 404
The reason is that once the identity protocol is deleted, the related shadow users are cascade-deleted, but the related federation auth cache is not cleaned. So once the same idp and protocol are created during the caching time, the cached user, which is already deleted, will always be returned.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1810393/+subscriptions
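The stale-cache sequence described in the bug report, as an added example that is not keystone code and not part of the original message: FederationStore, its methods and the user name "alice" are hypothetical, and the 201/404 return values mirror the statuses in the tempest log. It contrasts a cascade delete that leaves the lookup cache untouched with one that invalidates the affected keys.

```python
import uuid


class FederationStore:
    """Toy stand-in for a federation backend with a lookup cache (hypothetical)."""

    def __init__(self, invalidate_on_delete):
        self.invalidate_on_delete = invalidate_on_delete
        self.users = {}   # "database": user_id -> (idp, protocol, unique_id)
        self.by_key = {}  # "database": (idp, protocol, unique_id) -> user_id
        self.cache = {}   # memoized lookups, same key -> user_id

    def delete_protocol(self, idp_id, protocol_id):
        # Cascade delete: shadow users tied to the protocol are removed.
        for key in [k for k in self.by_key if k[:2] == (idp_id, protocol_id)]:
            del self.users[self.by_key.pop(key)]
            if self.invalidate_on_delete:
                self.cache.pop(key, None)  # the step the bug report says is missing

    def _find_shadow_user(self, key):
        if key not in self.cache:
            if key not in self.by_key:
                return None
            self.cache[key] = self.by_key[key]
        return self.cache[key]  # may be an id whose row no longer exists

    def authenticate(self, idp_id, protocol_id, unique_id):
        """Return 201 when a token can be issued, 404 when the user is gone."""
        key = (idp_id, protocol_id, unique_id)
        user_id = self._find_shadow_user(key)
        if user_id is None:  # first login: create the shadow user
            user_id = uuid.uuid4().hex
            self.users[user_id] = key
            self.by_key[key] = user_id
            self.cache[key] = user_id
        return 201 if user_id in self.users else 404


def run_scenario(invalidate_on_delete):
    """Log in, delete the protocol, recreate it, log in again within cache time."""
    store = FederationStore(invalidate_on_delete)
    first = store.authenticate("samltest", "mapped", "alice")  # constructed user
    store.delete_protocol("samltest", "mapped")
    # Recreating the idp/protocol needs no extra state in this model.
    second = store.authenticate("samltest", "mapped", "alice")
    return first, second


if __name__ == "__main__":
    print("no invalidation:  ", run_scenario(False))
    print("with invalidation:", run_scenario(True))
```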