yahoo-eng-team team mailing list archive
Message #81310
[Bug 1859759] [NEW] Keystone is unable to remove role-assignment for deleted LDAP users
Public bug reported:
We are experiencing issues when trying to remove role-assignments for
users that were in our LDAP catalog but have now been deleted. We use LDAP as
a read-only source of usernames/passwords, and the rest is stored in
keystone's MySQL database. We are currently running keystone version
15.0.0-0ubuntu1.2~cloud0.
When listing role-assignments we get something like this:
$ openstack role assignment list --project project --names
+------------------+-----------------------+-------+---------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+------------------+-----------------------+-------+---------------------+--------+--------+-----------+
| _member_ | @ | | project@LDAP-DOMAIN | | | False |
| _member_ | @ | | project@LDAP-DOMAIN | | | True |
| heat_stack_owner | @ | | project@LDAP-DOMAIN | | | False |
| heat_stack_owner | @ | | project@LDAP-DOMAIN | | | True |
| _member_ | @ | | project@LDAP-DOMAIN | | | False |
| _member_ | @ | | project@LDAP-DOMAIN | | | True |
| heat_stack_owner | @ | | project@LDAP-DOMAIN | | | False |
| heat_stack_owner | @ | | project@LDAP-DOMAIN | | | True |
| _member_ | defaultuser@Default | | project@LDAP-DOMAIN | | | False |
| _member_ | defaultuser@Default | | project@LDAP-DOMAIN | | | True |
| heat_stack_owner | defaultuser@Default | | project@LDAP-DOMAIN | | | False |
| heat_stack_owner | defaultuser@Default | | project@LDAP-DOMAIN | | | True |
| _member_ | ldapuser@LDAP-DOMAIN | | project@LDAP-DOMAIN | | | False |
| _member_ | ldapuser@LDAP-DOMAIN | | project@LDAP-DOMAIN | | | True |
| heat_stack_owner | ldapuser@LDAP-DOMAIN | | project@LDAP-DOMAIN | | | False |
| heat_stack_owner | ldapuser@LDAP-DOMAIN | | project@LDAP-DOMAIN | | | True |
+------------------+-----------------------+-------+---------------------+--------+--------+-----------+
Here the first 8 lines represent roles of two different users deleted
from LDAP. Listing the assignments without --names will give me the
users' IDs:
$ openstack role assignment list --project project --names
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | 0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| c5b14c3cf7014b4faa1aed52b36291f1 | 0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| c5b14c3cf7014b4faa1aed52b36291f1 | 0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| 9fe2ff9ee4384b1894a90878d3e92bab | 10e5b026e981c99e50dcb9c73d5860ed75a2e292acdf4cd9f3e06283820a84b0 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | 10e5b026e981c99e50dcb9c73d5860ed75a2e292acdf4cd9f3e06283820a84b0 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| c5b14c3cf7014b4faa1aed52b36291f1 | 10e5b026e981c99e50dcb9c73d5860ed75a2e292acdf4cd9f3e06283820a84b0 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| c5b14c3cf7014b4faa1aed52b36291f1 | 10e5b026e981c99e50dcb9c73d5860ed75a2e292acdf4cd9f3e06283820a84b0 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| 9fe2ff9ee4384b1894a90878d3e92bab | abaa86ee4b7d48b2aafb1d31125108c6 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | abaa86ee4b7d48b2aafb1d31125108c6 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| c5b14c3cf7014b4faa1aed52b36291f1 | abaa86ee4b7d48b2aafb1d31125108c6 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| c5b14c3cf7014b4faa1aed52b36291f1 | abaa86ee4b7d48b2aafb1d31125108c6 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| 9fe2ff9ee4384b1894a90878d3e92bab | bcd2364027255505c8c471139e92f75e78446641bbeb6ee18a279d730947be46 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | bcd2364027255505c8c471139e92f75e78446641bbeb6ee18a279d730947be46 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
| c5b14c3cf7014b4faa1aed52b36291f1 | bcd2364027255505c8c471139e92f75e78446641bbeb6ee18a279d730947be46 | | 03b552df38d249f1b88a6cda1c008bcd | | | False |
| c5b14c3cf7014b4faa1aed52b36291f1 | bcd2364027255505c8c471139e92f75e78446641bbeb6ee18a279d730947be46 | | 03b552df38d249f1b88a6cda1c008bcd | | | True |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
Trying to delete the roles for one of the deleted users simply gives me
an error message stating that the user doesn't exist:
$ openstack role remove --user 0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5 --project 03b552df38d249f1b88a6cda1c008bcd _member_
No user with a name or ID of '0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5' exists.
I have an understanding of the reasons why role-assignments and id-
mappings are not cleaned automatically, to allow the user to get its old roles
back if it reappears; but as an administrator I should be able to remove a
role-assignment to prevent a re-appearing user from getting access to a
certain project.
** Affects: keystone
Importance: Undecided
Status: New
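An audit script, added here as an illustration and not part of the bug report or of keystone itself, that finds role assignments whose user ID no longer resolves to a user the identity backend reports. It assumes the JSON shape of `openstack role assignment list --project <id> -f json` and `openstack user list -f json`; the sample rows below are constructed from the IDs in the listing above.

```python
"""Find role assignments in a project that point at users who no longer
resolve (e.g. users removed from a read-only LDAP backend).

Assumed inputs (not shown on the bug page):
  openstack role assignment list --project <id> -f json
  openstack user list -f json
"""
from collections import defaultdict

# Constructed sample: the 16 rows of the listing in the bug report.
ROLES = ["9fe2ff9ee4384b1894a90878d3e92bab", "c5b14c3cf7014b4faa1aed52b36291f1"]
USERS = [
    "0f9389d48ed88c24656981beb9605c56346bdbf3a90420a9628db62c1e6241e5",
    "10e5b026e981c99e50dcb9c73d5860ed75a2e292acdf4cd9f3e06283820a84b0",
    "abaa86ee4b7d48b2aafb1d31125108c6",
    "bcd2364027255505c8c471139e92f75e78446641bbeb6ee18a279d730947be46",
]
PROJECT = "03b552df38d249f1b88a6cda1c008bcd"
ASSIGNMENTS = [
    {"Role": r, "User": u, "Group": "", "Project": PROJECT,
     "Domain": "", "System": "", "Inherited": inh}
    for u in USERS for r in ROLES for inh in (False, True)
]
# Constructed: only these two users are still returned by `openstack user list`.
KNOWN_USERS = [
    {"ID": "abaa86ee4b7d48b2aafb1d31125108c6", "Name": "defaultuser"},
    {"ID": USERS[3], "Name": "ldapuser"},
]


def orphaned_assignments(assignments, known_user_ids):
    """Group assignments by user ID for users absent from known_user_ids.

    Returns {user_id: [(role_id, project_id, inherited), ...]}.
    Rows with an empty User column are group assignments and are skipped.
    """
    orphans = defaultdict(list)
    for a in assignments:
        user = a.get("User") or ""
        if not user or user in known_user_ids:
            continue
        orphans[user].append((a["Role"], a["Project"], bool(a["Inherited"])))
    return dict(orphans)


def audit(assignments, users):
    """Convenience wrapper taking the two CLI JSON documents as parsed lists."""
    return orphaned_assignments(assignments, {u["ID"] for u in users})


if __name__ == "__main__":
    for user, grants in audit(ASSIGNMENTS, KNOWN_USERS).items():
        print(f"orphaned user {user}: {len(grants)} assignment(s)")
        for role, project, inherited in grants:
            print(f"  role={role} project={project} inherited={inherited}")
```

The two 64-character IDs are the ones reported as orphaned; each still carries four assignments (two roles, direct and inherited) that would grant access again if the user reappeared under the same mapping.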
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1859759
Title:
Keystone is unable to remove role-assignment for deleted LDAP users
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1859759/+subscriptions