
yahoo-eng-team team mailing list archive

[Bug 2053137] Re: Application credentials with a deleted role are unusable

 

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/908998
Committed: https://opendev.org/openstack/keystone/commit/63556be0e3b995a2a232a0b180c932a97736350e
Submitter: "Zuul (22348)"
Branch:    master

commit 63556be0e3b995a2a232a0b180c932a97736350e
Author: Boris Bobrov <b.bobrov@xxxxxxx>
Date:   Wed Feb 14 16:11:41 2024 +0100

    Fix operation order in role deletion
    
    Deletion of a role leads to deletion of role assignments and entries in
    the application credentials. However, deletion of the entries in
    application credentials depends on the existence of the assignment, so
    the order of deletion is important.
    
    Delete the entries from application credentials first and then clean up
    role assignment.
    
    Closes-Bug: 2053137
    Change-Id: Ibba9063c729961cd4155f8b55dbabd4789d7a438


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2053137

Title:
  Application credentials with a deleted role are unusable

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Steps to reproduce:

  1. Create role R
  2. Create an application credential with role R in it
  3. Delete role R
  4. Try to list the application credentials

  Observed: list fails with 404: Role Not Found
  Expected: not sure

  I see the following potential behaviors:
  1. The role can be removed from the application credential when the role is deleted, leaving the application credential intact; however, the application credential might remain without roles, and I am not sure what it means;
  2. The application credential could be immediately deleted when a role is deleted, because it references an invalid role;
  3. The non-existing role can stay with the application credential in the database and can simply be ignored when processing the application credential internally

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2053137/+subscriptions
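
The ordering dependency from the commit message, replayed against the four reproduction steps, as an added Python sketch that is not Keystone code and not part of the original message. `Store`, its methods and `reproduce` are hypothetical names, the data is constructed, and the model assumes that cleanup drops the whole credential and finds it through the role's assignments.

```python
# Constructed toy model, not Keystone code; every name here is hypothetical.
class RoleNotFound(Exception):
    pass  # stands in for the 404 observed in the bug report

class Store:
    def __init__(self):
        self.roles = {}           # role_id -> role name
        self.assignments = set()  # (user, project, role_id)
        self.app_creds = {}       # cred_id -> (user, project, [role_id, ...])

    def purge_app_creds(self, role_id):
        # Assumption taken from the commit message: affected credentials are
        # located through the role's assignments, so those must still exist.
        owners = {(u, p) for u, p, r in self.assignments if r == role_id}
        self.app_creds = {cid: c for cid, c in self.app_creds.items()
                          if not ((c[0], c[1]) in owners and role_id in c[2])}

    def purge_assignments(self, role_id):
        self.assignments = {a for a in self.assignments if a[2] != role_id}

    def delete_role(self, role_id, creds_first):
        steps = [self.purge_app_creds, self.purge_assignments]
        for step in (steps if creds_first else reversed(steps)):
            step(role_id)
        del self.roles[role_id]

    def list_app_creds(self, user):
        listing = []
        for cid, (owner, _project, role_ids) in self.app_creds.items():
            if owner != user:
                continue
            if any(r not in self.roles for r in role_ids):
                raise RoleNotFound(cid)  # dangling role reference
            listing.append((cid, [self.roles[r] for r in role_ids]))
        return listing

def reproduce(creds_first):
    s = Store()
    s.roles.update(r1="R", r2="member")              # 1. create role R
    s.assignments.add(("alice", "proj", "r1"))
    s.app_creds["c1"] = ("alice", "proj", ["r1"])    # 2. credential with R
    s.app_creds["c2"] = ("alice", "proj", ["r2"])    # unrelated credential
    s.delete_role("r1", creds_first)                 # 3. delete role R
    try:
        return s.list_app_creds("alice")             # 4. list credentials
    except RoleNotFound:
        return "404: Role Not Found"
```

`reproduce(False)` removes assignments first and leaves `c1` pointing at a role that no longer exists, so the listing fails; `reproduce(True)` uses the order the commit describes and the listing succeeds.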


