Using LDAP assignments, delete group doesn't remove assignments

Bug #1366211 reported by Brant Knudson
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| OpenStack Identity (keystone) | Fix Released | Low | Brant Knudson | |

Bug Description

When Keystone is configured to use the LDAP backend for assignments, if a group with a role assignment is deleted then the role assignments are not deleted as they should be.

See bug 1365787 for instructions on creating the group role assignment.

Here's an example where I set up a group role assignment:

$ openstack role assignment list
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
| Role | User | Group | Project | Domain |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
...
| fc4bf67b5d004581b375b98bbc31af38 | | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce | |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
bknudson@f1-ds:~$ openstack group delete blktest1
bknudson@f1-ds:~$ openstack role assignment list
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
| Role | User | Group | Project | Domain |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+
| fc4bf67b5d004581b375b98bbc31af38 | | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce | |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+--------+

That role assignment shouldn't be there anymore.
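An audit for the condition reported above, as an added example that is not part of the original bug report or of keystone's code: it parses the table printed by `openstack role assignment list` and flags group assignments whose group ID is not among the existing groups. The function names are hypothetical, and every ID other than the row quoted from the report is a constructed placeholder.

```python
COLUMNS = ("role", "user", "group", "project", "domain")

# Constructed sample. The middle data row is the one shown in the report;
# the 1111.../2222... IDs are made-up placeholders.
SAMPLE_TABLE = """\
+------+------+-------+---------+--------+
| Role | User | Group | Project | Domain |
+------+------+-------+---------+--------+
| fc4bf67b5d004581b375b98bbc31af38 | 11111111111111111111111111111111 | | 31e82447e7b2415f934a328e121595ce | |
| fc4bf67b5d004581b375b98bbc31af38 | | ae467ef324584807894ab52566db41f4 | 31e82447e7b2415f934a328e121595ce | |
| fc4bf67b5d004581b375b98bbc31af38 | | 22222222222222222222222222222222 | 31e82447e7b2415f934a328e121595ce | |
+------+------+-------+---------+--------+
"""

# Constructed: IDs of the groups that still exist (e.g. from `openstack group list`).
EXISTING_GROUPS = {"22222222222222222222222222222222"}


def parse_assignment_table(text):
    """Turn the ASCII table into a list of dicts keyed by COLUMNS."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        # Skip borders (+---+), shell prompts and "..." elisions.
        if not (line.startswith("|") and line.endswith("|")):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) != len(COLUMNS):
            continue
        if tuple(c.lower() for c in cells) == COLUMNS:
            continue  # header row
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def orphaned_group_assignments(assignments, existing_group_ids):
    """Return group assignments that reference a group ID that no longer exists."""
    existing = set(existing_group_ids)
    return [a for a in assignments if a["group"] and a["group"] not in existing]


if __name__ == "__main__":
    for a in orphaned_group_assignments(parse_assignment_table(SAMPLE_TABLE), EXISTING_GROUPS):
        print("orphaned: role %(role)s -> deleted group %(group)s on project %(project)s" % a)
```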

Brant Knudson (blk-u) wrote :

There's an odd comment in keystone.assignment.backends.ldap for delete_group[1] that says that assignments would already be deleted, but by my testing the assignment isn't already deleted.

[1] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/ldap.py#n289

Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119630

Changed in keystone:
status: New → In Progress

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/119631

Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
importance: Medium → Low
Dolph Mathews (dolph)
tags: added: juno-rc-potential

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/119630
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8fd1aa433e30909cf5194ffd982fe55590568439
Submitter: Jenkins
Branch: master

commit 8fd1aa433e30909cf5194ffd982fe55590568439
Author: Brant Knudson <email address hidden>
Date: Sun Sep 7 09:49:24 2014 -0500

    Add characterization test for cleanup role assignments for group

    There was no test that showed that when a group is deleted the
    role assignments for the group are expected to also be removed.
    The test shows that the role assignments are not removed for the
    LDAP and KVS assignment backends.

    Change-Id: I7a11edcf516740fd2e73f0482ce6bbd67f5ab23f
    Partial-Bug: #1366211

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/119631
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2379360d32b0abf3fd92e391fc42c3ff3d3368e0
Submitter: Jenkins
Branch: master

commit 2379360d32b0abf3fd92e391fc42c3ff3d3368e0
Author: Brant Knudson <email address hidden>
Date: Sun Sep 7 10:12:48 2014 -0500

    Fix delete group cleans up role assignments with LDAP

    When the LDAP assignment backend was used and a group was deleted,
    the role assignments for the group were not getting cleaned up. The
    role assignments for the group should have been removed along with the
    group.

    Change-Id: Ie506659c2b21e6a816335b00642fa4d0921a184d
    Closes-Bug: #1366211

Changed in keystone:
status: In Progress → Fix Committed

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122037

Dolph Mathews (dolph)
Changed in keystone:
milestone: none → juno-rc1
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-rc1 → 2014.2