trust still exist in the DB when the trustor/trustee/project is deleted

Bug #1622310 reported by Dave Chen
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Low
Assigned to: Dave Chen

Bug Description

When a trust is created, it requires that the trustee and trustor exist in the DB, but when the associated user or project is deleted, the trust still exists in the DB.

The trust left in the DB is useless and won't be used any longer: since the id of the user/project is a random number assigned when it is created, it is not likely the trust will be effective in the future.

How to reproduce:
$ openstack user create trustor --password abc123
$ openstack user create trustee --password abc123
$ openstack project create trust_project
# Add role service to project trust with user trustor
$ openstack role add 9cf8420ea5324f79b9d740e3ce5f0e04 --project 2c455f8756d04b9485ec0b344c0e2089 --user 3e56ae62d1c94ead9fe9a4b31aaee070
$ curl -g -i -X POST -H "Accept: application/json" -H "X-Auth-Token: 94d06939e65243f99cbfcf331bdf3e0b" -H "Content-Type: application/json" -d '{
    "trust": {
        "expires_at": "2017-02-27T18:30:59.999999Z",
        "impersonation": true,
        "allow_redelegation": true,
        "project_id": "2c455f8756d04b9485ec0b344c0e2089",
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "9147c64ef0624477bfc9dba818aa569c",
        "trustor_user_id": "3e56ae62d1c94ead9fe9a4b31aaee070",
        "redelegation_count": 3
    }
}' http://10.239.159.68:5000/v3/OS-TRUST/trusts
$ openstack user delete trustor
$ openstack trust list
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| ID | Expires At | Impersonation | Project ID | Trustee User ID | Trustor User ID |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| e7491ab063e247b6ad072b562 | 2017-02-27T18:30:59.00000 | True | 2c455f8756d04b9485ec0b344 | 9147c64ef0624477bfc9dba81 | 3e56ae62d1c94ead9fe9a4b31 |
| b32e37e | 0Z | | c0e2089 | 8aa569c | aaee070 |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+

Dave Chen (wei-d-chen)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/368422

Changed in keystone:
assignee: nobody → Dave Chen (wei-d-chen)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/369354

Steve Martinelli (stevemar) wrote :

Marking this as low; we've lived with this behaviour for many releases and no end-users have created bugs about this issue.

Changed in keystone:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/384444

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dave Chen (<email address hidden>) on branch: master
Review: https://review.openstack.org/368422
Reason: In favor of this one: https://review.openstack.org/#/c/384444/

Changed in keystone:
assignee: Dave Chen (wei-d-chen) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Dave Chen (wei-d-chen)
milestone: none → ocata-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/369354
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=52642cc562f9398a145eda49b832fd55e39377fb
Submitter: Jenkins
Branch: master

commit 52642cc562f9398a145eda49b832fd55e39377fb
Author: Dave Chen <email address hidden>
Date: Tue Sep 13 19:00:11 2016 +0800

    Invalidate trust when the trustor or trustee is deleted

    A trust without a valid trustee or trustor is useless and will
    no longer be active, since the id of the user is a random number
    and is only assigned when it is created.

    The patch deletes the trust if the related trustee or trustor is
    deleted, if the user is maintained by keystone.

    Change-Id: I67dac6b7bac8cb94575ceda4a3277847a2bcc2d8
    Partial-Bug: #1622310

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/384444
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f0319c752aab6241b0b2aa52e4e91c17878f98d9
Submitter: Jenkins
Branch: master

commit f0319c752aab6241b0b2aa52e4e91c17878f98d9
Author: Dave Chen <email address hidden>
Date: Mon Oct 10 19:29:31 2016 +0800

    Invalidate trust when the related project is deleted

    A trust without a valid project is useless and will no longer
    be active, since the id of the project is a random number and is
    only assigned when it is created.

    The patch invalidates the trust if the related project is deleted.

    Change-Id: I51214c46ef5332c159b1e18bbd7046d12aba4a65
    Closes-Bug: #1622310

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b1

This issue was fixed in the openstack/keystone 11.0.0.0b1 development milestone.
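
For deployments that ran releases before this fix, trust rows created earlier may still point at deleted users or projects. The following audit is an added example, not code from keystone or from this report: it takes already-fetched trust records plus the sets of existing user and project IDs and reports which reference each stale trust is missing. The function name, the placeholder trust IDs and the second user ID are assumptions; the field names and the other IDs come from the reproduction steps above.

```python
"""Audit for trusts whose trustor, trustee or project no longer exists."""

# Field names follow the trust body shown in the report
# (trustor_user_id, trustee_user_id, project_id). How the trust, user and
# project listings are fetched is left out; pass them in as plain data.


def find_orphaned_trusts(trusts, user_ids, project_ids):
    """Return {trust_id: [missing reference fields]} for every trust that
    points at a user or project absent from the supplied ID sets."""
    users = set(user_ids)
    projects = set(project_ids)
    orphaned = {}
    for trust in trusts:
        missing = [field
                   for field in ("trustor_user_id", "trustee_user_id")
                   if trust[field] not in users]
        # project_id is optional on a trust; only check it when it is set.
        project_id = trust.get("project_id")
        if project_id is not None and project_id not in projects:
            missing.append("project_id")
        if missing:
            orphaned[trust["id"]] = missing
    return orphaned


# Constructed sample data. TRUSTOR, TRUSTEE and PROJECT are the IDs used in
# the report's reproduction steps; OTHER_USER and the trust IDs are
# placeholders made up for this example.
TRUSTOR = "3e56ae62d1c94ead9fe9a4b31aaee070"
TRUSTEE = "9147c64ef0624477bfc9dba818aa569c"
PROJECT = "2c455f8756d04b9485ec0b344c0e2089"
OTHER_USER = "constructed-user-id"

SAMPLE_TRUSTS = [
    {"id": "constructed-trust-1", "trustor_user_id": TRUSTOR,
     "trustee_user_id": TRUSTEE, "project_id": PROJECT},
    {"id": "constructed-trust-2", "trustor_user_id": OTHER_USER,
     "trustee_user_id": TRUSTEE, "project_id": None},
]

if __name__ == "__main__":
    # State after `openstack user delete trustor`: the trustor is gone.
    stale = find_orphaned_trusts(SAMPLE_TRUSTS, {TRUSTEE, OTHER_USER}, {PROJECT})
    for trust_id, missing in stale.items():
        print(trust_id, "references missing:", ", ".join(missing))
```

The user ID set has to cover every domain and identity backend in use; the merged change only deletes trusts for users maintained by keystone, so a user held in an external backend that is absent from the listing would be reported here as missing.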
