DELETE project API is failing in forbidden(403) error message

One possible solution would be to except the Forbidden [0], log a message, and continue on. I'm not sure how much sense it makes to do anything in that case since we don't support writable LDAP.

Keystone must have been configured for ldap as the identity backend and sql as the resource backend, right?

[0] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/identity/backends/ldap/core.py#L157

This is very similar to another bug we had opened recently [0]. We might be able to close this bug as a duplicate of 1705072 if we take steps similar to what I outlined in comment #2 [1].

[0] https://bugs.launchpad.net/keystone/+bug/1705072
[1] https://bugs.launchpad.net/keystone/+bug/1705072/comments/2

I think the solution here is just to "pass" in the ldap driver impementation instead of calling _disallow_write. This is specific to the LDAP driver and not really tied to the other bug.

I would assume the callback to understand the drivers it needs to call, somehow. In the event it detects an LDAP driver it can continue to the next driver, knowing it will fail.

We use a similar pattern with the token providers and persistence. Each token provider implements a persistence property that return True or False depending on if the token needs to be written somewhere. This makes it so the manager understand if it needs to pull the token reference before handing it to the token provider. We could use a similar pattern here. This would also leave things open enough for people writing their own backends (all they have to do is implement the property and the callback does the right thing).

Based on some discussion in IRC - I've opened this up as a ML thread [0] to get some more feedback from the API-WG. The proper solution to this fix will result in a 403 -> 204 status code change.

[0] http://lists.openstack.org/pipermail/openstack-dev/2017-August/120678.html

Relevant IRC logs where this was discussed:

#openstack-keystone: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-08-04.log.html#t2017-08-04T16:37:48
#openstack-tc: http://eavesdrop.openstack.org/irclogs/%23openstack-tc/%23openstack-tc.2017-08-04.log.html#t2017-08-04T18:09:45

this is due to a bug introduced in Pike, so NOT fixing this would be breaking the API guidelines (changing the response from 2xx to 403). Need to fix this before Pike goes out.

Fix proposed to branch: master
Review: https://review.openstack.org/491546

Reviewed: https://review.openstack.org/491546
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b068d71b59c092820b1e78dd87a3fb00b40802eb
Submitter: Jenkins
Branch: master

commit b068d71b59c092820b1e78dd87a3fb00b40802eb
Author: Lance Bragstad <email address hidden>
Date: Mon Aug 7 20:29:08 2017 +0000

    Except forbidden when clearing default project IDs

    The identity backend registers a callback that listens for when a
    project is deleted. When it receives a notification, it uses the
    project ID send in the notification and removes all references to it
    from the identity backend, where users might have it referenced in
    their `default_project_id` attribute. The original fix for this did
    not account for LDAP backends being read-only. This caused an issue
    where DELETE /v3/projects/{project_id} actually caused an HTTP 403
    Forbidden exception because the LDAP backend wasn't writeable,
    despite that project actually being deleted.

    This change makes the identity API manager handle the exception
    and tests it specifically for LDAP, or read-only, backends.

    Change-Id: I16f4fcb289dad2fe752f3188476329c95cf777c9
    Closes-Bug: 1705081

This issue was fixed in the openstack/keystone 12.0.0.0rc1 release candidate.