OpenStack Identity (keystone)

System role assignments exist after removing users

Series queens
Bug #1749264

Bug #1749264 reported by Lance Bragstad on 2018-02-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Lance Bragstad	OpenStack Identity (keystone) rocky-1
	Queens	Fix Committed	High	Lance Bragstad	OpenStack Identity (keystone) queens-rc2

Bug Description

Keystone cleans up role assignments a user has on projects and domains when deleting the user. This isn't true for system role assignments. Instead, they are left after the user is deleted. I recreate the issue by doing the following with a basic devstack install:

$ openstack user create bob
$ openstack role add --user bob --system all admin
$ openstack role assignment list --names (bob will have a role assignment on the system)
$ openstack user delete bob
$ openstack role assignment list --names (an empty assignment will exist on the system)

Paste recreating the issue [0].

[0] http://paste.openstack.org/raw/671038/

Tags:

Lance Bragstad (lbragstad) on 2018-02-13

Changed in keystone:
milestone:	none → queens-rc2
status:	New → Triaged
importance:	Undecided → High

Lance Bragstad (lbragstad) on 2018-02-13

tags:

added: queens-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-13: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/544067

Changed in keystone:
assignee:	nobody → Lance Bragstad (lbragstad)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-13: Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544098

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-13:

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544099

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-14: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/544067
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=25596b874ce5b70a29ca53a95060f835fa1da955
Submitter: Zuul
Branch: master

commit 25596b874ce5b70a29ca53a95060f835fa1da955
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 20:10:00 2018 +0000

Expose bug in system assignment when deleting users

    Project and domain role assignment are cleaned up when deleting
    users. This commit introduces a test case that shows this isn't the
    case for system role assignments. A subsequent patch will implement
    a fix to make sure system role assignments are removed when users
    are deleted, to be consistent with project and domain assignments.

Change-Id: I1a1e7395f462159037e939aa143e9e24aefb1841
Partial-Bug: 1749264

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-14:

Reviewed: https://review.openstack.org/543622
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3a3b3c5b5a35c93b9f3df79887805956208eaf5f
Submitter: Zuul
Branch: master

commit 3a3b3c5b5a35c93b9f3df79887805956208eaf5f
Author: Lance Bragstad <email address hidden>
Date: Mon Feb 12 21:23:45 2018 +0000

Delete system role assignments when deleting users

    Keystone removes role assignments that users have on projects and
    domains when deleting users. This should also apply to system role
    assignments, too.

Change-Id: Ied51b9c3b58714b2d5dbcb933eca1839d1351fc7
Closes-Bug: 1749264

Changed in keystone:
status:	In Progress → Fix Released

Lance Bragstad (lbragstad) on 2018-02-14

Changed in keystone:
milestone:	queens-rc2 → rocky-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-14: Fix merged to keystone (stable/queens)

Reviewed: https://review.openstack.org/544098
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=298f4458bafcb73be23a2812cc2cdda32ff38ce8
Submitter: Zuul
Branch: stable/queens

commit 298f4458bafcb73be23a2812cc2cdda32ff38ce8
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 20:10:00 2018 +0000

Expose bug in system assignment when deleting users

    Change-Id: I1a1e7395f462159037e939aa143e9e24aefb1841
    Partial-Bug: 1749264
    (cherry picked from commit 25596b874ce5b70a29ca53a95060f835fa1da955)

tags:

added: in-stable-queens

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-14:

Reviewed: https://review.openstack.org/544099
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=445837fd8bc89bbf0ade3abbfa21074a6c377581
Submitter: Zuul
Branch: stable/queens

commit 445837fd8bc89bbf0ade3abbfa21074a6c377581
Author: Lance Bragstad <email address hidden>
Date: Mon Feb 12 21:23:45 2018 +0000

Delete system role assignments when deleting users

    Keystone removes role assignments that users have on projects and
    domains when deleting users. This should also apply to system role
    assignments, too.

    Change-Id: Ied51b9c3b58714b2d5dbcb933eca1839d1351fc7
    Closes-Bug: 1749264
    (cherry picked from commit 3a3b3c5b5a35c93b9f3df79887805956208eaf5f)