LDAP Identity Driver does not call delete_user or delete_group on the LDAP assignment api

Bug #1222675 reported by Morgan Fainberg
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Brant Knudson

Bug Description

Likely the call to assignment_api.delete_user and assignment_api.delete_group should be moved to the identity manager to ensure it is called every time. The user_ref should also be passed to the assignment_api instead of just the user_id, so that the assignment_api has no need to do a lookup via identity_api (if required).

The kvs identity driver does not call delete_user on assignment_api.
The kvs identity driver does not call delete_group on assignment_api.
The ldap identity driver does not call delete_group on assignment_api.

Tests should be added as well to confirm the assignment_api methods are called.

Related: Should delete_user, when called with the PAM identity driver, still call assignment_api.delete_user? It would seem logical that it could be used to clean up all assignments, and just handle the NotImplemented "deletion" from the identity store. If this is a valid use-case, the PAM identity driver does not call assignment_api.delete_user or delete_group when expected. This might also just warrant a deprecation of the PAM backend for a more feature-rich backend (such as SSSD/IPA) and ignoring this shortcoming.

Tags: ldap
description: updated
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Looking into this further, KVS appears to be a non-issue as it (in most cases) shares a single in-memory DB. Though for correctness, it probably should still do so.

Dolph Mathews (dolph) wrote :

assignment_api.delete_user and assignment_api.delete_group are also not very intuitively named :( they handle the consequences of deleting users & groups, rather than actually deleting a user or group.

Morgan Fainberg (mdrnstm) wrote :

Yeah, that is sub-optimal as well. Likely, this should just be renamed when moved to the manager.

Adam Young (ayoung)
summary: - Some Identity Drivers do not call delete_user or delete_group on the
- assignment api when expected
+ LDAP Identity Driver does not call delete_user or delete_group on the
+ LDAP assignment api
Changed in keystone:
importance: Undecided → Medium
status: New → Confirmed
milestone: none → next
Changed in keystone:
assignee: nobody → Pablo Fernando Cargnelutti (pablo-fernando-cargnelutti)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/80368

Changed in keystone:
status: Confirmed → In Progress
Dolph Mathews (dolph)
tags: added: ldap
Changed in keystone:
assignee: Pablo Fernando Cargnelutti (pablo-fernando-cargnelutti) → Morgan Fainberg (mdrnstm)
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: master
Review: https://review.openstack.org/80368
Reason: Will come back to this change down the road.

Brant Knudson (blk-u)
Changed in keystone:
assignee: Morgan Fainberg (mdrnstm) → Brant Knudson (blk-u)
milestone: next → juno-rc1
importance: Medium → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119629

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/119629
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5e8845bc179e969d0e2bf38298dc2eef348e6393
Submitter: Jenkins
Branch: master

commit 5e8845bc179e969d0e2bf38298dc2eef348e6393
Author: Brant Knudson <email address hidden>
Date: Sun Sep 7 11:05:44 2014 -0500

    Fix using local ID to clean up user/group assignments

    When using ID mapping and a user or group is deleted, the mapped id
    was being passed to the assignment backend when it's told to clean up
    the role assignments for the user or group. The role assignments are
    based on the external ID and not the mapped ID, so the role
    assignments wouldn't be cleaned up.

    With this change, the external ID is passed to the assignment backend
    methods.

    Change-Id: I4405329df509f81c9c1178e91092955b16cd586b
    Closes-Bug: #1222675
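
The two points made in this thread, that assignment cleanup should happen once in the identity manager rather than in each driver, and that the assignment backend must receive the external ID rather than the mapped ID, can be shown with a small model. The following is an added illustration and not keystone's code: the classes IdMapping, AssignmentStore, IdentityStore and IdentityManager and the sample DNs and IDs are hypothetical, and only the assignment_api.delete_user / delete_group names follow the thread. The security-relevant outcome is the orphaned role assignment: a deleted principal's grants survive in the assignment store, and in this model they attach to whatever principal later carries the same external ID.

```python
"""Simplified model of the user/group deletion path discussed in this bug.

Added illustration, not keystone's implementation. All class names, DNs and
public IDs below are constructed; only assignment_api.delete_user/delete_group
are names from the thread.
"""


class IdMapping:
    """Hypothetical ID-mapping layer: public (mapped) ID -> external ID."""

    def __init__(self):
        self._public_to_external = {}

    def register(self, external_id, public_id):
        self._public_to_external[public_id] = external_id

    def external_id(self, public_id):
        # Backends without mapping use the same ID on both sides.
        return self._public_to_external.get(public_id, public_id)


class AssignmentStore:
    """Hypothetical assignment backend; role assignments are keyed by external ID."""

    def __init__(self):
        self.assignments = set()  # entries are (actor_id, target, role)

    def grant(self, actor_id, target, role):
        self.assignments.add((actor_id, target, role))

    def list_for(self, actor_id):
        return {a for a in self.assignments if a[0] == actor_id}

    # As noted in the thread, these only handle the consequences of a deletion
    # (dropping the actor's assignments); they do not delete the user or group.
    def delete_user(self, actor_id):
        self.assignments -= self.list_for(actor_id)

    def delete_group(self, actor_id):
        self.assignments -= self.list_for(actor_id)


class IdentityStore:
    """Hypothetical identity driver (LDAP/KVS stand-in), keyed by external ID."""

    def __init__(self):
        self.users = {}
        self.groups = {}

    def delete_user(self, external_id):
        del self.users[external_id]

    def delete_group(self, external_id):
        del self.groups[external_id]


class IdentityManager:
    """Manager layer: performs assignment cleanup once, for every driver.

    pass_external_id=False reproduces the defect from the commit message (the
    mapped ID reaches the assignment backend); True is the corrected behaviour.
    """

    def __init__(self, identity, assignment, mapping, pass_external_id):
        self.identity_api = identity
        self.assignment_api = assignment
        self.id_mapping = mapping
        self.pass_external_id = pass_external_id

    def _cleanup_id(self, public_id):
        if self.pass_external_id:
            return self.id_mapping.external_id(public_id)
        return public_id

    def delete_user(self, public_id):
        self.identity_api.delete_user(self.id_mapping.external_id(public_id))
        self.assignment_api.delete_user(self._cleanup_id(public_id))

    def delete_group(self, public_id):
        self.identity_api.delete_group(self.id_mapping.external_id(public_id))
        self.assignment_api.delete_group(self._cleanup_id(public_id))


def assignments_left_after_delete(pass_external_id):
    """Constructed scenario: one mapped user and one mapped group, each holding
    a role assignment; delete both and return the assignments that survive."""
    identity, assignment, mapping = IdentityStore(), AssignmentStore(), IdMapping()
    identity.users["cn=alice,ou=users"] = {"name": "alice"}
    identity.groups["cn=admins,ou=groups"] = {"name": "admins"}
    mapping.register("cn=alice,ou=users", "a1b2")      # constructed public IDs
    mapping.register("cn=admins,ou=groups", "c3d4")
    assignment.grant("cn=alice,ou=users", "project-x", "member")
    assignment.grant("cn=admins,ou=groups", "project-x", "admin")

    manager = IdentityManager(identity, assignment, mapping, pass_external_id)
    manager.delete_user("a1b2")
    manager.delete_group("c3d4")
    return assignment.assignments


if __name__ == "__main__":
    print("orphaned (mapped ID passed):  ", assignments_left_after_delete(False))
    print("orphaned (external ID passed):", assignments_left_after_delete(True))
```

With the mapped ID passed through, both the user's and the group's grants remain after deletion; with the external ID passed, the assignment store is empty. A regression test of the kind the report asks for would assert exactly that on the manager, independent of which identity driver is configured.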

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-rc1 → 2014.2