Domain backed by a populated read-only domain-specific LDAP identity backend cannot be deleted
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Low
|
Rodrigo Duarte |
Bug Description
I've set up a DevStack with Keystone using domain-specific backends.
I've then created a Domain-A with its domain-specific configuration being:
[ldap]
url=ldap:
user=cn=
password=secret
suffix=
user_tree_
user_id_
user_name_
user_objectclas
user_allow_
user_allow_
user_allow_
group_tree_
group_id_
group_name_
group_objectclass=*
group_allow_
group_allow_
group_allow_
[identity]
driver = keystone.
Now I cannot delete this domain. When I try that, Keystone returns this error:
{"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
As I configured it not to allow the information to be deleted by Keystone, I'd expect it to ignore the fact that it cannot delete the groups and users and then delete the domain.
On the other hand, it is good to have it blocked until the not-needed-anymore configuration file is removed.
See also the chat below on 2014-10-22 on #openstack-
14:53:45 gabriel-bezerra | ayoung: I cannot delete a domain that is backed by a populated read-only LDAP database. It is a bug, right? (just asking before filing)
14:56:11 ayoung | gabriel-bezerra, multi-backend?
14:56:52 gabriel-bezerra | ayoung: yes, domain-specific
14:57:37 ayoung | gabriel-bezerra, what error do you get? I'm not certain its a bug or not. Suspect a foreign key constraint
14:57:50 ayoung | but you need to disable a domain before deleting no matter what
14:58:15 gabriel-bezerra | ayoung: {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
14:58:39 ayoung | gabriel-bezerra, cuz deleting the domain trys to delete all of the objects inside it
14:58:48 gabriel-bezerra | ayoung: it is being disabled
14:59:00 ayoung | You'd have to unmap the domain specific backend part first
14:59:30 ayoung | so remove the file, restart the server,and I bet it works...and I think that is as it should be under current ways of thinking
15:00:07 gabriel-bezerra | ayoung: ok. no bug then. thank you.
15:00:21 ayoung | yeah...but maybe something to document
15:00:59 ayoung | gabriel-bezerra, until we make the configuration something that can be done on the fly and without restarting the server, I'd say it "works as designed"
15:07:41 gabriel-bezerra | ayoung: I'll file the bug then, just to keep track of the issue.
15:07:50 ayoung | ++
Changed in keystone: | |
milestone: | none → kilo-1 |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | kilo-1 → 2015.1.0 |
This is documentation bug as young pointed out in the IRC log in the bug.