The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database

Bug #1546834 reported by Adam Young
Affects: OpenStack Identity (keystone); Status: Opinion; Importance: Low; Assigned to: Adam Young; Milestone: none

Bug Description

Description of problem:
Testing multi-domain support in RHOS. The deletion of this domain, when write-enabled, cleared the LDAP database entirely. Thankfully this was done in a lab, because LDAP was a total loss.

Version-Release number of selected component (if applicable):

# rpm -qa | grep packstack
openstack-packstack-puppet-2015.1-0.14.dev1589.g1d6372f.el7ost.noarch
openstack-packstack-2015.1-0.14.dev1589.g1d6372f.el7ost.noarch

# rpm -qa | grep keystone
python-keystoneclient-1.3.0-2.el7ost.noarch
python-keystone-2015.1.2-2.el7ost.noarch
openstack-keystone-2015.1.2-2.el7ost.noarch
python-keystonemiddleware-1.5.1-1.el7ost.noarch

How reproducible:
Assuming always? I was only able to do this once.

Steps to Reproduce:
1. Enable multi-domain support in keystone and ensure the following is in /etc/keystone.conf:

[identity]
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
#default_domain_id = 7d9bed61b1564f2289296a4e9241482d

2. Then add an LDAP domain and ensure that writes are permitted.

vim /etc/keystone/domains/keystone.laboratory.conf

[ldap]
url=ldap://auth.lab.runlevelone.lan
user=uid=keystone,cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
password=xxxxxxx
suffix=cn=accounts,dc=lab,dc=runlevelone,dc=lan
user_tree_dn=cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
user_objectclass=person
user_id_attribute=uid
user_name_attribute=uid
user_mail_attribute=mail
user_allow_create=true
user_allow_update=true
user_allow_delete=true
group_tree_dn=cn=groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan
group_objectclass=groupOfNames
group_id_attribute=cn
group_name_attribute=cn
group_member_attribute=member
group_desc_attribute=description
group_allow_create=true
group_allow_update=true
group_allow_delete=true
user_enabled_attribute=nsAccountLock
user_enabled_default=false
user_enabled_invert=true

[identity]
driver = keystone.identity.backends.ldap.Identity

3. Remove the domain, using 'openstack domain delete #domain_id'

Actual results:
Clears the LDAP database: cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan and cn=groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan were completely empty

Expected results:
Does not delete users on removal or prompt "THIS WILL DELETE ALL USERS, DO YOU WANT TO PROCEED"
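
A pre-flight check for the procedure above, added here as an example (it is not keystone code and not something the reporter posted). Before step 3 an operator can run it over the file in domain_config_dir to see which of the write-enabling [ldap] options are on, whether a domain delete would therefore propagate user and group deletes into the directory, and what the same config looks like with writes turned off. The sample config is constructed from the report's keystone.laboratory.conf with the password redacted and the "ccn=" suffix typo corrected; the SQL-backed sample and every function name are the example's own.

```python
"""Audit keystone domain-specific config files for LDAP write support.

Added example (not keystone's own code and not the reporter's): given the
text of a file from [identity] domain_config_dir, report which of the
deprecated write-enabling [ldap] options are on, decide whether
'openstack domain delete' on that domain would reach into the directory,
and emit a read-only version of the same config.
"""
import configparser
import io
from typing import List

# The six options that let keystone write into the directory tree.
# keystone's default for each is false; the report's config sets all six.
WRITE_OPTIONS = (
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
)

# Constructed sample based on the report's keystone.laboratory.conf
# (password redacted; the 'ccn=' typo in suffix corrected).
WRITABLE_DOMAIN_CONF = """\
[ldap]
url = ldap://auth.lab.runlevelone.lan
user = uid=keystone,cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
password = REDACTED
suffix = cn=accounts,dc=lab,dc=runlevelone,dc=lan
user_tree_dn = cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
user_allow_create = true
user_allow_update = true
user_allow_delete = true
group_tree_dn = cn=groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan
group_allow_create = true
group_allow_update = true
group_allow_delete = true

[identity]
driver = keystone.identity.backends.ldap.Identity
"""

# Constructed sample of a SQL-backed domain: no [ldap] section at all.
SQL_DOMAIN_CONF = """\
[identity]
driver = sql
"""


def parse_domain_conf(text: str) -> configparser.ConfigParser:
    """Parse a domain config; no interpolation so '%' in passwords is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_ldap_backed(cp: configparser.ConfigParser) -> bool:
    """True for both driver spellings seen across keystone releases."""
    driver = cp.get("identity", "driver", fallback="").strip()
    return driver == "ldap" or driver.endswith("ldap.Identity")


def write_enabled_options(cp: configparser.ConfigParser) -> List[str]:
    """Names of the write options that are set to true (default is false)."""
    if not cp.has_section("ldap"):
        return []
    return [opt for opt in WRITE_OPTIONS
            if cp.getboolean("ldap", opt, fallback=False)]


def delete_would_touch_directory(text: str) -> bool:
    """Would 'openstack domain delete' cascade into LDAP for this domain?

    Domain delete removes the domain's users and groups; with the LDAP
    driver that only reaches the directory when *_allow_delete is true.
    """
    cp = parse_domain_conf(text)
    if not is_ldap_backed(cp):
        return False
    return any(opt.endswith("_allow_delete")
               for opt in write_enabled_options(cp))


def harden(text: str) -> str:
    """Return the same config with every write option explicitly false."""
    cp = parse_domain_conf(text)
    if cp.has_section("ldap"):
        for opt in WRITE_OPTIONS:
            cp.set("ldap", opt, "false")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("laboratory", WRITABLE_DOMAIN_CONF), ("sql-domain", SQL_DOMAIN_CONF))
    for name, conf in samples:
        enabled = write_enabled_options(parse_domain_conf(conf))
        print(f"{name}: write options on: {enabled or 'none'}; "
              f"domain delete reaches LDAP: {delete_would_touch_directory(conf)}")
    print(harden(WRITABLE_DOMAIN_CONF))
```

Run it against each file in /etc/keystone/domains before deleting a domain; any domain for which delete_would_touch_directory() is true should either be re-pointed at a read-only config (the harden() output) or left in place, since the cascade described in the report is what the write-enabled driver is designed to do.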

Revision history for this message
Steve Martinelli (stevemar) wrote :

I don't know if this is doc'ed anywhere, but the following is set: "user_allow_delete=true".

I could go various ways here: since write support is deprecated, I'm OK with just documenting this at docs.o.org/developer/keystone.

Alternatively, we could have a config option that allows deployers to specify if they want domain clean up to occur.

Revision history for this message
Steve Martinelli (stevemar) wrote :

Also: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#delete-domain

Deleting a domain will delete all the entities owned by it (Users, Groups, and Projects), as well as any credentials and role grants that relate to these entities.

In order to minimize the risk of an inadvertent deletion of a domain and its entities, a domain must first be disabled (using the update domain API) before a successful delete domain API call can be made. Attempting to delete an enabled domain will result in an HTTP 403 Forbidden response.

Revision history for this message
Steve Martinelli (stevemar) wrote :

Marking this as medium, I'm not even sure if it's a bug. Definitely not necessary for mitaka3, it's been around for a long time, and we're removing write support for LDAP for just this kind of reason.

Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
status: New → Triaged
importance: Medium → Low
tags: added: ldap
Nisha Yadav (ynisha11)
Changed in keystone:
assignee: nobody → Nisha Yadav (ynisha11)
tags: added: ldap-legacy
tags: added: documentation
removed: ldap-legacy
Revision history for this message
Steve Martinelli (stevemar) wrote :

Automatically unassigning due to inactivity.

Changed in keystone:
assignee: Nisha Yadav (ynisha11) → nobody
Revision history for this message
Steve Martinelli (stevemar) wrote :

Write support is deprecated and will be removed in 6 weeks. Marking this as Opinion.

Changed in keystone:
status: Triaged → Opinion
Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)