The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Opinion | Low | Adam Young |
Bug Description
Description of problem:
Testing multi domain support in RHOS. The deletion of this domain when write enabled cleared the LDAP database entirely. Thankfully this was done in a lab, because LDAP was a total loss.
Version-Release number of selected component (if applicable):
# rpm -qa | grep packstack
openstack-
openstack-
# rpm -qa | grep keystone
python-
python-
openstack-
python-
How reproducible:
Assuming always? I was only able to do this once.
Steps to Reproduce:
1. Enable multi domain support in keystone, ensure the following is in /etc/keystone.conf
[identity]
domain_
domain_config_dir = /etc/keystone/
#default_domain_id = 7d9bed61b1564f2
2. Then add an LDAP domain and ensure that writes are permitted.
vim /etc/keystone/
[ldap]
url=ldap:
user=uid=
password=xxxxxxx
suffix=
user_tree_
user_objectclas
user_id_
user_name_
user_mail_
user_allow_
user_allow_
user_allow_
group_tree_
group_objectcla
group_id_
group_name_
group_member_
group_desc_
group_allow_
group_allow_
group_allow_
user_enabled_
user_enabled_
user_enabled_
[identity]
driver = keystone.
3. Remove the domain, using 'openstack domain delete #domain_id'
Actual results:
Clears LDAP database, cn=users/
Expected results:
Does not delete users on removal or prompt "THIS WILL DELETE ALL USERS, DO YOU WANT TO PROCEED"
Changed in keystone:
status: New → Triaged
importance: Medium → Low
tags: added: ldap
Changed in keystone:
assignee: nobody → Nisha Yadav (ynisha11)
tags: added: ldap-legacy
tags: added: documentation; removed: ldap-legacy
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
I don't know if this is doc'ed anywhere, but the following is set: "user_allow_delete = true".
I could go various ways here: since write support is deprecated, I'm OK with just documenting this at docs.o. org/developer/keystone.
Alternatively, we could have a config option that allows deployers to specify if they want domain clean up to occur.
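As an added example (not code from this bug report or from the keystone project), the following Python check reads a domain-specific keystone config and reports which [ldap] write flags are enabled, so an operator can confirm the backend is read-only before running 'openstack domain delete'. The sample config text is constructed; a missing flag is treated as enabled because keystone's default for these options is True.

```python
"""Report enabled [ldap] write flags in a keystone domain config.

Added example: run this against keystone.<domain>.conf from
domain_config_dir before deleting the domain, so a cascade delete
into the directory cannot happen by surprise.
"""
import configparser

# Real keystone [ldap] option names that let keystone modify the
# directory. Keystone defaults each of them to True, so a missing
# key is reported as enabled.
WRITE_FLAGS = (
    "user_allow_create", "user_allow_update", "user_allow_delete",
    "group_allow_create", "group_allow_update", "group_allow_delete",
)

# Constructed sample of a domain-specific config (not from the report).
SAMPLE_CONFIG = """
[ldap]
url = ldap://ldap.example.test
user_allow_create = True
user_allow_update = False
user_allow_delete = True
group_allow_delete = no

[identity]
driver = ldap
"""


def _truthy(value):
    # oslo.config boolean parsing: true/yes/on/1 count as true.
    return value.strip().lower() in ("true", "yes", "on", "1")


def enabled_write_flags(config_text):
    """Return the [ldap] write flags that are enabled, in WRITE_FLAGS order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section("ldap"):
        return []  # not an LDAP-backed domain; nothing to check
    enabled = []
    for flag in WRITE_FLAGS:
        raw = parser.get("ldap", flag, fallback=None)
        if raw is None or _truthy(raw):
            enabled.append(flag)
    return enabled


def safe_to_delete_domain(config_text):
    """True only when every write flag is off (read-only backend)."""
    return not enabled_write_flags(config_text)


if __name__ == "__main__":
    for flag in enabled_write_flags(SAMPLE_CONFIG):
        print("write flag enabled:", flag)
    print("safe to delete:", safe_to_delete_domain(SAMPLE_CONFIG))
```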