I see that delete_user is not in the Identity manager, but is rather implemented by the individual backends. I suspect that they are not correctly propagating a token revocation event upon deletion:
A quick browse of the code seems to validate this:
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L760
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L215
The controller call is

    def delete_user(self, context, user_id):
        self.assert_admin(context)
        self.identity_api.delete_user(context, user_id)

Whereas the call set_user_enabled calls update_user has a call self._delete_tokens_for_user(context, user_id)
It looks like the fix is to put code into the manager, roughly here:
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L84
That calls the underlying driver's delete_user code, and then deletes the tokens for the user.
Or add a call to self._delete_tokens_for_user(context, user_id)
in delete_use
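
The gap described in the comment above, as an added example that is not part of the original comment and is not keystone code. Driver, TokenStore, PassThroughManager and RevokingManager are hypothetical in-memory stand-ins; they model a manager that only forwards delete_user to the backend next to one that also deletes the user's tokens.

```python
# Added illustration: hypothetical stand-ins, not keystone's classes.
class Driver:
    """Backend stand-in (sql/ldap): only knows about user records."""
    def __init__(self):
        self.users = {}

    def delete_user(self, user_id):
        del self.users[user_id]


class TokenStore:
    """Token backend stand-in: maps token id to owning user id."""
    def __init__(self):
        self.tokens = {}

    def issue(self, token_id, user_id):
        self.tokens[token_id] = user_id

    def is_valid(self, token_id):
        return token_id in self.tokens

    def delete_tokens_for_user(self, user_id):
        for tid in [t for t, u in self.tokens.items() if u == user_id]:
            del self.tokens[tid]


class PassThroughManager:
    """Reported behaviour: deletion goes straight to the driver."""
    def __init__(self, driver, token_store):
        self.driver, self.token_store = driver, token_store

    def delete_user(self, user_id):
        self.driver.delete_user(user_id)


class RevokingManager(PassThroughManager):
    """Proposed fix: delete via the driver, then revoke, for any backend."""
    def delete_user(self, user_id):
        self.driver.delete_user(user_id)
        self.token_store.delete_tokens_for_user(user_id)


def tokens_after_delete(manager_cls):
    """Delete user u1 and report whether u1's and u2's tokens still validate."""
    driver, store = Driver(), TokenStore()
    driver.users.update({"u1": {"name": "alice"}, "u2": {"name": "bob"}})  # constructed data
    store.issue("tok-a", "u1")
    store.issue("tok-b", "u2")
    manager_cls(driver, store).delete_user("u1")
    return store.is_valid("tok-a"), store.is_valid("tok-b")
```

A regression test for the real fix would assert the same two things: the deleted user's token stops validating, and other users' tokens are untouched.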