user_project role assignments are not cleaned out when deleting a project/tenant

Bug #1208675 reported by Chmouel Boudjnah on 2013-08-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Chmouel Boudjnah

Bug Description

Following review https://review.openstack.org/#/c/39878/1/keystone/identity/controllers.py we should be deleting roles assigned to users/projects when deleting a project

Changed in keystone:
assignee: nobody → Chmouel Boudjnah (chmouel)
Chmouel Boudjnah (chmouel) wrote :

I have actually started to write the test, expecting it to fail first:

http://paste.openstack.org/show/43275/

but the test passes, so the clean-up is properly done (although the test would be an addition for the test suite).

Dolph, am I missing something?

Dolph Mathews (dolph) wrote :

As an API test, I think that perfectly illustrates the scenario. However, the 404 might be raised because the project simply doesn't exist. An API-level test doesn't guarantee that there's no remaining role assignments still stored in the identity / assignment backend (we can't enforce FK constraints from projects to role assignments on projects, for example, because projects could come from LDAP while role assignments are persisted in SQL).
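
The gap described in the comment above, as an added example that is not part of the original thread and not Keystone's code. The schema, `get_grants` (the API-level view), `orphaned_grants` (the backend check) and `delete_project` are hypothetical names, and the in-memory SQLite tables are constructed with no foreign key from assignments to projects:

```python
import sqlite3

class NotFound(Exception):
    """Stands in for the HTTP 404 an API client would see."""

def make_db():
    # Constructed sample data: one project with one role assignment, and
    # deliberately no FK constraint tying assignment.project_id to project.id.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE project (id TEXT PRIMARY KEY);
        CREATE TABLE assignment (user_id TEXT, project_id TEXT, role_id TEXT);
        INSERT INTO project VALUES ('p1');
        INSERT INTO assignment VALUES ('u1', 'p1', 'member');
    """)
    return db

def get_grants(db, user_id, project_id):
    # API-level view: the project lookup fails first, so a 404 says nothing
    # about whether assignment rows are still stored.
    found = db.execute("SELECT 1 FROM project WHERE id = ?", (project_id,)).fetchone()
    if found is None:
        raise NotFound(project_id)
    rows = db.execute(
        "SELECT role_id FROM assignment WHERE user_id = ? AND project_id = ?",
        (user_id, project_id))
    return [r[0] for r in rows]

def orphaned_grants(db):
    # Backend-level check: assignments whose project no longer exists.
    return db.execute("""
        SELECT a.user_id, a.project_id, a.role_id FROM assignment a
        LEFT JOIN project p ON p.id = a.project_id
        WHERE p.id IS NULL""").fetchall()

def delete_project(db, project_id, cleanup):
    # cleanup=True removes the grants in the same transaction as the project.
    with db:
        if cleanup:
            db.execute("DELETE FROM assignment WHERE project_id = ?", (project_id,))
        db.execute("DELETE FROM project WHERE id = ?", (project_id,))

def demo(cleanup):
    # Returns (API saw a 404, rows left behind in the backend).
    db = make_db()
    delete_project(db, "p1", cleanup)
    try:
        get_grants(db, "u1", "p1")
        got_404 = False
    except NotFound:
        got_404 = True
    return got_404, orphaned_grants(db)
```

Both runs produce the same 404 at the API level; only the backend query distinguishes a project deleted with its grants from one that left them behind.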

Dolph Mathews (dolph) wrote :

(p.s. if we don't already have such a test, put that one up for review as-is! easy +2)

Changed in keystone:
status: New → In Progress
importance: Undecided → Medium
Chmouel Boudjnah (chmouel) wrote :

OK, I have added that test here:

https://review.openstack.org/#/c/40448/

which should at least test it from the API level.

Chmouel Boudjnah (chmouel) wrote :

It seems that the roles are already removed from the backend when deleting a project :

https://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/sql.py?h=master#n396

I am not sure if this is still needed in the controller or directly in the backend.

In any case, implementing it in the controller would need me to do tests that mix controllers and backend, since that would be the only way I can be sure the roles are really deleted.

Reviewed: https://review.openstack.org/40448
Committed: http://github.com/openstack/keystone/commit/eef6f029499c16c5db98a44eae9c22f51e5b60aa
Submitter: Jenkins
Branch: master

commit eef6f029499c16c5db98a44eae9c22f51e5b60aa
Author: Chmouel Boudjnah <email address hidden>
Date: Tue Aug 6 18:23:30 2013 +0200

    Add test test_deleting_project_delete_grants

    Check that grants are not accessible when we are deleting a project.

    Partial-Bug: #1208675
    Change-Id: Id4160007f41c04571e8c2b1e13d7c878ac654895

Adam Young (ayoung) wrote :

Actually, these constraints can and should be enforced in the manager, not the controller. Assignments and projects are both in the same backend. Thus, if a project is in LDAP, its assignments will be in the same LDAP directory. This is different from users and groups, which are in a separate backend.

Dolph Mathews (dolph) on 2013-08-26
Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-09-05
Changed in keystone:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-3 → 2013.2