OpenStack Identity (keystone)

Bug #1622310
Comment #0

Comment 0 for bug 1622310

Revision history for this message

Dave Chen (wei-d-chen) wrote on 2016-09-11:

When a trust is created, it requires trustee, trustor exist in the DB, but when the associated user or project is deleted trust still exist.

The trust left in the DB is useless, and won't be used any longer since either id of user/project is a random number when it got created it not likely the trust will be effective any longer.

How to reproduce:
$ openstack user create trustor --password abc123
$ openstack user create trustee --password abc123
$ openstack project create trust_project
$ openstack role add 9cf8420ea5324f79b9d740e3ce5f0e04 --project 2c455f8756d04b9485ec0b344c0e2089 --user 3e56ae62d1c94ead9fe9a4b31aaee070 (Add role service to project trust with user trustor)
curl -g -i -X POST -H "Accept: application/json" -H "X-Auth-Token: 94d06939e65243f99cbfcf331bdf3e0b" -H "Content-Type: application/json" -d '{
    "trust": {
        "expires_at": "2017-02-27T18:30:59.999999Z",
        "impersonation": true,
        "allow_redelegation": true,
        "project_id": "2c455f8756d04b9485ec0b344c0e2089",
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "9147c64ef0624477bfc9dba818aa569c",
        "trustor_user_id": "3e56ae62d1c94ead9fe9a4b31aaee070",
        "redelegation_count": 3
    }
}' http://10.239.159.68:5000/v3/OS-TRUST/trusts
$ openstack user delete trustor
$ openstack trust list
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| ID | Expires At | Impersonation | Project ID | Trustee User ID | Trustor User ID |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| e7491ab063e247b6ad072b562 | 2017-02-27T18:30:59.00000 | True | 2c455f8756d04b9485ec0b344 | 9147c64ef0624477bfc9dba81 | 3e56ae62d1c94ead9fe9a4b31 |
| b32e37e | 0Z | | c0e2089 | 8aa569c | aaee070 |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+

When a trust is created, it requires trustee, trustor exist in the DB, but when the associated user or project is deleted trust still exist.

The trust left in the DB is useless, and won't be used any longer since either id of user/project is a random number when it got created it not likely the trust will be effective any longer.

How to reproduce:
$ openstack user create trustor --password abc123
$ openstack user create trustee --password abc123
$ openstack project create trust_project
$ openstack role add 9cf8420ea5324f79b9d740e3ce5f0e04 --project 2c455f8756d04b9485ec0b344c0e2089 --user 3e56ae62d1c94ead9fe9a4b31aaee070  (Add role service to project trust with user trustor)
curl -g -i -X POST -H "Accept: application/json" -H "X-Auth-Token: 94d06939e65243f99cbfcf331bdf3e0b" -H "Content-Type: application/json" -d '{
    "trust": {
        "expires_at": "2017-02-27T18:30:59.999999Z",
        "impersonation": true,
        "allow_redelegation": true,
        "project_id": "2c455f8756d04b9485ec0b344c0e2089",
        "roles": [
            {
                "name": "admin"
            }
        ],
        "trustee_user_id": "9147c64ef0624477bfc9dba818aa569c",
        "trustor_user_id": "3e56ae62d1c94ead9fe9a4b31aaee070",
        "redelegation_count": 3
    }
}' http://10.239.159.68:5000/v3/OS-TRUST/trusts
$ openstack user delete trustor
$ openstack trust list
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| ID                        | Expires At                | Impersonation | Project ID                | Trustee User ID           | Trustor User ID           |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+
| e7491ab063e247b6ad072b562 | 2017-02-27T18:30:59.00000 | True          | 2c455f8756d04b9485ec0b344 | 9147c64ef0624477bfc9dba81 | 3e56ae62d1c94ead9fe9a4b31 |
| b32e37e                   | 0Z                        |               | c0e2089                   | 8aa569c                   | aaee070                   |
+---------------------------+---------------------------+---------------+---------------------------+---------------------------+---------------------------+