OpenStack Identity (keystone)

  1. Bug #1658641
  2. Comment #10

Comment 10 for bug 1658641

Revision history for this message
Andreas Karis (akaris) wrote :

The same issue by the way happens when a user's membership is changed and thus removes him from the domain:

[stack@undercloud-6 ~]$ ^C
[stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 _member_
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
 +---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin | cinderv2@Default | | service@Default | | False |
| _member_ | cinderv2@Default | | service@Default | | False |
| admin | ceilometer@Default | | service@Default | | False |
| _member_ | ceilometer@Default | | service@Default | | False |
| ResellerAdmin | ceilometer@Default | | service@Default | | False |
| admin | admin@Default | | admin@Default | | False |
| admin | nova@Default | | service@Default | | False |
| _member_ | nova@Default | | service@Default | | False |
| admin | glance@Default | | service@Default | | False |
| _member_ | glance@Default | | service@Default | | False |
| admin | neutron@Default | | service@Default | | False |
| _member_ | neutron@Default | | service@Default | | False |
| admin | sahara@Default | | service@Default | | False |
| _member_ | sahara@Default | | service@Default | | False |
| admin | gnocchi@Default | | service@Default | | False |
| _member_ | gnocchi@Default | | service@Default | | False |
| ResellerAdmin | gnocchi@Default | | service@Default | | False |
| admin | swift@Default | | service@Default | | False |
| _member_ | swift@Default | | service@Default | | False |
| admin | aodh@Default | | service@Default | | False |
| _member_ | aodh@Default | | service@Default | | False |
| _member_ | test@redhat | | demo@Default | | False |
| admin | cinder@Default | | service@Default | | False |
| _member_ | cinder@Default | | service@Default | | False |
| admin | heat@Default | | service@Default | | False |
| _member_ | heat@Default | | service@Default | | False |
| admin | admin@Default | | | redhat | False |
| admin | admin@Default | | | Default | False |
| admin | heat_stack_domain_admin@heat_stack | | | heat_stack | False |
 +---------------+------------------------------------+-------+-----------------+------------+-----------+
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID | Name |
 +------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond |
 +------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: test (HTTP 404) (Request-ID: req-b12cbb45-e0a9-4971-96ab-fde229161bd9)
[stack@undercloud-6 ~]$

Disabling an account in Active Directory keeps the user in the user list and hence does not have the same effect. Everything is o.k. in this case.