OpenStack Identity (keystone)

Bug #1658641
Comment #11

Comment 11 for bug 1658641

Revision history for this message

Andreas Karis (akaris) wrote on 2017-06-30:

#11

I deleted the user to test the mapping_purge ...

~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 (HTTP 404) (Request-ID: req-dacdaa34-d07c-40f7-ac7c-2864ca6d6608)
~~~

Note that this does not work:

~~~
[root@overcloud-controller-0 ~]# keystone-manage mapping_purge --domain-name redhat
[root@overcloud-controller-0 ~]#
~~~

~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 (HTTP 404) (Request-ID: req-e53543a3-2164-4fa1-a86b-55a38d199d57)
~~~

I also tried `keystone-manage mapping_purge --domain-name redhat --local-id f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2`

Yes,. it purges the mapping table, but it does not touch the assignment table:
~~~
[root@overcloud-controller-0 ~]# mysql keystone -e 'show tables;' | awk '{print $1}' | while read t;do echo "XXXXX $t XXXXX"; mysql keystone -e "select * from $t \G" | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 -C5 ; done
XXXXX Tables_in_keystone XXXXX
ERROR 1146 (42S02) at line 1: Table 'keystone.Tables_in_keystone' doesn't exist
XXXXX access_token XXXXX
XXXXX assignment XXXXX
target_id: dfc01178c51b4688be78188b5e8c9581
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 23. row ***************************
     type: UserProject
actor_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
target_id: 1c3e304811d8457a871a6c67f6f63a75
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 24. row ***************************
     type: UserProject
XXXXX config_register XXXXX
XXXXX consumer XXXXX
XXXXX credential XXXXX
XXXXX domain XXXXX
XXXXX endpoint XXXXX
XXXXX endpoint_group XXXXX
XXXXX federated_user XXXXX
XXXXX federation_protocol XXXXX
XXXXX group XXXXX
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'group' at line 1
XXXXX id_mapping XXXXX
XXXXX identity_provider XXXXX
XXXXX idp_remote_ids XXXXX
XXXXX implied_role XXXXX
XXXXX local_user XXXXX
XXXXX mapping XXXXX
XXXXX migrate_version XXXXX
XXXXX password XXXXX
XXXXX policy XXXXX
XXXXX policy_association XXXXX
XXXXX project XXXXX
XXXXX project_endpoint XXXXX
XXXXX project_endpoint_group XXXXX
XXXXX region XXXXX
XXXXX request_token XXXXX
XXXXX revocation_event XXXXX
XXXXX role XXXXX
XXXXX sensitive_config XXXXX
XXXXX service XXXXX
XXXXX service_provider XXXXX
XXXXX token XXXXX
XXXXX trust XXXXX
XXXXX trust_role XXXXX
XXXXX user XXXXX
XXXXX user_group_membership XXXXX
XXXXX whitelisted_config XXXXX
[root@overcloud-controller-0 ~]#
~~~

And role deletion still fails:
~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
~~~

I deleted the user to test the mapping_purge ...

~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris   |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond  |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 (HTTP 404) (Request-ID: req-dacdaa34-d07c-40f7-ac7c-2864ca6d6608)
~~~

Note that this does not work:

~~~
[root@overcloud-controller-0 ~]# keystone-manage mapping_purge --domain-name redhat
[root@overcloud-controller-0 ~]# 
~~~

~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 (HTTP 404) (Request-ID: req-e53543a3-2164-4fa1-a86b-55a38d199d57)
~~~

I also tried `keystone-manage mapping_purge --domain-name redhat --local-id f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2`

Yes,. it purges the mapping table, but it does not touch the assignment table:
~~~
[root@overcloud-controller-0 ~]#  mysql keystone -e 'show tables;' | awk '{print $1}' | while read t;do echo "XXXXX $t XXXXX";  mysql keystone -e "select * from $t \G" | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 -C5 ; done
XXXXX Tables_in_keystone XXXXX
ERROR 1146 (42S02) at line 1: Table 'keystone.Tables_in_keystone' doesn't exist
XXXXX access_token XXXXX
XXXXX assignment XXXXX
target_id: dfc01178c51b4688be78188b5e8c9581
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 23. row ***************************
     type: UserProject
 actor_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
target_id: 1c3e304811d8457a871a6c67f6f63a75
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 24. row ***************************
     type: UserProject
XXXXX config_register XXXXX
XXXXX consumer XXXXX
XXXXX credential XXXXX
XXXXX domain XXXXX
XXXXX endpoint XXXXX
XXXXX endpoint_group XXXXX
XXXXX federated_user XXXXX
XXXXX federation_protocol XXXXX
XXXXX group XXXXX
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'group' at line 1
XXXXX id_mapping XXXXX
XXXXX identity_provider XXXXX
XXXXX idp_remote_ids XXXXX
XXXXX implied_role XXXXX
XXXXX local_user XXXXX
XXXXX mapping XXXXX
XXXXX migrate_version XXXXX
XXXXX password XXXXX
XXXXX policy XXXXX
XXXXX policy_association XXXXX
XXXXX project XXXXX
XXXXX project_endpoint XXXXX
XXXXX project_endpoint_group XXXXX
XXXXX region XXXXX
XXXXX request_token XXXXX
XXXXX revocation_event XXXXX
XXXXX role XXXXX
XXXXX sensitive_config XXXXX
XXXXX service XXXXX
XXXXX service_provider XXXXX
XXXXX token XXXXX
XXXXX trust XXXXX
XXXXX trust_role XXXXX
XXXXX user XXXXX
XXXXX user_group_membership XXXXX
XXXXX whitelisted_config XXXXX
[root@overcloud-controller-0 ~]# 
~~~

And role deletion still fails:
~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
~~~