~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 (HTTP 404) (Request-ID: req-e53543a3-2164-4fa1-a86b-55a38d199d57)
~~~
I also tried `keystone-manage mapping_purge --domain-name redhat --local-id f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2`
Yes,. it purges the mapping table, but it does not touch the assignment table:
~~~
[root@overcloud-controller-0 ~]# mysql keystone -e 'show tables;' | awk '{print $1}' | while read t;do echo "XXXXX $t XXXXX"; mysql keystone -e "select * from $t \G" | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 -C5 ; done
XXXXX Tables_in_keystone XXXXX
ERROR 1146 (42S02) at line 1: Table 'keystone.Tables_in_keystone' doesn't exist
XXXXX access_token XXXXX
XXXXX assignment XXXXX
target_id: dfc01178c51b4688be78188b5e8c9581
role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 23. row ***************************
type: UserProject
actor_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
target_id: 1c3e304811d8457a871a6c67f6f63a75
role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 24. row ***************************
type: UserProject
XXXXX config_register XXXXX
XXXXX consumer XXXXX
XXXXX credential XXXXX
XXXXX domain XXXXX
XXXXX endpoint XXXXX
XXXXX endpoint_group XXXXX
XXXXX federated_user XXXXX
XXXXX federation_protocol XXXXX
XXXXX group XXXXX
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'group' at line 1
XXXXX id_mapping XXXXX
XXXXX identity_provider XXXXX
XXXXX idp_remote_ids XXXXX
XXXXX implied_role XXXXX
XXXXX local_user XXXXX
XXXXX mapping XXXXX
XXXXX migrate_version XXXXX
XXXXX password XXXXX
XXXXX policy XXXXX
XXXXX policy_association XXXXX
XXXXX project XXXXX
XXXXX project_endpoint XXXXX
XXXXX project_endpoint_group XXXXX
XXXXX region XXXXX
XXXXX request_token XXXXX
XXXXX revocation_event XXXXX
XXXXX role XXXXX
XXXXX sensitive_config XXXXX
XXXXX service XXXXX
XXXXX service_provider XXXXX
XXXXX token XXXXX
XXXXX trust XXXXX
XXXXX trust_role XXXXX
XXXXX user XXXXX
XXXXX user_group_membership XXXXX
XXXXX whitelisted_config XXXXX
[root@overcloud-controller-0 ~]#
~~~
And role deletion still fails:
~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
~~~
I deleted the user to test the mapping_purge ...
~~~ ------- ------- ------- ------- ------- ------- ------- ------- ----+-- ------- -+ ------- ------- ------- ------- ------- ------- ------- ------- ----+-- ------- -+ 6e938f39256beb9 f8096625c29f34b c8d88990b419820 5f90 | svc-ldap | 55349c62705f750 634a1d0d6803864 44dbe0f7ffd9f15 b032 | akaris | 6b3f95409a663a4 4718bec62eeabc9 ec6f08ff78ef5fd 457d | nalmond | ------- ------- ------- ------- ------- ------- ------- ------- ----+-- ------- -+ a871a6c67f6f63a 75 894a90878d3e92b ab | 82ec6ba7034541d 55349c62705f750 634a1d0d6803864 44dbe0f7ffd9f15 b032 | | 1c3e304811d8457 a871a6c67f6f63a 75 | | False | 894a90878d3e92b ab | f3f3e1b1c01c792 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 | | 1c3e304811d8457 a871a6c67f6f63a 75 | | False | 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 (HTTP 404) (Request-ID: req-dacdaa34- d07c-40f7- ac7c-2864ca6d66 08)
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------
| ID | Name |
+------
| 853a331554ea0fb
| 82ec6ba7034541d
| 39e5b866156f05d
+------
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457
| 9fe2ff9ee4384b1
| 9fe2ff9ee4384b1
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c792
~~~
Note that this does not work:
~~~ -controller- 0 ~]# keystone-manage mapping_purge --domain-name redhat -controller- 0 ~]#
[root@overcloud
[root@overcloud
~~~
~~~ a871a6c67f6f63a 75 894a90878d3e92b ab | 82ec6ba7034541d 55349c62705f750 634a1d0d6803864 44dbe0f7ffd9f15 b032 | | 1c3e304811d8457 a871a6c67f6f63a 75 | | False | 894a90878d3e92b ab | f3f3e1b1c01c792 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 | | 1c3e304811d8457 a871a6c67f6f63a 75 | | False | 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 (HTTP 404) (Request-ID: req-e53543a3- 2164-4fa1- a86b-55a38d199d 57)
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457
| 9fe2ff9ee4384b1
| 9fe2ff9ee4384b1
[stack@undercloud-6 ~]$ openstack role assignment list --names
Could not find user: f3f3e1b1c01c792
~~~
I also tried `keystone-manage mapping_purge --domain-name redhat --local-id f3f3e1b1c01c792 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2`
Yes,. it purges the mapping table, but it does not touch the assignment table: -controller- 0 ~]# mysql keystone -e 'show tables;' | awk '{print $1}' | while read t;do echo "XXXXX $t XXXXX"; mysql keystone -e "select * from $t \G" | grep f3f3e1b1c01c792 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 -C5 ; done Tables_ in_keystone' doesn't exist 8be78188b5e8c95 81 894a90878d3e92b ab ******* ******* ****** 23. row ******* ******* ******* ****** 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 a871a6c67f6f63a 75 894a90878d3e92b ab ******* ******* ****** 24. row ******* ******* ******* ****** endpoint_ group XXXXX membership XXXXX -controller- 0 ~]#
~~~
[root@overcloud
XXXXX Tables_in_keystone XXXXX
ERROR 1146 (42S02) at line 1: Table 'keystone.
XXXXX access_token XXXXX
XXXXX assignment XXXXX
target_id: dfc01178c51b468
role_id: 9fe2ff9ee4384b1
inherited: 0
*******
type: UserProject
actor_id: f3f3e1b1c01c792
target_id: 1c3e304811d8457
role_id: 9fe2ff9ee4384b1
inherited: 0
*******
type: UserProject
XXXXX config_register XXXXX
XXXXX consumer XXXXX
XXXXX credential XXXXX
XXXXX domain XXXXX
XXXXX endpoint XXXXX
XXXXX endpoint_group XXXXX
XXXXX federated_user XXXXX
XXXXX federation_protocol XXXXX
XXXXX group XXXXX
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'group' at line 1
XXXXX id_mapping XXXXX
XXXXX identity_provider XXXXX
XXXXX idp_remote_ids XXXXX
XXXXX implied_role XXXXX
XXXXX local_user XXXXX
XXXXX mapping XXXXX
XXXXX migrate_version XXXXX
XXXXX password XXXXX
XXXXX policy XXXXX
XXXXX policy_association XXXXX
XXXXX project XXXXX
XXXXX project_endpoint XXXXX
XXXXX project_
XXXXX region XXXXX
XXXXX request_token XXXXX
XXXXX revocation_event XXXXX
XXXXX role XXXXX
XXXXX sensitive_config XXXXX
XXXXX service XXXXX
XXXXX service_provider XXXXX
XXXXX token XXXXX
XXXXX trust XXXXX
XXXXX trust_role XXXXX
XXXXX user XXXXX
XXXXX user_group_
XXXXX whitelisted_config XXXXX
[root@overcloud
~~~
And role deletion still fails: 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 9fe2ff9ee4384b1 894a90878d3e92b ab 299154f85f0821c eb0f7c149de8d98 36f86eceaaa38e9 f27c2' exists. a871a6c67f6f63a 75 894a90878d3e92b ab | 82ec6ba7034541d 55349c62705f750 634a1d0d6803864 44dbe0f7ffd9f15 b032 | | 1c3e304811d8457 a871a6c67f6f63a 75 | | False | 894a90878d3e92b ab | f3f3e1b1c01c792 99154f85f0821ce b0f7c149de8d983 6f86eceaaa38e9f 27c2 | | 1c3e304811d8457 a871a6c67f6f63a 75 | | False |
~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c792
No user with a name or ID of 'f3f3e1b1c01c79
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457
| 9fe2ff9ee4384b1
| 9fe2ff9ee4384b1
~~~