Comment 7 for bug 1658641

Andreas Karis (akaris) wrote :

Hi,

The same happens if users are deleted or their group membership is changed.

Users that are auto-removed from LDAP break roles and can't easily be removed.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Followed: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html/integrate_with_identity_service/sec-active-directory

User test was added to Active Directory:
~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond |
| f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | test |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack project create demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 1c3e304811d8457a871a6c67f6f63a75 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
[stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 _member_
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin | cinderv2@Default | | service@Default | | False |
| _member_ | cinderv2@Default | | service@Default | | False |
| admin | ceilometer@Default | | service@Default | | False |
| _member_ | ceilometer@Default | | service@Default | | False |
| ResellerAdmin | ceilometer@Default | | service@Default | | False |
| admin | admin@Default | | admin@Default | | False |
| admin | nova@Default | | service@Default | | False |
| _member_ | nova@Default | | service@Default | | False |
| admin | glance@Default | | service@Default | | False |
| _member_ | glance@Default | | service@Default | | False |
| admin | neutron@Default | | service@Default | | False |
| _member_ | neutron@Default | | service@Default | | False |
| admin | sahara@Default | | service@Default | | False |
| _member_ | sahara@Default | | service@Default | | False |
| admin | gnocchi@Default | | service@Default | | False |
| _member_ | gnocchi@Default | | service@Default | | False |
| ResellerAdmin | gnocchi@Default | | service@Default | | False |
| admin | swift@Default | | service@Default | | False |
| _member_ | swift@Default | | service@Default | | False |
| admin | aodh@Default | | service@Default | | False |
| _member_ | aodh@Default | | service@Default | | False |
| _member_ | test@redhat | | demo@Default | | False |
| admin | cinder@Default | | service@Default | | False |
| _member_ | cinder@Default | | service@Default | | False |
| admin | heat@Default | | service@Default | | False |
| _member_ | heat@Default | | service@Default | | False |
| admin | admin@Default | | | redhat | False |
| admin | admin@Default | | | Default | False |
| admin | heat_stack_domain_admin@heat_stack | | | heat_stack | False |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
~~~

User test was removed from Active Directory:
~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond |
[stack@undercloud-6 ~]$ openstack role assignment list | head -2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+----------------------------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
~~~

The role assignment cannot be removed:
~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user 1c3e304811d8457a871a6c67f6f63a75 _member_
No user with a name or ID of '1c3e304811d8457a871a6c67f6f63a75' exists.
~~~

The user cannot be deleted:
~~~
[stack@undercloud-6 ~]$ openstack user delete f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
~~~
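A detection script for the situation described in this comment, added here as an example and not part of the bug report or of Keystone: it compares the user IDs in the role assignment list against the users the LDAP-backed domain still returns and flags assignments whose user no longer resolves. It assumes both inputs come from the `openstack` CLI in CSV format (`-f csv`, every field quoted) with the columns named in the comments; the sample data is constructed from the IDs shown above.

```shell
#!/bin/sh
# Added example, not part of the bug report: list role assignments whose user ID
# no longer resolves to a user in the LDAP-backed Keystone domain (the situation
# in the report after "test" was removed from Active Directory).
#
# Assumptions: inputs come from
#   openstack role assignment list -f csv -c Role -c User -c Project
#   openstack user list --domain <ldap-domain> -f csv -c ID
# with cliff's CSV formatter quoting every field. Sample data is constructed;
# the 64-hex IDs are the ones shown in the report.

# find_orphaned_assignments ASSIGNMENTS_CSV USERS_CSV
# Prints "role_id user_id project_id" for each assignment whose user ID is not
# in USERS_CSV. Only 64-hex IDs are checked: Keystone's identity mapping hashes
# LDAP users to a SHA256 digest, while SQL-backed (Default domain) users have
# 32-hex UUIDs that never appear in this domain's user list.
find_orphaned_assignments() {
    awk -F'","' '
        { gsub(/^"|"$/, "") }                       # drop the outer quotes
        FNR == 1 { next }                           # skip each header row
        NR == FNR { known[$1] = 1; next }           # first file: existing users
        length($2) == 64 && !($2 in known) { print $1, $2, $3 }
    ' "$2" "$1"
}

# Constructed sample: the _member_ assignment of the deleted user "test" on
# project demo remains; a group assignment (empty User) and a Default-domain
# admin row (32-hex placeholder IDs) must not be reported.
demo() {
    a=$(mktemp) && u=$(mktemp) || return 1
    cat > "$a" <<'EOF'
"Role","User","Project"
"9fe2ff9ee4384b1894a90878d3e92bab","82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032","1c3e304811d8457a871a6c67f6f63a75"
"9fe2ff9ee4384b1894a90878d3e92bab","f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2","1c3e304811d8457a871a6c67f6f63a75"
"9fe2ff9ee4384b1894a90878d3e92bab","","1c3e304811d8457a871a6c67f6f63a75"
"0123456789abcdef0123456789abcdef","0123456789abcdef0123456789abcdef","0123456789abcdef0123456789abcdef"
EOF
    cat > "$u" <<'EOF'
"ID"
"853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90"
"82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032"
"39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d"
EOF
    find_orphaned_assignments "$a" "$u"
    rm -f "$a" "$u"
}

demo
```

Against the sample data the script reports only the `_member_` assignment of the removed user on project `demo`, which is exactly the row that `openstack role remove` refuses to delete above.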