Comment 17 for bug 1718747

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/539347
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=62ee18b359cbb2e6a9469bdaac9057ef19de1bdf
Submitter: Zuul
Branch: master

commit 62ee18b359cbb2e6a9469bdaac9057ef19de1bdf
Author: Colleen Murphy <email address hidden>
Date: Tue Jan 30 23:23:15 2018 +0100

    Delete SQL users before deleting domain

    Since the users table has a foreign key to the projects table[1], users
    must be deleted before the domain can be deleted. However, the
    notification emitted from the domain deletion comes too late, and
    keystone runs into a foreign key reference error before it can delete
    the users. This patch addresses the problem by adding a new internal
    notification to alert the identity manager that users should be deleted.
    This uses a new notification rather than the existing notification
    because the existing one is used to alert listeners that the domain
    deletion has been fully completed, whereas this one must happen in the
    middle of the domain delete process.

    The callback must also only try to delete SQL users. The LDAP driver
    doesn't support deleting users, and we can't assume other drivers
    support it either. Moreover, the foreign key reference is only a problem
    for SQL users anyway.

    Because our backend unit tests run with SQLite and foreign keys do not
    work properly, we can't properly expose this bug in our unit tests, but
    there is an accompanying tempest test[2][3] to validate this fix.

    [1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141
    [2] https://review.openstack.org/#/c/509610
    [3] https://review.openstack.org/#/c/509947

    Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083
    Closes-bug: #1718747
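
The ordering problem and the SQLite blind spot described in the commit message above, shown as an added example (not keystone code, not part of the original commit). The two-table schema, the row values and the `make_db` / `delete_domain` helpers are simplified assumptions made up for illustration.

```python
import sqlite3

# Constructed, simplified schema (assumption): not keystone's real tables.
SCHEMA = """
CREATE TABLE project (id TEXT PRIMARY KEY, is_domain INTEGER NOT NULL);
CREATE TABLE users (
    id TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL REFERENCES project(id)
);
INSERT INTO project VALUES ('d1', 1);
INSERT INTO users VALUES ('u1', 'd1'), ('u2', 'd1');
"""


def make_db(enforce_fk):
    """Hypothetical helper: in-memory database with FK enforcement on or off."""
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    return conn


def delete_domain(conn, domain_id, users_first):
    """Hypothetical helper: returns (outcome, number of orphaned user rows)."""
    try:
        with conn:  # commit on success, roll back on error
            if users_first:
                conn.execute("DELETE FROM users WHERE domain_id = ?", (domain_id,))
            conn.execute("DELETE FROM project WHERE id = ?", (domain_id,))
        outcome = "deleted"
    except sqlite3.IntegrityError:
        outcome = "foreign key error"
    orphans = conn.execute(
        "SELECT COUNT(*) FROM users "
        "WHERE domain_id NOT IN (SELECT id FROM project)"
    ).fetchone()[0]
    return outcome, orphans


if __name__ == "__main__":
    # Enforcement off: the delete "succeeds" and silently leaves orphaned users.
    print(delete_domain(make_db(False), "d1", users_first=False))
    # Enforcement on: deleting the domain row first hits the foreign key.
    print(delete_domain(make_db(True), "d1", users_first=False))
    # Enforcement on: deleting the users first lets the domain delete complete.
    print(delete_domain(make_db(True), "d1", users_first=True))
```

With enforcement off, a test suite sees a clean delete and never exercises the failure, which is why the fix is validated against a backend that enforces the constraint.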