Deleting a shadow user doesn't invalidate the cache

Bug #1760205 reported by Kristi Nikolla
This bug affects 1 person
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: wangxiyuan

Bug Description

When you delete a shadow user and the user tries to log in again through federation, they'll get a can't find user error. Retrying after 10 (or so) minutes works.

My Setup
--------
1. devstack-idp is the identity provider for service provider devstack-sp1, using Keystone to Keystone (SAML) with Shibboleth
2. user-idp gets a SAML assertion from devstack-idp keystone and uses that to authenticate with devstack-sp1 keystone.
3. devstack-sp1 creates shadow user user-sp1.
4. admin deletes user-sp1 in devstack-sp1.
5. Step two is performed again
6. user-idp gets a 'Could not find user <user-sp1_id>' from devstack-sp1.
7. After 10 (or so) minutes the user tries again; this time it works and he is able to authenticate as <user-sp1> (the id of this user-sp1 is different from the prior one).

Expected: After deleting a shadow user, the user should be able to re-authenticate immediately and have a new shadow user created.

Actual: After deleting a shadow user, the user can't log back into keystone if keystone is caching identity information (which it does by default). The user can re-authenticate only if the cache is disabled or the entry TTL has expired.
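The failure mode in the steps above, reproduced as an added toy model that is not keystone's own code: a memoized federated-identity lookup whose entry outlives the deleted user row, next to the invalidate-on-delete behaviour the fix corresponds to. The class, method names, cache shape and the (idp, protocol, unique_id) key are constructed assumptions.

```python
import uuid


class ToyIdentity:
    """Constructed stand-in for the identity backend (not keystone's code)."""

    def __init__(self, cache_enabled=True, invalidate_on_delete=False):
        self.users = {}    # user_id -> user record
        self.shadow = {}   # (idp, protocol, unique_id) -> user_id
        self.cache = {}    # memoized get_federated_user results
        self.cache_enabled = cache_enabled
        self.invalidate_on_delete = invalidate_on_delete  # the fix

    def get_federated_user(self, key):
        if self.cache_enabled and key in self.cache:
            return self.cache[key]  # cache hit; stale after a delete
        user_id = self.shadow.get(key)
        if user_id is not None and self.cache_enabled:
            self.cache[key] = user_id
        return user_id

    def federated_login(self, key):
        """A SAML login: reuse the shadow user or create one, then load it."""
        user_id = self.get_federated_user(key)
        if user_id is None:
            user_id = uuid.uuid4().hex
            self.users[user_id] = {"name": key[2]}
            self.shadow[key] = user_id
            self.get_federated_user(key)  # later reads come from the cache
        if user_id not in self.users:  # stale id: 'Could not find user'
            raise LookupError("Could not find user %s" % user_id)
        return user_id

    def delete_user(self, user_id):
        del self.users[user_id]
        for key, uid in list(self.shadow.items()):
            if uid == user_id:
                del self.shadow[key]
                if self.invalidate_on_delete:
                    self.cache.pop(key, None)


def relogin_after_delete(cache_enabled=True, invalidate_on_delete=False):
    """Steps 2-6 of the report; returns (old_id, new_id) or 'UserNotFound'."""
    backend = ToyIdentity(cache_enabled, invalidate_on_delete)
    key = ("devstack-idp", "saml2", "user-idp")
    old_id = backend.federated_login(key)
    backend.delete_user(old_id)
    try:
        return old_id, backend.federated_login(key)
    except LookupError:
        return "UserNotFound"
```

With the default settings the second login fails exactly as in step 6; disabling the cache or invalidating the entry on delete yields a fresh shadow user with a new id, as in step 7.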

Revision history for this message
Kristi Nikolla (knikolla) wrote :

Logs from command line when attempting to authenticate http://paste.openstack.org/show/718036/
Logs from sp keystone http://paste.openstack.org/show/718037/

Revision history for this message
Lance Bragstad (lbragstad) wrote :

This might be related to caching. The default cache_time for the identity system (and most other systems in keystone) is 10 minutes [0].

If you disable caching, can the user log in right away in steps 5 and 6?

[0] https://github.com/openstack/keystone/blob/0c5242b6184aa37968266a2fbb1d490208d6a580/keystone/conf/identity.py#L88-L94

Revision history for this message
Kristi Nikolla (knikolla) wrote :

Disabling caching solved the issue, so somewhere along the way the cache isn't being invalidated.

tags: added: caching
summary: - A deleted federated user cannot be recreated for some time
+ Deleting a shadow user doesn't invalidate the cache
description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Lance Bragstad (lbragstad) wrote :

Setting this to medium, but I wouldn't be opposed to bumping it to high since it would be annoying to not be able to log in for 10 minutes for no apparent reason.

wangxiyuan (wangxiyuan)
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/561908

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/561908
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3b701cdf70d7331c781a6b1a46dd8247906b9b63
Submitter: Zuul
Branch: master

commit 3b701cdf70d7331c781a6b1a46dd8247906b9b63
Author: wangxiyuan <email address hidden>
Date: Tue Apr 17 19:21:43 2018 +0800

    Invalidate the shadow user cache when deleting a user

    When deleting a user, the cache for the related shadow user should
    be invalidated as well. Otherwise the federation authentication
    will not work well and will raise 404 UserNotFound error.

    This patch fixes the bug and adds a new function for shadow backend
    to get the shadow user information.

    Change-Id: I3882f0dc6e8f8f618bb89ebd699736bc4b352261
    Closes-bug: #1760205

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.0.0b2

This issue was fixed in the openstack/keystone 14.0.0.0b2 development milestone.

Changed in keystone:
milestone: none → rocky-2