Deleting a shadow user doesn't invalidate the cache
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | wangxiyuan | rocky-2
Bug Description
When you delete a shadow user and the user tries to log in again through federation, they get a "can't find user" error. Retrying after 10 (or so) minutes works.
My Setup
--------
1. devstack-idp is the identity provider for service provider devstack-sp1, using Keystone to Keystone (SAML) with Shibboleth.
2. user-idp gets a SAML assertion from devstack-idp keystone and uses that to authenticate with devstack-sp1 keystone.
3. devstack-sp1 creates shadow user user-sp1.
4. admin deletes user-sp1 in devstack-sp1.
5. Step 2 is performed again.
6. user-idp gets a 'Could not find user <user-sp1_id>' from devstack-sp1.
7. After 10 (or so) minutes the user tries again; this time it works and he is able to authenticate as <user-sp1> (the id of this user-sp1 is different from the prior one).
Expected: After deleting a shadow user, the user should be able to re-authenticate immediately and have a new shadow user created.
Actual: After deleting a shadow user, the user can't log back into keystone if keystone is caching identity information (which it does by default). The user can re-authenticate only if the cache is disabled or the entry TTL has expired.
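The failure mode above is a cache-invalidation bug: the federated-identity lookup that maps (identity provider, protocol, unique id) to a shadow user id is memoized, so after the user row is deleted the cached id still comes back and the follow-up user fetch fails until the entry expires. The model below is an added example and not keystone's code; the backend, cache and names (ShadowUserBackend, TTLCache, the "devstack-idp"/"saml2"/"user-idp" key, the 600-second TTL standing in for the "10 or so minutes") are all hypothetical. It runs the report's steps 2-7 twice, once with delete_user leaving the cache alone and once with delete_user invalidating the mapping's cache entry, and returns the outcome of each login attempt.

```python
"""Model of 'deleting a shadow user doesn't invalidate the cache' (added example)."""
import uuid


class UserNotFound(Exception):
    pass


class FakeClock:
    """Injected clock so the example can advance time without sleeping."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


class TTLCache:
    """Minimal memoization cache with per-entry expiry (hypothetical)."""
    def __init__(self, ttl, clock):
        self.ttl, self.clock, self._store = ttl, clock, {}

    def get(self, key):
        hit = self._store.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.clock() >= expires_at:      # expired entry behaves like a miss
            del self._store[key]
            return None
        return value

    def put(self, key, value):
        self._store[key] = (value, self.clock() + self.ttl)

    def invalidate(self, key):
        self._store.pop(key, None)


class ShadowUserBackend:
    """Hypothetical identity backend: a user table plus a federated mapping table."""
    def __init__(self, cache, invalidate_on_delete):
        self.cache = cache
        self.invalidate_on_delete = invalidate_on_delete
        self.users = {}       # user_id -> user record
        self.federated = {}   # (idp, protocol, unique_id) -> user_id

    def _lookup_federated_user(self, key):
        # Memoized lookup: a hit short-circuits the database entirely.
        cached = self.cache.get(key)
        if cached is not None:
            return cached
        user_id = self.federated.get(key)
        if user_id is not None:
            self.cache.put(key, user_id)
        return user_id

    def create_shadow_user(self, key):
        user_id = uuid.uuid4().hex
        self.users[user_id] = {"id": user_id, "name": key[2]}
        self.federated[key] = user_id
        return user_id

    def delete_user(self, user_id):
        if user_id not in self.users:
            raise UserNotFound(user_id)
        del self.users[user_id]
        for key in [k for k, v in self.federated.items() if v == user_id]:
            del self.federated[key]
            if self.invalidate_on_delete:   # the fix: drop the stale mapping entry
                self.cache.invalidate(key)

    def authenticate(self, idp, protocol, unique_id):
        key = (idp, protocol, unique_id)
        user_id = self._lookup_federated_user(key)
        if user_id is None:
            return self.create_shadow_user(key)
        if user_id not in self.users:
            # Cache still points at a deleted row: the report's "Could not find user".
            raise UserNotFound(user_id)
        return user_id


def reproduce(invalidate_on_delete, ttl=600):
    """Run steps 2-7 of the report; return [('ok', id) | ('error', msg)] per login."""
    clock = FakeClock()
    backend = ShadowUserBackend(TTLCache(ttl, clock), invalidate_on_delete)
    key = ("devstack-idp", "saml2", "user-idp")   # constructed sample identity
    results = []
    first = backend.authenticate(*key)             # steps 2-3: shadow user created
    results.append(("ok", first))
    backend.authenticate(*key)                     # a second login warms the cache
    backend.delete_user(first)                     # step 4: admin deletes the shadow user
    try:
        results.append(("ok", backend.authenticate(*key)))   # steps 5-6
    except UserNotFound as exc:
        results.append(("error", "Could not find user %s" % exc))
    clock.now += ttl                               # step 7: wait out the TTL
    results.append(("ok", backend.authenticate(*key)))
    return results


if __name__ == "__main__":
    print("buggy:", reproduce(invalidate_on_delete=False))
    print("fixed:", reproduce(invalidate_on_delete=True))
```

With `invalidate_on_delete=False` the second login errors and the third, after the TTL, succeeds under a new id, exactly the sequence in steps 6 and 7; with `invalidate_on_delete=True` the new shadow user is created on the very next login. The general lesson is that any delete path for a row that a memoized lookup can return must invalidate every cache key that resolves to it, not just the key for the row's own id.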
tags: added: caching
summary: A deleted federated user cannot be recreated for some time → Deleting a shadow user doesn't invalidate the cache
description: updated
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)
Changed in keystone:
milestone: none → rocky-2
Logs from command line when attempting to authenticate: http://paste.openstack.org/show/718036/
Logs from sp keystone: http://paste.openstack.org/show/718037/