cannot delete a ldap domain with groups

Bug #1848238 reported by Sami Makki
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Colleen Murphy

Bug Description

I set up a domain with domain-specific backends, and configured one with the ldap driver.

When I tried to delete the domain, I got an error message:

Failed to delete domain with name or ID '1d97d0d6fdcd402fa058549d7f297b8b': LDAP does not support write operations.

After some investigation (thanks @cmurphy), it turned out that there was an exception raised during the group deletion, here: https://opendev.org/openstack/keystone/src/branch/stable/stein/keystone/identity/core.py#L509

Removing groups made the deletion possible.

Dealing with this deletion the same way a user is deleted (by checking the backend type) should fix it: https://opendev.org/openstack/keystone/src/branch/stable/stein/keystone/identity/core.py#L519-L522

Colleen Murphy (krinkle)
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/688939

Changed in keystone:
assignee: nobody → Sami Makki (smakki)
status: Triaged → In Progress
Changed in keystone:
assignee: Sami Makki (smakki) → Colleen Murphy (krinkle)
Changed in keystone:
assignee: Colleen Murphy (krinkle) → Sami Makki (smakki)
Changed in keystone:
assignee: Sami Makki (smakki) → Colleen Murphy (krinkle)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/688939
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d6977a0e9b3ed8ae80527d6f6ace67b687b46c60
Submitter: Zuul
Branch: master

commit d6977a0e9b3ed8ae80527d6f6ace67b687b46c60
Author: Sami MAKKI <email address hidden>
Date: Wed Oct 16 16:10:15 2019 +0200

    Remove group deletion for non-sql driver when removing domains.

    As LDAP is now read-only, trying to remove it was throwing an error.
    We now only try to delete it when the driver is sql-based.

    Change-Id: I15b92b35b31d0e5d735a629e7c154ddd7bdda03d
    Closes-bug: #1848238
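
The failure reported above and the guard described in the commit message, as an added example that is not Keystone's own code: a toy model in which the LDAP-backed driver rejects writes, showing the domain delete failing without the backend check and succeeding with it. The class, the function names and the `is_sql` flag are hypothetical; the group IDs are constructed sample data.

```python
# Added illustration: a toy model, not Keystone's code. All names are hypothetical.

class ReadOnlyBackend(Exception):
    """Write attempted against a read-only identity backend."""


class Driver:
    def __init__(self, is_sql, groups):
        self.is_sql = is_sql        # True only for the SQL-backed driver
        self.groups = set(groups)   # constructed sample group IDs

    def delete_group(self, group_id):
        if not self.is_sql:
            # Same message the reporter saw when deleting the LDAP domain.
            raise ReadOnlyBackend("LDAP does not support write operations.")
        self.groups.discard(group_id)


def cleanup_unguarded(driver):
    """Reported behaviour: delete every group, whatever the backend."""
    for group_id in sorted(driver.groups):
        driver.delete_group(group_id)
    return "groups deleted"


def cleanup_guarded(driver):
    """Fixed behaviour: touch groups only when the driver is SQL-based."""
    if not driver.is_sql:
        return "groups left in external directory"
    return cleanup_unguarded(driver)


def delete_domain(cleanup, driver):
    """Run the group cleanup step and report the outcome of the domain delete."""
    try:
        return "domain deleted, " + cleanup(driver)
    except ReadOnlyBackend as exc:
        return "Failed to delete domain: " + str(exc)


if __name__ == "__main__":
    steps = (("unguarded", cleanup_unguarded), ("guarded", cleanup_guarded))
    for label, cleanup in steps:
        for backend, is_sql in (("sql", True), ("ldap", False)):
            outcome = delete_domain(cleanup, Driver(is_sql, {"g1", "g2"}))
            print(label, backend, "->", outcome)
```

With the guard, the groups stay in the external directory, so the model leaves the LDAP driver's group set unchanged after the domain is deleted.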

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/keystone/+/800861

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/train)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/800861
Committed: https://opendev.org/openstack/keystone/commit/acef9c60722edf78bcb85328ca5ab23331ab9273
Submitter: "Zuul (22348)"
Branch: stable/train

commit acef9c60722edf78bcb85328ca5ab23331ab9273
Author: Sami MAKKI <email address hidden>
Date: Wed Oct 16 16:10:15 2019 +0200

    Remove group deletion for non-sql driver when removing domains.

    As LDAP is now read-only, trying to remove it was throwing an error.
    We now only try to delete it when the driver is sql-based.

    Change-Id: I15b92b35b31d0e5d735a629e7c154ddd7bdda03d
    Closes-bug: #1848238
    (cherry picked from commit d6977a0e9b3ed8ae80527d6f6ace67b687b46c60)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone train-eol

This issue was fixed in the openstack/keystone train-eol release.
