keystone doesn't cleanly remove all data for a user when using SQL backend for Identity
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Eduardo Patrocinio | |
Bug Description
Hello,
How can a user cleanly be removed from Keystone? Maybe I am missing a step - and I apologize if so - but I'm running into the following issue:
keystone tenant-create --name=ProjectX
keystone user-create --name=Foo --pass=password
keystone user-role-add --user=$USER_ID --tenant_
In the SQL database, I can now see entries under the user, tenant, user_tenant_
Now, if I do
keystone user-delete $USER_ID
The entry is removed from the user table, but no other tables.
If I do
keystone user-role-remove --user=$USER_ID --tenant_
The entry is removed from user_tenant_
keystone user-delete $USER_ID
removes the user from the user table, but still not metadata.
If I add the user to more than one role, the user will stay in the user_tenant_
Is this a bug or am I missing a step for cleanly removing a user?
Thanks,
Joe
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in keystone: | |
assignee: | nobody → Eduardo Patrocinio (epatro) |
Changed in keystone: | |
assignee: | nobody → Eduardo Patrocinio (epatro) |
status: | Invalid → In Progress |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
I think we should use foreign keys and cascading deletion to ensure clean deletion. In addition, since the token table uses an extra column to save role and tenant information, we will enhance the auth process to handle the case where the user, role or tenant has been deleted and then return the right information.
Below is the extra field for a certain token:
{"metadata": {"roles": ["ca43893555be4153acc701568beeec8e", "85c54052d4dc41aba5d1671216766064", "3d3f2139ef514935ba698f40012ddaeb"]}, "user": {"email": "<email address hidden>", "enabled": true, "id": "44c3d88f257a4dc39790c318fcb1a2cc", "name": "admin", "tenantId": null}, "tenant": {"enabled": true, "id": "36cf36c3972a437890e5df7bf9805097", "name": "admin", "description": null}}
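The behaviour reported in this bug and the foreign-key approach suggested in the comment above, as an added example that is not part of the original report or of keystone's code. It uses SQLite and a constructed, simplified schema; the `membership` table and all column names are hypothetical stand-ins, not keystone's real SQL backend schema.

```python
import sqlite3

# Constructed, simplified schema. Table and column names are illustrative
# assumptions, not keystone's actual tables.
SCHEMA = """
CREATE TABLE user   (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE tenant (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE membership (
    user_id TEXT {fk_user}, tenant_id TEXT {fk_tenant},
    PRIMARY KEY (user_id, tenant_id));
CREATE TABLE metadata (
    user_id TEXT {fk_user}, tenant_id TEXT {fk_tenant}, data TEXT,
    PRIMARY KEY (user_id, tenant_id));
"""


def orphans_after_user_delete(cascade: bool) -> list:
    """Create a user with a tenant grant, delete the user, and return the
    (table, user_id) rows that still reference the deleted user."""
    fk_user = "REFERENCES user(id) ON DELETE CASCADE" if cascade else ""
    fk_tenant = "REFERENCES tenant(id) ON DELETE CASCADE" if cascade else ""
    db = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when enabled on each connection.
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA.format(fk_user=fk_user, fk_tenant=fk_tenant))

    # Constructed sample data mirroring the steps in the report.
    db.execute("INSERT INTO tenant VALUES ('t1', 'ProjectX')")
    db.execute("INSERT INTO user VALUES ('u1', 'Foo')")
    db.execute("INSERT INTO membership VALUES ('u1', 't1')")
    db.execute("INSERT INTO metadata VALUES (?, ?, ?)",
               ("u1", "t1", '{"roles": ["r1"]}'))

    db.execute("DELETE FROM user WHERE id = 'u1'")

    # Orphan check: rows whose user_id no longer exists in the user table.
    leftovers = []
    for table in ("membership", "metadata"):
        leftovers += db.execute(
            f"SELECT '{table}', user_id FROM {table} "
            "WHERE user_id NOT IN (SELECT id FROM user)").fetchall()
    db.close()
    return leftovers


if __name__ == "__main__":
    print("no foreign keys:  ", orphans_after_user_delete(cascade=False))
    print("ON DELETE CASCADE:", orphans_after_user_delete(cascade=True))
```

The `NOT IN` query in the loop can be adapted as an audit for stale grant rows on a database that predates the constraint.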