Comment 18 for bug 1166670

Adam Young (ayoung) wrote : Re: Deleted user can still create instances

I see that delete_user is not in the Identity manager, but is rather implemented by the individual backends. I suspect that they are not correctly propagating a token revocation event upon deletion:

A quick browse of the code seems to validate this:
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L760
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L215

The controller call is
def delete_user(self, context, user_id):
    self.assert_admin(context)
    self.identity_api.delete_user(context, user_id)

Whereas set_user_enabled calls update_user, which has a call to self._delete_tokens_for_user(context, user_id).

It looks like the fix is to put code into the manager, roughly here:

https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L84

That calls the underlying driver's delete_user code, and then deletes the tokens for the user.

Or add a call to

    self._delete_tokens_for_user(context, user_id)

in delete_user.
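The failure mode described in this comment, as an added example that is not part of the bug thread and not keystone's own code: a token issued before the user is deleted keeps validating when deletion is delegated straight to the backend driver, and stops validating once the manager layer revokes the user's tokens after the driver call. The backends, token store and manager classes below are hypothetical stand-ins with made-up names (SqlBackend, LdapBackend, TokenStore, BuggyIdentityManager, FixedIdentityManager); they model the layering the comment describes, not keystone's actual API.

```python
"""Added example (not keystone code): why token revocation belongs in the
identity manager, above the pluggable user drivers.

BuggyIdentityManager delegates delete_user to the driver only, so tokens
already issued to the deleted user keep validating until they expire.
FixedIdentityManager calls the driver and then revokes the user's tokens,
so the fix holds whichever driver (sql-like or ldap-like) is configured.
All names here are hypothetical stand-ins, not keystone APIs.
"""
import secrets
import time


class SqlBackend:
    """Stand-in for a SQL user driver: it knows nothing about tokens."""
    def __init__(self):
        self._users = {}

    def create_user(self, user_id, name):
        self._users[user_id] = {"id": user_id, "name": name, "enabled": True}

    def has_user(self, user_id):
        return user_id in self._users

    def delete_user(self, user_id):
        # Removes the user record only; no token revocation happens here.
        del self._users[user_id]


class LdapBackend(SqlBackend):
    """Stand-in for an LDAP driver: same driver contract, same omission."""


class TokenStore:
    """In-memory token backend keyed by token id, with lookup by user."""
    def __init__(self, ttl_seconds=3600):
        self._tokens = {}
        self._ttl = ttl_seconds

    def issue(self, user_id):
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {"user_id": user_id,
                                  "expires": time.time() + self._ttl}
        return token_id

    def validate(self, token_id):
        # A token is valid if it is still stored and not yet expired; the
        # store never checks whether the user behind it still exists.
        data = self._tokens.get(token_id)
        return data is not None and data["expires"] > time.time()

    def list_for_user(self, user_id):
        return [t for t, d in self._tokens.items() if d["user_id"] == user_id]

    def delete(self, token_id):
        self._tokens.pop(token_id, None)


class BuggyIdentityManager:
    """Manager that only forwards delete_user to the driver (the reported bug)."""
    def __init__(self, driver, token_store):
        self.driver = driver
        self.tokens = token_store

    def delete_user(self, user_id):
        self.driver.delete_user(user_id)


class FixedIdentityManager(BuggyIdentityManager):
    """Manager that deletes through the driver, then revokes the user's tokens,
    so every driver gets the same revocation behaviour."""
    def _delete_tokens_for_user(self, user_id):
        for token_id in self.tokens.list_for_user(user_id):
            self.tokens.delete(token_id)

    def delete_user(self, user_id):
        self.driver.delete_user(user_id)
        self._delete_tokens_for_user(user_id)


def token_survives_user_deletion(manager_cls, driver_cls):
    """Issue a token, delete the user through the given manager, and report
    whether the token still validates. True means a deleted user could still
    act with a token obtained before deletion."""
    driver = driver_cls()
    tokens = TokenStore()
    manager = manager_cls(driver, tokens)
    driver.create_user("u1", "alice")   # constructed sample user
    token = tokens.issue("u1")
    manager.delete_user("u1")
    if driver.has_user("u1"):
        raise RuntimeError("driver did not delete the user")
    return tokens.validate(token)


if __name__ == "__main__":
    for driver_cls in (SqlBackend, LdapBackend):
        for manager_cls in (BuggyIdentityManager, FixedIdentityManager):
            print(manager_cls.__name__, driver_cls.__name__,
                  "token still valid:",
                  token_survives_user_deletion(manager_cls, driver_cls))
```

The revocation lives in the manager rather than in each driver so that adding a third backend cannot silently reintroduce the gap; the driver call runs first and the token cleanup second, matching the order the comment proposes. The same effect could be had by putting the _delete_tokens_for_user call in the controller's delete_user, but then any other caller of identity_api.delete_user would bypass it.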