System role assignments exist after removing groups

Bug #1749267 reported by Lance Bragstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Lance Bragstad |
Queens | Fix Committed | High | Lance Bragstad |

Bug Description

Keystone cleans up role assignments a group has on projects and domains when deleting the group. This isn't true for system role assignments. Instead, they are left after the group is deleted. I recreate the issue by doing the following with a basic devstack install:

$ openstack group create testers
$ openstack role add --group testers --system all admin
$ openstack role assignment list --names  # testers will have an assignment on the system
$ openstack group delete testers
$ openstack role assignment list --names  # an empty group assignment will exist on the system

Paste recreating the issue [0].

[0] http://paste.openstack.org/raw/671041/
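
A check for the condition described in this report, as an added example that is not part of the original bug report or of Keystone's code: it compares the groups Keystone still lists with the group role assignments it returns and reports assignments whose group no longer exists. The sample documents are constructed in the shape of the v3 `GET /v3/groups` and `GET /v3/role_assignments` responses, and every ID in them is made up.

```python
import json

# Constructed sample data (not taken from the bug report). The group list
# must cover every domain, otherwise live groups are reported as missing.
GROUPS_JSON = '{"groups": [{"id": "g-ops", "name": "operators"}]}'
ASSIGNMENTS_JSON = '''{"role_assignments": [
 {"role": {"id": "r-admin"},  "group": {"id": "g-testers"}, "scope": {"system": {"all": true}}},
 {"role": {"id": "r-reader"}, "group": {"id": "g-ops"},     "scope": {"system": {"all": true}}},
 {"role": {"id": "r-admin"},  "user":  {"id": "u-alice"},   "scope": {"system": {"all": true}}},
 {"role": {"id": "r-member"}, "group": {"id": "g-ops"},     "scope": {"project": {"id": "p-1"}}}
]}'''


def scope_label(scope):
    """Return a short 'kind:target' label for an assignment scope."""
    if "system" in scope:
        return "system:all"
    for kind in ("project", "domain"):
        if kind in scope:
            return "%s:%s" % (kind, scope[kind].get("id"))
    return "unknown"


def find_orphaned_group_assignments(groups_doc, assignments_doc):
    """List group role assignments whose group ID is no longer present."""
    live = {g["id"] for g in groups_doc.get("groups", [])}
    orphans = []
    for a in assignments_doc.get("role_assignments", []):
        group = a.get("group")
        if group is None:  # user assignment, outside the scope of this check
            continue
        if group.get("id") not in live:
            orphans.append({
                "group_id": group.get("id"),
                "role_id": a.get("role", {}).get("id"),
                "scope": scope_label(a.get("scope", {})),
            })
    return orphans


def audit(groups_json, assignments_json):
    """Parse both API response bodies and return the orphaned assignments."""
    return find_orphaned_group_assignments(
        json.loads(groups_json), json.loads(assignments_json))


if __name__ == "__main__":
    for orphan in audit(GROUPS_JSON, ASSIGNMENTS_JSON):
        print("orphaned group assignment: %(group_id)s has %(role_id)s on %(scope)s" % orphan)
```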

Changed in keystone:
milestone: none → queens-rc2
Changed in keystone:
status: New → Triaged
importance: Undecided → High
tags: added: queens-backport-potential
no longer affects: keystone/rocky
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/544073

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/544074

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544100

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/544101

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/544073
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3fa997531f757a832aab209d585bb98503e72cc2
Submitter: Zuul
Branch: master

commit 3fa997531f757a832aab209d585bb98503e72cc2
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 20:37:03 2018 +0000

    Expose bug in system assignment when deleting groups

    Project and domain role assignments are cleaned up when deleting
    groups. This commit introduces a test case that shows this isn't the
    case for system role assignments. A subsequent patch will implement
    a fix to make sure system role assignments are removed when groups
    are deleted, to be consistent with project and domain assignments.

    Change-Id: I9b452aff144fd8867cdac2f44cbcaa0d1de63a12
    Partial-Bug: 1749267

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/544074
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5a24b96d951537fb12deb7050eb2e7dd7d40fc81
Submitter: Zuul
Branch: master

commit 5a24b96d951537fb12deb7050eb2e7dd7d40fc81
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 20:47:54 2018 +0000

    Delete system role assignments when deleting groups

    Keystone removes role assignments that groups have on projects and
    domains when deleting groups. This should apply to system role
    assignments, too.

    Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
    Closes-Bug: 1749267

Changed in keystone:
milestone: queens-rc2 → rocky-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/queens)

Reviewed: https://review.openstack.org/544100
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=89152d73ac167b71b11617bcf946c99c38956184
Submitter: Zuul
Branch: stable/queens

commit 89152d73ac167b71b11617bcf946c99c38956184
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 20:37:03 2018 +0000

    Expose bug in system assignment when deleting groups

    Project and domain role assignments are cleaned up when deleting
    groups. This commit introduces a test case that shows this isn't the
    case for system role assignments. A subsequent patch will implement
    a fix to make sure system role assignments are removed when groups
    are deleted, to be consistent with project and domain assignments.

    Change-Id: I9b452aff144fd8867cdac2f44cbcaa0d1de63a12
    Partial-Bug: 1749267
    (cherry picked from commit 3fa997531f757a832aab209d585bb98503e72cc2)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/544101
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8646f40a4080eddb5f9cc58df2ce478ccfd38a77
Submitter: Zuul
Branch: stable/queens

commit 8646f40a4080eddb5f9cc58df2ce478ccfd38a77
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 20:47:54 2018 +0000

    Delete system role assignments when deleting groups

    Keystone removes role assignments that groups have on projects and
    domains when deleting groups. This should apply to system role
    assignments, too.

    Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
    Closes-Bug: 1749267
    (cherry picked from commit 5a24b96d951537fb12deb7050eb2e7dd7d40fc81)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 13.0.0.0rc2

This issue was fixed in the openstack/keystone 13.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.0.0b1

This issue was fixed in the openstack/keystone 14.0.0.0b1 development milestone.
