** Changed in: keystone
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385405
Title:
Domain backed by a populated read-only domain-specific LDAP identity
backend cannot be deleted
Status in OpenStack Identity (Keystone):
Fix Released
Bug description:
I've set up a DevStack with Keystone using domain-specific backends.
I've then created a Domain-A with its domain-specific configuration
being:
[ldap]
url=ldap://ldap.server.com:389
user=cn=admin,dc=example,dc=com
password=secret
suffix=dc=example,dc=com
user_tree_dn="ou=Users,dc=example,dc=com"
user_id_attribute=cn
user_name_attribute=cn
user_objectclass=organizationalPerson
user_allow_create=false
user_allow_update=false
user_allow_delete=false
group_tree_dn=ou=Groups,dc=example,dc=com
group_id_attribute=cn
group_name_attribute=cn
group_objectclass=*
group_allow_create=false
group_allow_update=false
group_allow_delete=false
[identity]
driver = keystone.identity.backends.ldap.Identity
Now I cannot delete this domain. When I try that, Keystone returns this error:
{"error": {"message": "You are not authorized to perform the requested
action: LDAP group delete (Disable debug mode to suppress these details.)",
"code": 403, "title": "Forbidden"}
As I configured it not to allow the information to be deleted by Keystone,
I'd expect it to ignore the fact that it cannot delete the groups and users and
then delete the domain.
On the other hand, it is good to have it blocked until the not-needed-
anymore configuration file is removed.
See also the chat below on 2014-10-22 on #openstack-keystone:
14:53:45 gabriel-bezerra | ayoung: I cannot delete a domain that is backed by
a populated read-only LDAP database. It is a bug, right? (just asking before
filing)
14:56:11 ayoung | gabriel-bezerra, multi-backend?
14:56:52 gabriel-bezerra | ayoung: yes, domain-specific
14:57:37 ayoung | gabriel-bezerra, what error do you get? I'm not
certain its a bug or not. Suspect a foreign key constraint
14:57:50 ayoung | but you need to disable a domain before deleting
no matter what
14:58:15 gabriel-bezerra | ayoung: {"error": {"message": "You are not
authorized to perform the requested action: LDAP group delete (Disable debug
mode to suppress these details.)", "code": 403, "title": "Forbidden"}
14:58:39 ayoung | gabriel-bezerra, cuz deleting the domain trys to
delete all of the objects inside it
14:58:48 gabriel-bezerra | ayoung: it is being disabled
14:59:00 ayoung | You'd have to unmap the domain specific backend
part first
14:59:30 ayoung | so remove the file, restart the server,and I bet
it works...and I think that is as it should be under current ways of thinking
15:00:07 gabriel-bezerra | ayoung: ok. no bug then. thank you.
15:00:21 ayoung | yeah...but maybe something to document
15:00:59 ayoung | gabriel-bezerra, until we make the configuration
something that can be done on the fly and without restarting the server, I'd
say it "works as designed"
15:07:41 gabriel-bezerra | ayoung: I'll file the bug then, just to keep track
of the issue.
15:07:50 ayoung | ++
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1385405/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
