Public bug reported:
Greetings all,
There is currently an issue in an Openstack Liberty environment where the
keystone configuration is using a ldap driver for users and the sql driver for
role assignments. The issue being encountered is when a ldap user is removed,
the id for that user(actor_id) remains in the keystone.assignment table. The
way this was discovered was that if we attempt to perform a user list on a
specific project where a former ldap user existed the openstack client abruptly
exits with an exception[1] regarding the resource or in this case the user id
no longer being found as it was deleted from ldap while its role assignment for
the user remains in the keystone.assignments table. There was a similar bug
found [2], however that one deals by both identity and assignment driver using
ldap whereas this particular case identity is ldap and assignment is sql.
Environment details:
Openstack Version: 12.2.0(Liberty)
Keystone Version: 8.1.2
identity driver: ldap
assignment driver: sql
[0]
MariaDB [keystone]> select * from assignment where
actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47';
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
| type | actor_id
| target_id | role_id |
inherited |
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
| UserProject |
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 |
14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab | 0
|
| UserProject |
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 |
14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 | 0
|
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
[1]
Request returned failure status: 401
Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in
run_subcommand
result = cmd.run(parsed_args)
File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in
run
column_names, data = self.take_action(parsed_args)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
45, in wrapper
return func(self, *args, **kwargs)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py",
line 251, in take_action
user = utils.find_resource(identity_client.users, user_id)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
141, in find_resource
raise exceptions.CommandError(msg)
CommandError: Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
clean_up ListUser: Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line
112, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
result = self.run_subcommand(remainder)
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in
run_subcommand
result = cmd.run(parsed_args)
File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in
run
column_names, data = self.take_action(parsed_args)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
45, in wrapper
return func(self, *args, **kwargs)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py",
line 251, in take_action
user = utils.find_resource(identity_client.users, user_id)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
141, in find_resource
raise exceptions.CommandError(msg)
CommandError: Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
END return value: 1
[2]
https://bugs.launchpad.net/keystone/+bug/1366211
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1632924
Title:
Lingering sql backend role assignments after deletion of ldap user.
Status in OpenStack Identity (keystone):
New
Bug description:
Greetings all,
There is currently an issue in an Openstack Liberty environment where the
keystone configuration is using a ldap driver for users and the sql driver for
role assignments. The issue being encountered is when a ldap user is removed,
the id for that user(actor_id) remains in the keystone.assignment table. The
way this was discovered was that if we attempt to perform a user list on a
specific project where a former ldap user existed the openstack client abruptly
exits with an exception[1] regarding the resource or in this case the user id
no longer being found as it was deleted from ldap while its role assignment for
the user remains in the keystone.assignments table. There was a similar bug
found [2], however that one deals by both identity and assignment driver using
ldap whereas this particular case identity is ldap and assignment is sql.
Environment details:
Openstack Version: 12.2.0(Liberty)
Keystone Version: 8.1.2
identity driver: ldap
assignment driver: sql
[0]
MariaDB [keystone]> select * from assignment where
actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47';
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
| type | actor_id
| target_id | role_id |
inherited |
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
| UserProject |
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 |
14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab | 0
|
| UserProject |
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 |
14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 | 0
|
+-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+
[1]
Request returned failure status: 401
Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in
run_subcommand
result = cmd.run(parsed_args)
File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in
run
column_names, data = self.take_action(parsed_args)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
45, in wrapper
return func(self, *args, **kwargs)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py",
line 251, in take_action
user = utils.find_resource(identity_client.users, user_id)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
141, in find_resource
raise exceptions.CommandError(msg)
CommandError: Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
clean_up ListUser: Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py",
line 112, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run
result = self.run_subcommand(remainder)
File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in
run_subcommand
result = cmd.run(parsed_args)
File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in
run
column_names, data = self.take_action(parsed_args)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
45, in wrapper
return func(self, *args, **kwargs)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py",
line 251, in take_action
user = utils.find_resource(identity_client.users, user_id)
File
"/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line
141, in find_resource
raise exceptions.CommandError(msg)
CommandError: Could not find resource
50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47
END return value: 1
[2]
https://bugs.launchpad.net/keystone/+bug/1366211
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1632924/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
