Public bug reported: Greetings all,
There is currently an issue in an Openstack Liberty environment where the keystone configuration is using a ldap driver for users and the sql driver for role assignments. The issue being encountered is when a ldap user is removed, the id for that user(actor_id) remains in the keystone.assignment table. The way this was discovered was that if we attempt to perform a user list on a specific project where a former ldap user existed the openstack client abruptly exits with an exception[1] regarding the resource or in this case the user id no longer being found as it was deleted from ldap while its role assignment for the user remains in the keystone.assignments table. There was a similar bug found [2], however that one deals by both identity and assignment driver using ldap whereas this particular case identity is ldap and assignment is sql. Environment details: Openstack Version: 12.2.0(Liberty) Keystone Version: 8.1.2 identity driver: ldap assignment driver: sql [0] MariaDB [keystone]> select * from assignment where actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47'; +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+ | type | actor_id | target_id | role_id | inherited | +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+ | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab | 0 | | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 | 0 | +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+ [1] Request returned failure status: 401 Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand result = cmd.run(parsed_args) File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run column_names, data = self.take_action(parsed_args) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper return func(self, *args, **kwargs) File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action user = utils.find_resource(identity_client.users, user_id) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource raise exceptions.CommandError(msg) CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 clean_up ListUser: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 112, in run ret_val = super(OpenStackShell, self).run(argv) File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run result = self.run_subcommand(remainder) File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand result = cmd.run(parsed_args) File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run column_names, data = self.take_action(parsed_args) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper return func(self, *args, **kwargs) File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action user = utils.find_resource(identity_client.users, user_id) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource raise exceptions.CommandError(msg) CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 END return value: 1 [2] https://bugs.launchpad.net/keystone/+bug/1366211 ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1632924 Title: Lingering sql backend role assignments after deletion of ldap user. Status in OpenStack Identity (keystone): New Bug description: Greetings all, There is currently an issue in an Openstack Liberty environment where the keystone configuration is using a ldap driver for users and the sql driver for role assignments. The issue being encountered is when a ldap user is removed, the id for that user(actor_id) remains in the keystone.assignment table. The way this was discovered was that if we attempt to perform a user list on a specific project where a former ldap user existed the openstack client abruptly exits with an exception[1] regarding the resource or in this case the user id no longer being found as it was deleted from ldap while its role assignment for the user remains in the keystone.assignments table. There was a similar bug found [2], however that one deals by both identity and assignment driver using ldap whereas this particular case identity is ldap and assignment is sql. Environment details: Openstack Version: 12.2.0(Liberty) Keystone Version: 8.1.2 identity driver: ldap assignment driver: sql [0] MariaDB [keystone]> select * from assignment where actor_id='50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47'; +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+ | type | actor_id | target_id | role_id | inherited | +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+ | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | 9fe2ff9ee4384b1894a90878d3e92bab | 0 | | UserProject | 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 | 14b2bc91832e455491a9fd4a42c8b19c | bffeb621920e40feb18ce2c28b07d1a1 | 0 | +-------------+------------------------------------------------------------------+----------------------------------+----------------------------------+-----------+ [1] Request returned failure status: 401 Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand result = cmd.run(parsed_args) File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run column_names, data = self.take_action(parsed_args) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper return func(self, *args, **kwargs) File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action user = utils.find_resource(identity_client.users, user_id) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource raise exceptions.CommandError(msg) CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 clean_up ListUser: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/openstackclient/shell.py", line 112, in run ret_val = super(OpenStackShell, self).run(argv) File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 255, in run result = self.run_subcommand(remainder) File "/usr/local/lib/python2.7/dist-packages/cliff/app.py", line 374, in run_subcommand result = cmd.run(parsed_args) File "/usr/local/lib/python2.7/dist-packages/cliff/display.py", line 92, in run column_names, data = self.take_action(parsed_args) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 45, in wrapper return func(self, *args, **kwargs) File "/usr/local/lib/python2.7/dist-packages/openstackclient/identity/v3/user.py", line 251, in take_action user = utils.find_resource(identity_client.users, user_id) File "/usr/local/lib/python2.7/dist-packages/openstackclient/common/utils.py", line 141, in find_resource raise exceptions.CommandError(msg) CommandError: Could not find resource 50327bfee89ace875a8ffbe4040cdbc9ec712859f5c8c39a73b36003407f9a47 END return value: 1 [2] https://bugs.launchpad.net/keystone/+bug/1366211 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1632924/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp