Reviewed: https://review.openstack.org/539347 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=62ee18b359cbb2e6a9469bdaac9057ef19de1bdf Submitter: Zuul Branch: master
commit 62ee18b359cbb2e6a9469bdaac9057ef19de1bdf Author: Colleen Murphy <[email protected]> Date: Tue Jan 30 23:23:15 2018 +0100 Delete SQL users before deleting domain Since the users table has a foreign key to the projects table[1], users must be deleted before the domain can be deleted. However, the notification emitted from the domain deletion comes too late, and keystone runs into a foreign key reference error before it can delete the users. This patch addresses the problem by adding a new internal notification to alert the identity manager that users should be deleted. This uses a new notification rather than the existing notification because the existing one is used to alert listeners that the domain deletion has been fully completed, whereas this one must happen in the middle of the domain delete process. The callback must also only try to delete SQL users. The LDAP driver doesn't support deleting users, and we can't assume other drivers support it either. Moreover, the foreign key reference is only a problem for SQL users anyway. Because our backend unit tests run with SQLite and foreign keys do not work properly, we can't properly expose this bug in our unit tests, but there is an accompanying tempest test[2][3] to validate this fix. [1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141 [2] https://review.openstack.org/#/c/509610 [3] https://review.openstack.org/#/c/509947 Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083 Closes-bug: #1718747 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1718747 Title: Unable to delete domain with users in it Status in OpenStack Identity (keystone): Fix Released Status in OpenStack Identity (keystone) newton series: Won't Fix Status in OpenStack Identity (keystone) ocata series: Confirmed Status in OpenStack Identity (keystone) pike series: Confirmed Bug description: Attempting to delete a domain which contains users and projects may yield an UnexpectedError similiar to this Sep 21 19:37:17 vagrant-openSUSE-Leap [email protected][23894]: DEBUG keystone.common.sql.core [None req-707ec264-b10c-4079-94bb-2af01db58aab None None] Conflict project: (pymysql.err.IntegrityError) (1451, u'Cannot delete or update a parent row: a foreign key constraint fails (`keystone`.`user`, CONSTRAINT `user_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `project` (`id`))') [SQL: u'DELETE FROM project WHERE project.id = %(id)s'] [parameters: {'id': u'63d2d5446e364f00b3181bf49c62c5b8'}] {{(pid=23897) wrapper /opt/stack/keystone/keystone/common/sql/core.py:550}} Sep 21 19:37:17 vagrant-openSUSE-Leap [email protected][23894]: WARNING keystone.common.wsgi [None req-707ec264-b10c-4079-94bb-2af01db58aab None None] An unexpected error prevented the server from fulfilling your request.: UnexpectedError: An unexpected error prevented the server from fulfilling your request. Steps to reproduce: 1. Install devstack 2. create a domain 'foo' openstack domain create foo 3. create a user in domain 'foo' openstack user create --password equifax --domain foo foo_user 4. create a project in domain 'foo' openstack project create --domain foo foo_project 5. enable domain user 'foo_user' access to project 'foo_project' openstack role add --user foo_user --project foo_project admin 6. now disable domain 'foo' openstack domain set --disable foo 7. attempt to delete domain 'foo' will yield an expected error mentioned above openstack domain delete foo This was introduced in: https://github.com/openstack/keystone/commit/2bd88d30e1d2873470af7f40db45a99e07e12ce6 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1718747/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
