[Yahoo-eng-team] [Bug 1810393] Re: shadow user cache is not cleaned when the related idp is deleted.

Fri, 04 Jan 2019 13:15:57 -0800 

Reviewed:  https://review.openstack.org/628132
Committed: 
https://git.openstack.org/cgit/openstack/keystone/commit/?id=3bcd8968e97a8efd8f9788a8840dd008c490cea1
Submitter: Zuul
Branch:    master

commit 3bcd8968e97a8efd8f9788a8840dd008c490cea1
Author: wangxiyuan <wangxiy...@huawei.com>
Date:   Thu Jan 3 17:40:15 2019 +0800

    Invalidate shadow_federated_user cache when deleting protocol
    
    When delete identity provider protocol, the related
    shadow_federated_user cache should be invalidated as well.
    
    Change-Id: Ia1a86724b7a6747fc5177476ee462d8d062978e0
    Closes-bug: 1810393


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1810393

Title:
  shadow user cache is not cleaned  when the related idp is deleted.

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  This bug is found in keystone tempest CI job when adding the domain
  clean-up step:https://review.openstack.org/#/c/579063/

  tempest error log:
  ft1.2: 
keystone_tempest_plugin.tests.scenario.test_federated_authentication.TestSaml2EcpFederatedAuthentication.test_request_unscoped_token_StringException:
 pythonlogging:'': {{{
  2019-01-03 02:34:45,765 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:setUp): 201 PUT 
http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest 0.130s
  2019-01-03 02:34:45,766 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: {"identity_provider": {"remote_ids": 
["https://samltest.id/saml/idp";], "enabled": true}}
      Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 
03 Jan 2019 02:34:45 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 
(Ubuntu)', u'x-openstack-request-id': 
'req-d596a054-3b42-4580-88e0-d9f6cfe9be8f', u'content-length': '373', 
'content-location': 
'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest', 
u'vary': 'X-Auth-Token', 'status': '201'}
          Body: {"identity_provider": {"description": null, "links": {"self": 
"http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest";, 
"protocols": 
"http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols"},
 "enabled": true, "domain_id": "e14d592e135046f180f94931c2f5f339", "id": 
"samltest", "remote_ids": ["https://samltest.id/saml/idp"]}}

  2019-01-03 02:34:45,865 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:setUp): 201 PUT 
http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9
 0.098s
  2019-01-03 02:34:45,866 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: {"mapping": {"rules": [{"remote": [{"type": "uid"}], "local": 
[{"user": {"name": "{0}"}}, {"group": {"domain": {"name": "federated_domain"}, 
"name": "federated_users"}}]}]}}
      Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 
03 Jan 2019 02:34:45 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 
(Ubuntu)', u'x-openstack-request-id': 
'req-424b858c-57d1-4693-a5ea-2fb5a1d13b57', u'content-length': '326', 
'content-location': 
'http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9',
 u'vary': 'X-Auth-Token', 'status': '201'}
          Body: {"mapping": {"rules": [{"remote": [{"type": "uid"}], "local": 
[{"user": {"name": "{0}"}}, {"group": {"domain": {"name": "federated_domain"}, 
"name": "federated_users"}}]}], "id": "8269b21476554bbdb196d7251d8566b9", 
"links": {"self": 
"http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9"}}}

  2019-01-03 02:34:45,918 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:setUp): 201 PUT 
http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped
 0.051s
  2019-01-03 02:34:45,919 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: {"protocol": {"mapping_id": "8269b21476554bbdb196d7251d8566b9"}}
      Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 
03 Jan 2019 02:34:45 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 
(Ubuntu)', u'x-openstack-request-id': 
'req-b4cab609-d78f-43b1-9dd7-4039f2b08182', u'content-length': '259', 
'content-location': 
'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped',
 u'vary': 'X-Auth-Token', 'status': '201'}
          Body: {"protocol": {"mapping_id": "8269b21476554bbdb196d7251d8566b9", 
"id": "mapped", "links": {"self": 
"http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped";,
 "identity_provider": "http://38.108.68.96/identity/v3/samltest"}}}

  2019-01-03 02:34:46,210 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE 
http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped
 0.050s
  2019-01-03 02:34:46,210 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: None
      Response - Headers: {'content-location': 
'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest/protocols/mapped',
 u'x-openstack-request-id': 'req-10dee6dc-dec0-4383-8aea-bbf097c5279b', 
u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 
'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
          Body: 
  2019-01-03 02:34:46,256 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE 
http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9
 0.045s
  2019-01-03 02:34:46,257 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: None
      Response - Headers: {'content-location': 
'http://38.108.68.96/identity/v3/OS-FEDERATION/mappings/8269b21476554bbdb196d7251d8566b9',
 u'x-openstack-request-id': 'req-989f407c-9b99-4a05-a92d-34deb01bedc0', 
u'date': 'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 
'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
          Body: 
  2019-01-03 02:34:46,306 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE 
http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest 0.048s
  2019-01-03 02:34:46,306 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: None
      Response - Headers: {'content-location': 
'http://38.108.68.96/identity/v3/OS-FEDERATION/identity_providers/samltest', 
u'x-openstack-request-id': 'req-06795a5c-eddd-49e5-85c9-7ce85942b12e', u'date': 
'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 
'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
          Body: 
  2019-01-03 02:34:46,400 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 200 PATCH 
http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339 0.093s
  2019-01-03 02:34:46,400 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: {"domain": {"enabled": false}}
      Response - Headers: {u'content-type': 'application/json', u'date': 'Thu, 
03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 'Apache/2.4.18 
(Ubuntu)', u'x-openstack-request-id': 
'req-ebfc5cdc-af5e-45fd-bca3-f500012489a1', u'content-length': '306', 
'content-location': 
'http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339', 
u'vary': 'X-Auth-Token', 'status': '200'}
          Body: {"domain": {"description": "Auto generated federated domain for 
Identity Provider: samltest", "links": {"self": 
"http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339"}, 
"tags": [], "enabled": false, "id": "e14d592e135046f180f94931c2f5f339", "name": 
"e14d592e135046f180f94931c2f5f339"}}

  2019-01-03 02:34:46,656 4283 INFO     [tempest.lib.common.rest_client] 
Request (TestSaml2EcpFederatedAuthentication:_run_cleanups): 204 DELETE 
http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339 0.255s
  2019-01-03 02:34:46,657 4283 DEBUG    [tempest.lib.common.rest_client] 
Request - Headers: {'Accept': 'application/json', 'X-Auth-Token': '<omitted>', 
'Content-Type': 'application/json'}
          Body: None
      Response - Headers: {'content-location': 
'http://38.108.68.96/identity/v3/domains/e14d592e135046f180f94931c2f5f339', 
u'x-openstack-request-id': 'req-41df84a1-40f5-4105-9034-1ed63d91dc43', u'date': 
'Thu, 03 Jan 2019 02:34:46 GMT', u'connection': 'close', u'server': 
'Apache/2.4.18 (Ubuntu)', u'vary': 'X-Auth-Token', 'status': '204'}
          Body:
  }}}

  Traceback (most recent call last):
    File 
"/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py",
 line 168, in test_request_unscoped_token
      self._request_unscoped_token()
    File 
"/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py",
 line 159, in _request_unscoped_token
      self.assertEqual(http_client.CREATED, resp.status_code)
    File 
"/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py",
 line 411, in assertEqual
      self.assertThat(observed, matcher, message)
    File 
"/opt/stack/tempest/.tox/tempest/local/lib/python2.7/site-packages/testtools/testcase.py",
 line 498, in assertThat
      raise mismatch_error
  testtools.matchers._impl.MismatchError: 201 != 404

  
  The reason is that once the identity protocol is deleted, the related shadow 
uses are cascading deleted. But the related federation auth cache is not 
cleaned. So that once the same idp and protocol are created during the caching 
time, the caching user which is deleted already will be always returned.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1810393/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to