summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColleen Murphy <colleen@gazlene.net>2018-01-30 23:23:15 +0100
committerColleen Murphy <colleen@gazlene.net>2018-02-08 21:19:02 +0100
commit62ee18b359cbb2e6a9469bdaac9057ef19de1bdf (patch)
tree8f7c2749b23c8649486cb29f4881f46b1924e9f6
parente4c15a9c83fdebb5d7ee9f50bb0ce85141431ab9 (diff)
Delete SQL users before deleting domain
Since the users table has a foreign key to the projects table[1], users must be deleted before the domain can be deleted. However, the notification emitted from the domain deletion comes too late, and keystone runs into a foreign key reference error before it can delete the users. This patch addresses the problem by adding a new internal notification to alert the identity manager that users should be deleted. This uses a new notification rather than the existing notification because the existing one is used to alert listeners that the domain deletion has been fully completed, whereas this one must happen in the middle of the domain delete process. The callback must also only try to delete SQL users. The LDAP driver doesn't support deleting users, and we can't assume other drivers support it either. Moreover, the foreign key reference is only a problem for SQL users anyway. Because our backend unit tests run with SQLite and foreign keys do not work properly, we can't properly expose this bug in our unit tests, but there is an accompanying tempest test[2][3] to validate this fix. [1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141 [2] https://review.openstack.org/#/c/509610 [3] https://review.openstack.org/#/c/509947 Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083 Closes-bug: #1718747
Notes
Notes (review): Code-Review+2: Lance Bragstad <lbragstad@gmail.com> Code-Review+2: Morgan Fainberg <morgan.fainberg@gmail.com> Workflow+1: Morgan Fainberg <morgan.fainberg@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Thu, 08 Feb 2018 23:15:19 +0000 Reviewed-on: https://review.openstack.org/539347 Project: openstack/keystone Branch: refs/heads/master
-rw-r--r--keystone/identity/core.py16
-rw-r--r--keystone/notifications.py1
-rw-r--r--keystone/resource/core.py3
-rw-r--r--releasenotes/notes/bug-1718747-50d39fa87bdbb12b.yaml17
4 files changed, 35 insertions, 2 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index a95024e..ccc2f9e 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -486,10 +486,12 @@ class Manager(manager.Manager):
486 def __init__(self): 486 def __init__(self):
487 super(Manager, self).__init__(CONF.identity.driver) 487 super(Manager, self).__init__(CONF.identity.driver)
488 self.domain_configs = DomainConfigs() 488 self.domain_configs = DomainConfigs()
489 489 notifications.register_event_callback(
490 notifications.ACTIONS.internal, notifications.DOMAIN_DELETED,
491 self._domain_deleted
492 )
490 self.event_callbacks = { 493 self.event_callbacks = {
491 notifications.ACTIONS.deleted: { 494 notifications.ACTIONS.deleted: {
492 'domain': [self._domain_deleted],
493 'project': [self._unset_default_project], 495 'project': [self._unset_default_project],
494 }, 496 },
495 } 497 }
@@ -498,6 +500,16 @@ class Manager(manager.Manager):
498 payload): 500 payload):
499 domain_id = payload['resource_info'] 501 domain_id = payload['resource_info']
500 502
503 driver = self._select_identity_driver(domain_id)
504
505 if not driver.is_sql:
506 # The LDAP driver does not support deleting users or groups.
507 # Moreover, we shouldn't destroy users and groups in an unknown
508 # driver. The only time when we should delete users and groups is
509 # when the backend is SQL because the foreign key in the SQL table
510 # forces us to.
511 return
512
501 user_refs = self.list_users(domain_scope=domain_id) 513 user_refs = self.list_users(domain_scope=domain_id)
502 group_refs = self.list_groups(domain_scope=domain_id) 514 group_refs = self.list_groups(domain_scope=domain_id)
503 515
diff --git a/keystone/notifications.py b/keystone/notifications.py
index 40e7c31..cea86fc 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -80,6 +80,7 @@ INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'
80INVALIDATE_USER_PROJECT_TOKEN_PERSISTENCE = 'invalidate_user_project_tokens' 80INVALIDATE_USER_PROJECT_TOKEN_PERSISTENCE = 'invalidate_user_project_tokens'
81INVALIDATE_USER_OAUTH_CONSUMER_TOKENS = 'invalidate_user_consumer_tokens' 81INVALIDATE_USER_OAUTH_CONSUMER_TOKENS = 'invalidate_user_consumer_tokens'
82INVALIDATE_TOKEN_CACHE_DELETED_IDP = 'invalidate_token_cache_from_deleted_idp' 82INVALIDATE_TOKEN_CACHE_DELETED_IDP = 'invalidate_token_cache_from_deleted_idp'
83DOMAIN_DELETED = 'domain_deleted'
83 84
84 85
85class Audit(object): 86class Audit(object):
diff --git a/keystone/resource/core.py b/keystone/resource/core.py
index efd9077..e4ada76 100644
--- a/keystone/resource/core.py
+++ b/keystone/resource/core.py
@@ -773,6 +773,9 @@ class Manager(manager.Manager):
773 'first.')) 773 'first.'))
774 774
775 self._delete_domain_contents(domain_id) 775 self._delete_domain_contents(domain_id)
776 notifications.Audit.internal(
777 notifications.DOMAIN_DELETED, domain_id
778 )
776 self._delete_project(domain_id, initiator) 779 self._delete_project(domain_id, initiator)
777 try: 780 try:
778 self.get_domain.invalidate(self, domain_id) 781 self.get_domain.invalidate(self, domain_id)
diff --git a/releasenotes/notes/bug-1718747-50d39fa87bdbb12b.yaml b/releasenotes/notes/bug-1718747-50d39fa87bdbb12b.yaml
new file mode 100644
index 0000000..2ee2f44
--- /dev/null
+++ b/releasenotes/notes/bug-1718747-50d39fa87bdbb12b.yaml
@@ -0,0 +1,17 @@
1---
2fixes:
3 - |
4 [`bug 1718747 <https://bugs.launchpad.net/keystone/+bug/1718747>`_]
5 Fixes a regression where deleting a domain with users in it caues a server
6 error. This bugfix restores the previous behavior of deleting the users
7 namespaced in the domain. This only applies when using the SQL identity
8 backend.
9other:
10 - |
11 [`bug 1718747 <https://bugs.launchpad.net/keystone/+bug/1718747>`_]
12 As part of solving a regression in the identity SQL backend that prevented
13 domains containing users from being deleted, a notification callback was
14 altered so that users would only be deleted if the identity backend is SQL.
15 If you have a custom identity backend that is not read-only, deleting a
16 domain in keystone will not delete the users in your backend unless your
17 driver has an is_sql property that evaluates to true.