Bug 1291607
Summary: | [platformmanagement_public_549]Administrator can't remove groups which no longer present on the LDAP server from OpenShift records | | |
---|---|---|---|
Product: | OKD | Reporter: | zhou ying <yinzhou> |
Component: | oc | Assignee: | Steve Kuznetsov <skuznets> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Wei Sun <wsun> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 3.x | CC: | aos-bugs, deads, mmccomas, xiaocwan |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-05-12 17:11:10 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
This is a bug found when deleting the LDAP entry for group metadata in the Augmented AD schema. This occurs as we do not consider the presence of the group metadata object as indicative of group existence for this schema. When deleting the LDAP group entry for the RFC2307 schema, groups are pruned as expected. This should be simple to fix, ETA today or tomorrow.

Bug fix in this pull request: https://github.com/openshift/origin/pull/6323

Verified on openshift origin:

```
openshift v1.1-477-g0d4de0b
oc v1.1-477-g0d4de0b
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2
```

Hi Steve Kuznetsov, it's not reproduced on origin already, could you help to mark this status "ON_QA" and then it could be Verified.

Updating on Steve's behalf.

Verified on openshift origin:

```
openshift v1.1-477-g0d4de0b
oc v1.1-477-g0d4de0b
kubernetes v1.1.0-origin-1107-g4c8e6f4
```
Description of problem:
Sync some groups from the LDAP server, then delete one matched group on the LDAP server; for OpenShift, the cluster-admin runs the 'prune-groups' command, but it fails to prune the OpenShift groups referencing missing records from the LDAP server.

Version-Release number of selected component (if applicable):

```
openshift v1.1-440-gfc1cff2
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2
```

How reproducible: Always

Steps to Reproduce:
1. Start openshift;
2. Use the command to sync some groups from the LDAP server: `openshift ex sync-groups --sync-config=aad_config.yaml --confirm --config=openshift.local.config/master/admin.kubeconfig`
3. Check the groups; 3 groups have been synced successfully:

   ```
   [root@ip-172-18-15-96 amd64]# oc get groups --config=openshift.local.config/master/admin.kubeconfig
   NAME              USERS
   extended-group1   person1smith, person2smith, person3smith, person4smith, person5smith
   extended-group2   person1smith, person2smith, person3smith
   extended-group3   person1smith, person5smith
   ```

4. Before deleting the group on the LDAP server, search all the group info and save it as "all": `ldapsearch -x -b "dc=example,dc=com" > all`
5. Use the command to delete the 'extended-group1' group: `ldapdelete -x -h 127.0.0.1 -p 389 -D cn=Manager,dc=example,dc=com -w admin "cn=group1,ou=groups,ou=adextended,dc=example,dc=com"`
6. On the LDAP server, search all the group info again and save it as "no-ex-g1": `ldapsearch -x -b "dc=example,dc=com" > no-ex-g1`
7. As cluster-admin, prune the groups which were deleted on the LDAP server:
   `openshift ex prune-groups --sync-config=aad_config.yaml`
   `openshift ex prune-groups --sync-config=aad_config.yaml --confirm`

Actual results:
7. No groups were pruned.

```
[root@ip-172-18-15-96 amd64]# oc get groups
NAME              USERS
extended-group1   person1smith, person2smith, person3smith, person4smith, person5smith
extended-group2   person1smith, person2smith, person3smith
extended-group3   person1smith, person5smith
```

Expected results:
7. The group "extended-group1" should be pruned, since the group info has been deleted on the LDAP server.

Additional info:

```
[root@ip-172-18-15-96 amd64]# diff all no-ex-g1
277,285d276
< # group1, groups, adextended, example.com
< dn: cn=group1,ou=groups,ou=adextended,dc=example,dc=com
< objectClass: groupOfNames
< cn: extended-group1
< cn: group1
< owner: cn=Person1,ou=people,ou=adextended,dc=example,dc=com
< description: Person1's Group
< member: cn=Person5,ou=people,ou=rfc2307,dc=example,dc=com
<
308,309c299,300
< # numResponses: 31
< # numEntries: 30
---
> # numResponses: 30
> # numEntries: 29
```
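To make the failure concrete, here is an added Python example; it is not OpenShift code and not part of the bug report. It models the prune decision against a parsed `ldapsearch` dump and contrasts the check the assignee describes as the cause (treating users who still claim membership as proof the group exists) with the check that keys on the group metadata entry. It assumes a simplified augmented AD layout in which membership lives in a `memberOf` attribute on user entries while a separate group entry carries the group's metadata, and it assumes each synced OpenShift group remembers the LDAP DN it came from (the `SYNCED_GROUPS` mapping). The directory contents, entry names and function names are constructed for the example.

```python
"""Added example (not OpenShift code): decide which synced OpenShift groups
to prune by checking whether the LDAP entry each group was synced from is
still present in an ldapsearch dump.

Assumptions, all constructed for this example: group membership is stored
as a memberOf attribute on user entries while a separate group entry holds
the group's metadata (a simplified augmented AD layout), and every synced
OpenShift group remembers the LDAP DN it came from (SYNCED_GROUPS below).
"""
from typing import Callable, Dict, List

LdapEntries = Dict[str, Dict[str, List[str]]]

GROUP1_DN = "cn=group1,ou=groups,ou=adextended,dc=example,dc=com"
GROUP2_DN = "cn=group2,ou=groups,ou=adextended,dc=example,dc=com"

# Constructed ldapsearch-style (LDIF) dump taken "before" the deletion.
DIRECTORY_BEFORE = f"""\
# group1, groups, adextended, example.com
dn: {GROUP1_DN}
objectClass: groupOfNames
cn: extended-group1
cn: group1

dn: {GROUP2_DN}
objectClass: groupOfNames
cn: extended-group2
cn: group2

dn: cn=Person1,ou=people,ou=adextended,dc=example,dc=com
objectClass: person
cn: Person1
memberOf: {GROUP1_DN}
memberOf: {GROUP2_DN}

dn: cn=Person2,ou=people,ou=adextended,dc=example,dc=com
objectClass: person
cn: Person2
memberOf: {GROUP1_DN}
"""

# OpenShift group name -> LDAP DN it was synced from (constructed mapping).
SYNCED_GROUPS = {"extended-group1": GROUP1_DN, "extended-group2": GROUP2_DN}


def parse_ldif(text: str) -> LdapEntries:
    """Parse ldapsearch output into {dn: {attribute: [values]}}.

    Comment lines are skipped and a blank line ends the current entry;
    DNs are lower-cased so lookups are case-insensitive, as in LDAP.
    """
    entries: LdapEntries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = value.lower()
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(key, []).append(value)
    return entries


def delete_entry(entries: LdapEntries, dn: str) -> LdapEntries:
    """Mimic `ldapdelete` of one entry; memberOf values on users are left
    untouched, which is exactly what makes the buggy check misfire."""
    return {d: attrs for d, attrs in entries.items() if d != dn.lower()}


def group_exists_by_membership(entries: LdapEntries, group_dn: str) -> bool:
    """Buggy check: any user still claiming membership counts as proof that
    the group exists, so a deleted group entry is never noticed."""
    wanted = group_dn.lower()
    return any(wanted in (m.lower() for m in attrs.get("memberof", []))
               for attrs in entries.values())


def group_exists_by_metadata(entries: LdapEntries, group_dn: str) -> bool:
    """Fixed check: the group's own metadata entry must still be present."""
    return group_dn.lower() in entries


def groups_to_prune(synced: Dict[str, str], entries: LdapEntries,
                    exists: Callable[[LdapEntries, str], bool]) -> List[str]:
    """Return the OpenShift groups whose LDAP source no longer exists."""
    return sorted(name for name, dn in synced.items() if not exists(entries, dn))


if __name__ == "__main__":
    before = parse_ldif(DIRECTORY_BEFORE)
    after = delete_entry(before, GROUP1_DN)  # step 5 of the report
    print("buggy:", groups_to_prune(SYNCED_GROUPS, after, group_exists_by_membership))
    print("fixed:", groups_to_prune(SYNCED_GROUPS, after, group_exists_by_metadata))
```

With the group entry removed, the membership-based check still reports `extended-group1` as existing because the user entries keep their `memberOf` values, so nothing is pruned, which is the "Actual results" above; the metadata-based check prunes exactly `extended-group1`, which is the expected result.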