Bug 1252817 - [RFE][keystone] Tool needed to manipulate the assignments directly
[RFE][keystone] Tool needed to manipulate the assignments directly
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
6.0 (Juno)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: 8.0 (Liberty)
Assigned To: Nathan Kinder
Shai Revivo
: FutureFeature, ZStream
: 1252816 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2015-08-12 05:46 EDT by Eduard Barrera
Modified: 2016-09-30 13:49 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-09-30 13:49:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eduard Barrera 2015-08-12 05:46:38 EDT
Description of problem:

When a user is deleted in a LDAP or AD backend it happens that some leftover information remains in the assignments table. When it happens we can see in the project the user uuid but we are not able to delete it.

We would like to have a tool to manipulate the assignments directly without having to go to the database in order to achieve this task, for example

# keystone assignment-delete <tenant> <user>

or a way to resync the current assignment with the backend and remove from the database the deleted users

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Starting from a keystone using AD backend:

1. Give a role in a project to the user
2. Delete the user from the backend

Actual results:
A uuid is displayed in the project users
It is not possible to delete it manually

Expected results:
- uuid not displayed in the project users
- a way to delete the assignement when it happens

Additional info:
Comment 5 Nathan Kinder 2015-08-31 16:49:16 EDT
*** Bug 1252816 has been marked as a duplicate of this bug. ***
Comment 6 Adam Young 2015-08-31 17:09:31 EDT
You should be able to use the V3 API to delete a role from a user:


DELETE /domains/{domain_id}/users/{user_id}/roles/{role_id}

Looking through the code, I do not think that it does any check for the user in the identity backend.

The Openstack common Client with OS_IDENTITY_API_VERSION=3 should be making that call.

Note You need to log in before you can comment on or make changes to this bug.