Bug 1291607 - [platformmanagement_public_549]Administrator can't remove groups which no longer present on the LDAP server from OpenShift records
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface
Version: 3.x
Priority: medium
Severity: medium
Assigned To: Steve Kuznetsov
Wei Sun
Reported: 2015-12-15 04:25 EST by zhou ying
Modified: 2016-05-12 13:11 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-05-12 13:11:10 EDT
Type: Bug
Description zhou ying 2015-12-15 04:25:18 EST
Description of problem:
Sync some groups from the LDAP server, then delete one matched group on the LDAP server; in OpenShift, the cluster-admin runs the 'prune-groups' command, but it fails to prune the OpenShift groups referencing records that are missing from the LDAP server.


Version-Release number of selected component (if applicable):
openshift v1.1-440-gfc1cff2
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2

How reproducible:
Always

Steps to Reproduce:
1. Start openshift;
2. Use command to sync some groups from LDAP server:
   `openshift ex sync-groups --sync-config=aad_config.yaml --confirm --config=openshift.local.config/master/admin.kubeconfig`
3. Check the groups; 3 groups have been synced successfully:
   [root@ip-172-18-15-96 amd64]# oc get groups --config=openshift.local.config/master/admin.kubeconfig
   NAME              USERS
   extended-group1   person1smith@example.com, person2smith@example.com, person3smith@example.com, person4smith@example.com, person5smith@example.com
   extended-group2   person1smith@example.com, person2smith@example.com, person3smith@example.com
   extended-group3   person1smith@example.com, person5smith@example.com

4. Before deleting the group on the LDAP server, search all the group info and save it as "all":
   `ldapsearch -x -b "dc=example,dc=com" > all`
5. Use this command to delete the 'extended-group1' group:
   `ldapdelete -x -h 127.0.0.1 -p 389 -D cn=Manager,dc=example,dc=com -w admin "cn=group1,ou=groups,ou=adextended,dc=example,dc=com"`
6. On the LDAP server, search all the group info again and save it as "no-ex-g1":
   `ldapsearch -x -b "dc=example,dc=com" > no-ex-g1`
7. As cluster-admin, prune the groups which were deleted on the LDAP server:
   `openshift ex prune-groups --sync-config=aad_config.yaml`
   `openshift ex prune-groups --sync-config=aad_config.yaml --confirm`

Actual results:
7. No groups were pruned.
[root@ip-172-18-15-96 amd64]# oc get groups
NAME              USERS
extended-group1   person1smith@example.com, person2smith@example.com, person3smith@example.com, person4smith@example.com, person5smith@example.com
extended-group2   person1smith@example.com, person2smith@example.com, person3smith@example.com
extended-group3   person1smith@example.com, person5smith@example.com

Expected results:
7. The group "extended-group1" should be pruned, since its group info has been deleted on the LDAP server.

Additional info:
[root@ip-172-18-15-96 amd64]# diff all no-ex-g1 
277,285d276
< # group1, groups, adextended, example.com
< dn: cn=group1,ou=groups,ou=adextended,dc=example,dc=com
< objectClass: groupOfNames
< cn: extended-group1
< cn: group1
< owner: cn=Person1,ou=people,ou=adextended,dc=example,dc=com
< description: Person1's Group
< member: cn=Person5,ou=people,ou=rfc2307,dc=example,dc=com
< 
308,309c299,300
< # numResponses: 31
< # numEntries: 30
---
> # numResponses: 30
> # numEntries: 29
Comment 1 Steve Kuznetsov 2015-12-15 09:20:48 EST
This is a bug found when deleting the LDAP entry for group metadata in the Augmented AD schema. This occurs as we do not consider the presence of the group metadata object as indicative of group existence for this schema. When deleting the LDAP group entry for the RFC2307 schema, groups are pruned as expected. This should be simple to fix, ETA today or tomorrow.
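The root cause Steve describes, modelled as an added example that is not origin's own code: a prune check that only asks whether some user entry still lists the group DN (assumed here to be how Augmented AD membership is derived, via a memberOf-style attribute) keeps a deleted group alive, while a check on the group's own metadata entry prunes it. The Directory type, function names and every value are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Directory is a constructed stand-in (hypothetical type) for the two facts an
// Augmented AD sync can observe about each group DN.
type Directory struct {
	MemberOfRefs map[string]int  // group DN -> user entries still listing it
	GroupEntries map[string]bool // group DN -> metadata entry present
}

// referencedByUsers is the pre-fix test: a group counts as present while any
// user entry still names its DN, even after the group entry itself was deleted.
func referencedByUsers(dir Directory, groupDN string) bool { return dir.MemberOfRefs[groupDN] > 0 }

// entryExists is the fixed test: the group metadata entry must still exist.
func entryExists(dir Directory, groupDN string) bool { return dir.GroupEntries[groupDN] }

// pruneCandidates returns the OpenShift group names (name -> LDAP DN recorded at
// sync time) whose LDAP record is missing under the given existence test.
func pruneCandidates(synced map[string]string, dir Directory, exists func(Directory, string) bool) []string {
	var out []string
	for name, dn := range synced {
		if !exists(dir, dn) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// sampleState mirrors the report: group1's entry was removed with ldapdelete
// while one user (Person5) still lists it; group2 is intact. Values constructed.
func sampleState() (map[string]string, Directory) {
	g1 := "cn=group1,ou=groups,ou=adextended,dc=example,dc=com"
	g2 := "cn=group2,ou=groups,ou=adextended,dc=example,dc=com"
	synced := map[string]string{"extended-group1": g1, "extended-group2": g2}
	dir := Directory{MemberOfRefs: map[string]int{g1: 1, g2: 3}, GroupEntries: map[string]bool{g2: true}}
	return synced, dir
}

func main() {
	synced, dir := sampleState()
	fmt.Println("pre-fix:", pruneCandidates(synced, dir, referencedByUsers)) // []
	fmt.Println("fixed:  ", pruneCandidates(synced, dir, entryExists))       // [extended-group1]
}
```

A group that survives only through dangling user references keeps whatever role bindings it carries in OpenShift, which is why the prune decision has to rest on the group entry itself.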
Comment 2 Steve Kuznetsov 2015-12-15 10:22:58 EST
Bug fix in this pull request: https://github.com/openshift/origin/pull/6323
Comment 3 XiaochuanWang 2015-12-16 04:16:38 EST
Verified on openshift origin:
openshift v1.1-477-g0d4de0b
oc v1.1-477-g0d4de0b
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2
Comment 4 XiaochuanWang 2015-12-16 04:36:40 EST
Hi Steve Kuznetsov, it's not reproduced on origin already; could you help to mark this status "ON_QA", and then it could be Verified?
Comment 5 David Eads 2015-12-16 07:40:26 EST
Updating on Steve's behalf.
Comment 6 XiaochuanWang 2015-12-17 00:29:55 EST
Verified on openshift origin:
openshift v1.1-477-g0d4de0b
oc v1.1-477-g0d4de0b
kubernetes v1.1.0-origin-1107-g4c8e6f4
