Bug 1466533 - Users that are removed from LDAP break role assignments and cannot be removed easily
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
9.0 (Mitaka)
low Severity low
: Upstream M3
: ---
Assigned To: John Dennis
nlevinki
: Triaged
Depends On:
Blocks:
Reported: 2017-06-29 19:17 EDT by Andreas Karis
Modified: 2018-02-12 15:12 EST (History)
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1658641 None None None 2017-06-30 10:45 EDT
Description Andreas Karis 2017-06-29 19:17:18 EDT
Users that are removed from LDAP break role assignments and cannot be removed easily

Followed: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html/integrate_with_identity_service/sec-active-directory

User test was added to Active Directory:
~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris   |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond  |
| f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | test     |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack project create demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1c3e304811d8457a871a6c67f6f63a75 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
[stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 _member_
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role          | User                               | Group | Project         | Domain     | Inherited |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin         | cinderv2@Default                   |       | service@Default |            | False     |
| _member_      | cinderv2@Default                   |       | service@Default |            | False     |
| admin         | ceilometer@Default                 |       | service@Default |            | False     |
| _member_      | ceilometer@Default                 |       | service@Default |            | False     |
| ResellerAdmin | ceilometer@Default                 |       | service@Default |            | False     |
| admin         | admin@Default                      |       | admin@Default   |            | False     |
| admin         | nova@Default                       |       | service@Default |            | False     |
| _member_      | nova@Default                       |       | service@Default |            | False     |
| admin         | glance@Default                     |       | service@Default |            | False     |
| _member_      | glance@Default                     |       | service@Default |            | False     |
| admin         | neutron@Default                    |       | service@Default |            | False     |
| _member_      | neutron@Default                    |       | service@Default |            | False     |
| admin         | sahara@Default                     |       | service@Default |            | False     |
| _member_      | sahara@Default                     |       | service@Default |            | False     |
| admin         | gnocchi@Default                    |       | service@Default |            | False     |
| _member_      | gnocchi@Default                    |       | service@Default |            | False     |
| ResellerAdmin | gnocchi@Default                    |       | service@Default |            | False     |
| admin         | swift@Default                      |       | service@Default |            | False     |
| _member_      | swift@Default                      |       | service@Default |            | False     |
| admin         | aodh@Default                       |       | service@Default |            | False     |
| _member_      | aodh@Default                       |       | service@Default |            | False     |
| _member_      | test@redhat                        |       | demo@Default    |            | False     |
| admin         | cinder@Default                     |       | service@Default |            | False     |
| _member_      | cinder@Default                     |       | service@Default |            | False     |
| admin         | heat@Default                       |       | service@Default |            | False     |
| _member_      | heat@Default                       |       | service@Default |            | False     |
| admin         | admin@Default                      |       |                 | redhat     | False     |
| admin         | admin@Default                      |       |                 | Default    | False     |
| admin         | heat_stack_domain_admin@heat_stack |       |                 | heat_stack | False     |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
~~~

User test was removed from Active Directory:
~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris   |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond  |
[stack@undercloud-6 ~]$ openstack role assignment list | head -2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+----------------------------------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain                           | Inherited |
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
~~~

The role assignment cannot be removed:
~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user 1c3e304811d8457a871a6c67f6f63a75 _member_
No user with a name or ID of '1c3e304811d8457a871a6c67f6f63a75' exists.
~~~

The user cannot be deleted:
~~~
[stack@undercloud-6 ~]$ openstack user delete f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
~~~
Comment 1 Andreas Karis 2017-06-29 19:17:40 EDT
Looking at the database, the id_mapping table and the assignment table seem to be the only ones holding references to this user (given the test which I ran, meaning that I assigned a role to the user):
~~~
[root@overcloud-controller-0 domains]# mysql keystone -e 'show tables;' | awk '{print $1}' | while read t;do echo "XXXXX $t XXXXX";  mysql keystone -e "select * from $t \G" | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 -C5 ; done
XXXXX Tables_in_keystone XXXXX
ERROR 1146 (42S02) at line 1: Table 'keystone.Tables_in_keystone' doesn't exist
XXXXX access_token XXXXX
XXXXX assignment XXXXX
target_id: dfc01178c51b4688be78188b5e8c9581
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 22. row ***************************
     type: UserProject
 actor_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
target_id: 1c3e304811d8457a871a6c67f6f63a75
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 23. row ***************************
     type: UserProject
XXXXX config_register XXXXX
XXXXX consumer XXXXX
XXXXX credential XXXXX
XXXXX domain XXXXX
XXXXX endpoint XXXXX
XXXXX endpoint_group XXXXX
XXXXX federated_user XXXXX
XXXXX federation_protocol XXXXX
XXXXX group XXXXX
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'group' at line 1
XXXXX id_mapping XXXXX
  public_id: 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90
  domain_id: 210bdf7974a14693843ec7f9b1956105
   local_id: svc-ldap
entity_type: user
*************************** 4. row ***************************
  public_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
  domain_id: 210bdf7974a14693843ec7f9b1956105
   local_id: test
entity_type: user
XXXXX identity_provider XXXXX
XXXXX idp_remote_ids XXXXX
XXXXX implied_role XXXXX
XXXXX local_user XXXXX
XXXXX mapping XXXXX
XXXXX migrate_version XXXXX
XXXXX password XXXXX
XXXXX policy XXXXX
XXXXX policy_association XXXXX
XXXXX project XXXXX
XXXXX project_endpoint XXXXX
XXXXX project_endpoint_group XXXXX
XXXXX region XXXXX
XXXXX request_token XXXXX
XXXXX revocation_event XXXXX
XXXXX role XXXXX
XXXXX sensitive_config XXXXX
XXXXX service XXXXX
XXXXX service_provider XXXXX
XXXXX token XXXXX
XXXXX trust XXXXX
XXXXX trust_role XXXXX
XXXXX user XXXXX
XXXXX user_group_membership XXXXX
XXXXX whitelisted_config XXXXX
~~~

Before cleanup:
~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
~~~

In order to clean up the mapping:
~~~
[root@overcloud-controller-0 domains]# mysql keystone -e 'delete from assignment where actor_id="f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2"'
[root@overcloud-controller-0 domains]# 
~~~

After this:
~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role          | User                               | Group | Project         | Domain     | Inherited |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin         | cinderv2@Default                   |       | service@Default |            | False     |
| _member_      | cinderv2@Default                   |       | service@Default |            | False     |
| admin         | ceilometer@Default                 |       | service@Default |            | False     |
| _member_      | ceilometer@Default                 |       | service@Default |            | False     |
| ResellerAdmin | ceilometer@Default                 |       | service@Default |            | False     |
| admin         | admin@Default                      |       | admin@Default   |            | False     |
| admin         | nova@Default                       |       | service@Default |            | False     |
| _member_      | nova@Default                       |       | service@Default |            | False     |
| admin         | glance@Default                     |       | service@Default |            | False     |
| _member_      | glance@Default                     |       | service@Default |            | False     |
| admin         | neutron@Default                    |       | service@Default |            | False     |
| _member_      | neutron@Default                    |       | service@Default |            | False     |
| admin         | sahara@Default                     |       | service@Default |            | False     |
| _member_      | sahara@Default                     |       | service@Default |            | False     |
| admin         | gnocchi@Default                    |       | service@Default |            | False     |
| _member_      | gnocchi@Default                    |       | service@Default |            | False     |
| ResellerAdmin | gnocchi@Default                    |       | service@Default |            | False     |
| admin         | swift@Default                      |       | service@Default |            | False     |
| _member_      | swift@Default                      |       | service@Default |            | False     |
| admin         | aodh@Default                       |       | service@Default |            | False     |
| _member_      | aodh@Default                       |       | service@Default |            | False     |
| admin         | cinder@Default                     |       | service@Default |            | False     |
| _member_      | cinder@Default                     |       | service@Default |            | False     |
| admin         | heat@Default                       |       | service@Default |            | False     |
| _member_      | heat@Default                       |       | service@Default |            | False     |
| admin         | admin@Default                      |       |                 | redhat     | False     |
| admin         | admin@Default                      |       |                 | Default    | False     |
| admin         | heat_stack_domain_admin@heat_stack |       |                 | heat_stack | False     |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
~~~
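A helper to detect and clean up the orphaned assignments this report describes, added here as an example (it is not keystone's code or the reporter's). It parses the `openstack role assignment list` table, compares each actor ID against the IDs `openstack user list` still returns, and emits DELETE statements narrowed to the exact assignment row rather than to actor_id alone; the sample table and the live-ID set are constructed from the IDs shown in this report.

```python
import re
# Constructed sample: `openstack role assignment list` output, using the IDs
# from this report. The first row belongs to the LDAP user "test" (deleted).
ASSIGNMENT_TABLE = """\
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |        | False     |
| 9fe2ff9ee4384b1894a90878d3e92bab | 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 |       | 1c3e304811d8457a871a6c67f6f63a75 |        | False     |
"""

# Constructed sample: IDs `openstack user list --domain redhat` still returns
# after "test" was removed from Active Directory.
LIVE_USER_IDS = {
    "853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90",
    "82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032",
    "39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d",
}

# Keystone IDs are 32-char UUID hex or 64-char LDAP id_mapping hashes.
HEX_ID = re.compile(r"^[0-9a-f]{32,64}$")

def parse_assignments(table):
    """Return (role_id, user_id, project_id) for each user-to-project row."""
    rows = []
    for line in table.splitlines():
        if not line.startswith("|"):        # skip +---+ border lines
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Role":               # skip the header row
            continue
        role, user, _group, project = cells[:4]
        if user and project:                 # user-on-project assignments only
            rows.append((role, user, project))
    return rows

def orphaned_assignments(table, live_user_ids):
    """Rows whose actor_id no longer resolves to a user keystone can see."""
    return [r for r in parse_assignments(table) if r[1] not in live_user_ids]

def cleanup_sql(orphans):
    """One DELETE per orphan, matching the exact row; IDs are validated as hex first."""
    stmts = []
    for role, user, project in orphans:
        if not all(HEX_ID.match(v) for v in (role, user, project)):
            raise ValueError("unexpected identifier in %r" % ((role, user, project),))
        stmts.append("DELETE FROM assignment WHERE type='UserProject' AND actor_id='%s' "
                     "AND target_id='%s' AND role_id='%s';" % (user, project, role))
    return stmts
```

Run the emitted statements against the keystone database only after confirming the user is really gone from the identity backend; the stale id_mapping row the comment above shows is left in place, as in the reporter's cleanup.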
