Users that are removed from LDAP break role assignments and cannot be removed easily

Followed: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/9/html/integrate_with_identity_service/sec-active-directory

User test was added to Active Directory:

~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris   |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond  |
| f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | test     |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack project create demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1c3e304811d8457a871a6c67f6f63a75 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
[stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 _member_
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role          | User                               | Group | Project         | Domain     | Inherited |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin         | cinderv2@Default                   |       | service@Default |            | False     |
| _member_      | cinderv2@Default                   |       | service@Default |            | False     |
| admin         | ceilometer@Default                 |       | service@Default |            | False     |
| _member_      | ceilometer@Default                 |       | service@Default |            | False     |
| ResellerAdmin | ceilometer@Default                 |       | service@Default |            | False     |
| admin         | admin@Default                      |       | admin@Default   |            | False     |
| admin         | nova@Default                       |       | service@Default |            | False     |
| _member_      | nova@Default                       |       | service@Default |            | False     |
| admin         | glance@Default                     |       | service@Default |            | False     |
| _member_      | glance@Default                     |       | service@Default |            | False     |
| admin         | neutron@Default                    |       | service@Default |            | False     |
| _member_      | neutron@Default                    |       | service@Default |            | False     |
| admin         | sahara@Default                     |       | service@Default |            | False     |
| _member_      | sahara@Default                     |       | service@Default |            | False     |
| admin         | gnocchi@Default                    |       | service@Default |            | False     |
| _member_      | gnocchi@Default                    |       | service@Default |            | False     |
| ResellerAdmin | gnocchi@Default                    |       | service@Default |            | False     |
| admin         | swift@Default                      |       | service@Default |            | False     |
| _member_      | swift@Default                      |       | service@Default |            | False     |
| admin         | aodh@Default                       |       | service@Default |            | False     |
| _member_      | aodh@Default                       |       | service@Default |            | False     |
| _member_      | test@redhat                        |       | demo@Default    |            | False     |
| admin         | cinder@Default                     |       | service@Default |            | False     |
| _member_      | cinder@Default                     |       | service@Default |            | False     |
| admin         | heat@Default                       |       | service@Default |            | False     |
| _member_      | heat@Default                       |       | service@Default |            | False     |
| admin         | admin@Default                      |       |                 | redhat     | False     |
| admin         | admin@Default                      |       |                 | Default    | False     |
| admin         | heat_stack_domain_admin@heat_stack |       |                 | heat_stack | False     |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
~~~

User test was removed from Active Directory:

~~~
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris   |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond  |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack role assignment list | head -2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+----------------------------------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain                           | Inherited |
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
~~~

The role assignment cannot be removed:

~~~
[stack@undercloud-6 ~]$ openstack role remove --project demo --user 1c3e304811d8457a871a6c67f6f63a75 _member_
No user with a name or ID of '1c3e304811d8457a871a6c67f6f63a75' exists.
~~~

The user cannot be deleted:

~~~
[stack@undercloud-6 ~]$ openstack user delete f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
~~~

Looking at the database, the id_mapping table and the assignment table seem to be the only ones holding references to this user (given the test which I ran, meaning that I assigned a role to the user):

~~~
[root@overcloud-controller-0 domains]# mysql keystone -e 'show tables;' | awk '{print $1}' | while read t;do echo "XXXXX $t XXXXX"; mysql keystone -e "select * from $t \G" | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 -C5 ; done
XXXXX Tables_in_keystone XXXXX
ERROR 1146 (42S02) at line 1: Table 'keystone.Tables_in_keystone' doesn't exist
XXXXX access_token XXXXX
XXXXX assignment XXXXX
target_id: dfc01178c51b4688be78188b5e8c9581
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 22. row ***************************
     type: UserProject
 actor_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
target_id: 1c3e304811d8457a871a6c67f6f63a75
  role_id: 9fe2ff9ee4384b1894a90878d3e92bab
inherited: 0
*************************** 23. row ***************************
     type: UserProject
XXXXX config_register XXXXX
XXXXX consumer XXXXX
XXXXX credential XXXXX
XXXXX domain XXXXX
XXXXX endpoint XXXXX
XXXXX endpoint_group XXXXX
XXXXX federated_user XXXXX
XXXXX federation_protocol XXXXX
XXXXX group XXXXX
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'group' at line 1
XXXXX id_mapping XXXXX
  public_id: 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90
  domain_id: 210bdf7974a14693843ec7f9b1956105
   local_id: svc-ldap
entity_type: user
*************************** 4. row ***************************
  public_id: f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
  domain_id: 210bdf7974a14693843ec7f9b1956105
   local_id: test
entity_type: user
XXXXX identity_provider XXXXX
XXXXX idp_remote_ids XXXXX
XXXXX implied_role XXXXX
XXXXX local_user XXXXX
XXXXX mapping XXXXX
XXXXX migrate_version XXXXX
XXXXX password XXXXX
XXXXX policy XXXXX
XXXXX policy_association XXXXX
XXXXX project XXXXX
XXXXX project_endpoint XXXXX
XXXXX project_endpoint_group XXXXX
XXXXX region XXXXX
XXXXX request_token XXXXX
XXXXX revocation_event XXXXX
XXXXX role XXXXX
XXXXX sensitive_config XXXXX
XXXXX service XXXXX
XXXXX service_provider XXXXX
XXXXX token XXXXX
XXXXX trust XXXXX
XXXXX trust_role XXXXX
XXXXX user XXXXX
XXXXX user_group_membership XXXXX
XXXXX whitelisted_config XXXXX
~~~

Before cleanup:

~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 |       | 1c3e304811d8457a871a6c67f6f63a75 |                                  | False     |
~~~

In order to clean up the mapping:

~~~
[root@overcloud-controller-0 domains]# mysql keystone -e 'delete from assignment where actor_id="f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2"'
[root@overcloud-controller-0 domains]#
~~~

After this:

~~~
[stack@undercloud-6 ~]$ openstack role assignment list | grep f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role          | User                               | Group | Project         | Domain     | Inherited |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin         | cinderv2@Default                   |       | service@Default |            | False     |
| _member_      | cinderv2@Default                   |       | service@Default |            | False     |
| admin         | ceilometer@Default                 |       | service@Default |            | False     |
| _member_      | ceilometer@Default                 |       | service@Default |            | False     |
| ResellerAdmin | ceilometer@Default                 |       | service@Default |            | False     |
| admin         | admin@Default                      |       | admin@Default   |            | False     |
| admin         | nova@Default                       |       | service@Default |            | False     |
| _member_      | nova@Default                       |       | service@Default |            | False     |
| admin         | glance@Default                     |       | service@Default |            | False     |
| _member_      | glance@Default                     |       | service@Default |            | False     |
| admin         | neutron@Default                    |       | service@Default |            | False     |
| _member_      | neutron@Default                    |       | service@Default |            | False     |
| admin         | sahara@Default                     |       | service@Default |            | False     |
| _member_      | sahara@Default                     |       | service@Default |            | False     |
| admin         | gnocchi@Default                    |       | service@Default |            | False     |
| _member_      | gnocchi@Default                    |       | service@Default |            | False     |
| ResellerAdmin | gnocchi@Default                    |       | service@Default |            | False     |
| admin         | swift@Default                      |       | service@Default |            | False     |
| _member_      | swift@Default                      |       | service@Default |            | False     |
| admin         | aodh@Default                       |       | service@Default |            | False     |
| _member_      | aodh@Default                       |       | service@Default |            | False     |
| admin         | cinder@Default                     |       | service@Default |            | False     |
| _member_      | cinder@Default                     |       | service@Default |            | False     |
| admin         | heat@Default                       |       | service@Default |            | False     |
| _member_      | heat@Default                       |       | service@Default |            | False     |
| admin         | admin@Default                      |       |                 | redhat     | False     |
| admin         | admin@Default                      |       |                 | Default    | False     |
| admin         | heat_stack_domain_admin@heat_stack |       |                 | heat_stack | False     |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
~~~
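The workaround above deletes one hard-coded actor_id by hand. The following is an added example (not Keystone code and not part of the report) that generalizes it: it joins `assignment` against `id_mapping` to find every assignment whose actor is an LDAP-mapped entity that the directory no longer returns, leaves live LDAP users and SQL-backed users (which have no `id_mapping` row) untouched, and removes the stale `id_mapping` row along with the assignments. The two tables are modelled in an in-memory SQLite database with exactly the columns shown in the `\G` dumps above so the script runs offline; the `admin-sql-user-id` rows and the `svc-ldap` role are constructed test data, and `DOMAIN_ID`, `PROJECT_DEMO`, `ROLE_MEMBER` and the two public IDs are copied from the report. Purging the assignment rows, not just hiding them, matters: Keystone's default ID generator derives the public ID from a SHA-256 hash of domain, local ID and entity type, so a user recreated in AD under the same name would get the same public ID and silently inherit any assignments left behind.

```python
"""Find and purge Keystone role assignments left behind by users deleted from LDAP/AD.

Added example, not Keystone code. The tables are modelled in SQLite with the
columns seen in the report's `select * from ... \\G` dumps; against a real
controller the same SELECT/DELETE statements would be issued over a MariaDB
connection (try them on a database backup first).
"""
import sqlite3
from typing import Iterable, List, Tuple

# IDs copied from the report: domain "redhat", project "demo", role "_member_",
# and the public IDs of the LDAP users svc-ldap and test.
DOMAIN_ID = "210bdf7974a14693843ec7f9b1956105"
PROJECT_DEMO = "1c3e304811d8457a871a6c67f6f63a75"
ROLE_MEMBER = "9fe2ff9ee4384b1894a90878d3e92bab"
PUBLIC_ID_SVC = "853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90"
PUBLIC_ID_TEST = "f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2"

Orphan = Tuple[str, str, str, str, str]  # (type, actor_id, target_id, role_id, local_id)


def build_sample_db() -> sqlite3.Connection:
    """Constructed fixture: the report's id_mapping/assignment rows, plus a role
    for the live LDAP user svc-ldap and a SQL-backed admin user that has no
    id_mapping row, so the purge can be shown to leave both alone."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE id_mapping (
            public_id   TEXT PRIMARY KEY,
            domain_id   TEXT NOT NULL,
            local_id    TEXT NOT NULL,
            entity_type TEXT NOT NULL,
            UNIQUE (domain_id, local_id, entity_type));
        CREATE TABLE assignment (
            type      TEXT NOT NULL,
            actor_id  TEXT NOT NULL,
            target_id TEXT NOT NULL,
            role_id   TEXT NOT NULL,
            inherited INTEGER NOT NULL DEFAULT 0);
        """
    )
    conn.executemany(
        "INSERT INTO id_mapping VALUES (?, ?, ?, ?)",
        [
            (PUBLIC_ID_SVC, DOMAIN_ID, "svc-ldap", "user"),
            (PUBLIC_ID_TEST, DOMAIN_ID, "test", "user"),  # later deleted in AD
        ],
    )
    conn.executemany(
        "INSERT INTO assignment VALUES (?, ?, ?, ?, ?)",
        [
            ("UserProject", PUBLIC_ID_TEST, PROJECT_DEMO, ROLE_MEMBER, 0),  # the orphan from the report
            ("UserProject", PUBLIC_ID_SVC, PROJECT_DEMO, ROLE_MEMBER, 0),  # constructed: live LDAP user
            ("UserProject", "admin-sql-user-id", "admin-project-id", "admin-role-id", 0),  # constructed: SQL user, no mapping
        ],
    )
    conn.commit()
    return conn


def find_orphans(conn: sqlite3.Connection, domain_id: str,
                 live_local_ids: Iterable[str], entity_type: str = "user") -> List[Orphan]:
    """Dry run: assignments whose actor has an id_mapping row in this domain but
    whose local_id is no longer among the entries the directory returns.
    Actors without a mapping row (SQL-backed users) are never candidates."""
    live = set(live_local_ids)
    rows = conn.execute(
        """
        SELECT a.type, a.actor_id, a.target_id, a.role_id, m.local_id
          FROM assignment a
          JOIN id_mapping m ON m.public_id = a.actor_id
         WHERE m.domain_id = ? AND m.entity_type = ?
         ORDER BY a.actor_id, a.target_id, a.role_id
        """,
        (domain_id, entity_type),
    ).fetchall()
    return [r for r in rows if r[4] not in live]


def purge_orphans(conn: sqlite3.Connection, domain_id: str,
                  live_local_ids: Iterable[str], entity_type: str = "user") -> Tuple[int, int]:
    """Delete every assignment of each orphaned actor and its stale id_mapping
    row in one transaction. Returns (assignments_deleted, mappings_deleted)."""
    actor_ids = sorted({r[1] for r in find_orphans(conn, domain_id, live_local_ids, entity_type)})
    if not actor_ids:
        return (0, 0)
    marks = ",".join("?" * len(actor_ids))
    with conn:  # commit on success, roll back on error
        deleted_assignments = conn.execute(
            f"DELETE FROM assignment WHERE actor_id IN ({marks})", actor_ids).rowcount
        deleted_mappings = conn.execute(
            f"DELETE FROM id_mapping WHERE domain_id = ? AND public_id IN ({marks})",
            [domain_id, *actor_ids]).rowcount
    return (deleted_assignments, deleted_mappings)


if __name__ == "__main__":
    db = build_sample_db()
    # What `openstack user list --domain redhat` returned after "test" was deleted in AD.
    still_in_ldap = ["svc-ldap", "akaris", "nalmond"]
    for orphan in find_orphans(db, DOMAIN_ID, still_in_ldap):
        print("orphan:", orphan)
    print("deleted (assignments, mappings):", purge_orphans(db, DOMAIN_ID, still_in_ldap))
```

In practice the `live_local_ids` list comes from `openstack user list --domain redhat -f value -c Name` (or a direct LDAP search with the same filter Keystone uses), and the same call with `entity_type="group"` handles assignments held by LDAP groups that were deleted, since `id_mapping` maps those the same way. Run `find_orphans` first and review its output before calling `purge_orphans`; a wrong or incomplete live list would delete assignments of users that still exist.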
We are experiencing the exact same issue, and have come to the same "solution" (removing entries in the database)... So let's upvote this one.