Public bug reported:

Description of problem:
Testing multi domain support in RHOS. The deletion of this domain when write enabled cleared the LDAP database entirely. Thankfully this was done in a lab, because LDAP was a total loss.
Version-Release number of selected component (if applicable):
# rpm -qa | grep packstack
openstack-packstack-puppet-2015.1-0.14.dev1589.g1d6372f.el7ost.noarch
openstack-packstack-2015.1-0.14.dev1589.g1d6372f.el7ost.noarch
# rpm -qa | grep keystone
python-keystoneclient-1.3.0-2.el7ost.noarch
python-keystone-2015.1.2-2.el7ost.noarch
openstack-keystone-2015.1.2-2.el7ost.noarch
python-keystonemiddleware-1.5.1-1.el7ost.noarch

How reproducible:
Assuming always? I was only able to do this once.

Steps to Reproduce:
1. Enable multi domain support in keystone, ensure the following is in /etc/keystone.conf
[identity]
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
#default_domain_id = 7d9bed61b1564f2289296a4e9241482d

2. Then add an LDAP domain and ensure that writes are permitted.
vim /etc/keystone/domains/keystone.laboratory.conf
[ldap]
url=ldap://auth.lab.runlevelone.lan
user=uid=keystone,cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
password=xxxxxxx
suffix=ccn=accounts,dc=lab,dc=runlevelone,dc=lan
user_tree_dn=cn=users,cn=accounts,dc=lab,dc=runlevelone,dc=lan
user_objectclass=person
user_id_attribute=uid
user_name_attribute=uid
user_mail_attribute=mail
user_allow_create=true
user_allow_update=true
user_allow_delete=true
group_tree_dn=cn=groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan
group_objectclass=groupOfNames
group_id_attribute=cn
group_name_attribute=cn
group_member_attribute=member
group_desc_attribute=description
group_allow_create=true
group_allow_update=true
group_allow_delete=true
user_enabled_attribute=nsAccountLock
user_enabled_default=false
user_enabled_invert=true
[identity]
driver = keystone.identity.backends.ldap.Identity

3. Remove the domain, using 'openstack domain delete #domain_id'

Actual results:
Clears LDAP database, cn=users/groups,cn=accounts,dc=lab,dc=runlevelone,dc=lan was completely empty

Expected results:
Does not delete users on removal or prompt "THIS WILL DELETE ALL USERS, DO YOU WANT TO PROCEED"

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1546834
Title: The deletion of an LDAP domain in keystone when write enabled should not clear the LDAP database
Status in OpenStack Identity (keystone): New
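A pre-flight check for the situation in this report, added here as an example and not code from the bug or from keystone itself: it parses a domain-specific config in the same [ldap]/[identity] layout, lists which LDAP subtrees a cascading domain delete could reach while *_allow_delete is on, and produces a copy with those deletes switched off. The sample config, the hostnames and the helper names are constructed for this example.

```python
import configparser
import io
from dataclasses import dataclass, field

# Constructed sample in the report's [ldap]/[identity] layout; host and password are placeholders.
SAMPLE_DOMAIN_CONF = """[ldap]
url=ldap://auth.example.test
user=uid=keystone,cn=users,cn=accounts,dc=example,dc=test
password=REDACTED
suffix=cn=accounts,dc=example,dc=test
user_tree_dn=cn=users,cn=accounts,dc=example,dc=test
user_allow_delete=true
group_tree_dn=cn=groups,cn=accounts,dc=example,dc=test
group_allow_delete=true
[identity]
driver = keystone.identity.backends.ldap.Identity
"""

@dataclass
class DeleteRisk:
    ldap_backed: bool
    writable_trees: list = field(default_factory=list)  # (kind, DN) pairs a delete could empty

    @property
    def safe_to_delete(self) -> bool:
        return not (self.ldap_backed and self.writable_trees)

def assess_domain_delete(conf_text: str) -> DeleteRisk:
    """List the LDAP subtrees a cascading domain delete could empty for this domain config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    driver = cp.get("identity", "driver", fallback="sql")
    risk = DeleteRisk(ldap_backed=driver.endswith("ldap.Identity") or driver == "ldap")
    if not risk.ldap_backed or not cp.has_section("ldap"):
        return risk
    for kind in ("user", "group"):
        # Keystone releases that still allowed LDAP writes defaulted *_allow_delete to true.
        if cp.getboolean("ldap", f"{kind}_allow_delete", fallback=True):
            tree = cp.get("ldap", f"{kind}_tree_dn", fallback=cp.get("ldap", "suffix"))
            risk.writable_trees.append((kind, tree))
    return risk

def read_only_copy(conf_text: str) -> str:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for kind in ("user", "group"):
        cp.set("ldap", f"{kind}_allow_delete", "false")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Run assess_domain_delete over each file in domain_config_dir before issuing 'openstack domain delete'; anything reported as not safe_to_delete should get the read_only_copy (or a backup of the trees listed) first.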