Public bug reported:

I've set up a DevStack with Keystone using domain-specific backends.

I've then created a Domain-A with its domain-specific configuration being:

    [ldap]
    url=ldap://ldap.server.com:389
    user=cn=admin,dc=example,dc=com
    password=secret
    suffix=dc=example,dc=com
    user_tree_dn="ou=Users,dc=example,dc=com"
    user_id_attribute=cn
    user_name_attribute=cn
    user_objectclass=organizationalPerson
    user_allow_create=false
    user_allow_update=false
    user_allow_delete=false
    group_tree_dn=ou=Groups,dc=example,dc=com
    group_id_attribute=cn
    group_name_attribute=cn
    group_objectclass=*
    group_allow_create=false
    group_allow_update=false
    group_allow_delete=false

    [identity]
    driver = keystone.identity.backends.ldap.Identity

Now I cannot delete this domain. When I try that, Keystone returns this error:

    {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}

As I configured it not to allow the information to be deleted by Keystone, I'd expect it to ignore the fact that it cannot delete the groups and users and then delete the domain. On the other hand, it is good to have it blocked until the not-needed-anymore configuration file is removed.

See also the chat below on 2014-10-22 on #openstack-keystone:

    14:53:45 gabriel-bezerra | ayoung: I cannot delete a domain that is backed by a populated read-only LDAP database. It is a bug, right? (just asking before filing)
    14:56:11 ayoung | gabriel-bezerra, multi-backend?
    14:56:52 gabriel-bezerra | ayoung: yes, domain-specific
    14:57:37 ayoung | gabriel-bezerra, what error do you get? I'm not certain it's a bug or not. Suspect a foreign key constraint
    14:57:50 ayoung | but you need to disable a domain before deleting no matter what
    14:58:15 gabriel-bezerra | ayoung: {"error": {"message": "You are not authorized to perform the requested action: LDAP group delete (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}
    14:58:39 ayoung | gabriel-bezerra, cuz deleting the domain tries to delete all of the objects inside it
    14:58:48 gabriel-bezerra | ayoung: it is being disabled
    14:59:00 ayoung | You'd have to unmap the domain specific backend part first
    14:59:30 ayoung | so remove the file, restart the server, and I bet it works... and I think that is as it should be under current ways of thinking
    15:00:07 gabriel-bezerra | ayoung: ok. no bug then. thank you.
    15:00:21 ayoung | yeah... but maybe something to document
    15:00:59 ayoung | gabriel-bezerra, until we make the configuration something that can be done on the fly and without restarting the server, I'd say it "works as designed"
    15:07:41 gabriel-bezerra | ayoung: I'll file the bug then, just to keep track of the issue.
    15:07:50 ayoung | ++

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1385405

Title:
  Domain backed by a populated read-only domain-specific LDAP identity backend cannot be deleted

Status in OpenStack Identity (Keystone):
  New

Mailing list: https://launchpad.net/~yahoo-eng-team
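The behaviour discussed above (a domain delete cascades to the users and groups inside it, so a domain-specific LDAP backend configured with user/group `*_allow_delete=false` refuses with HTTP 403, and the config file has to be unmapped and Keystone restarted first) can be checked before an operator attempts the delete. The following is an added example, not code from the bug report or from Keystone: it parses a domain-specific config of the shape quoted in the report with the standard-library `configparser`, decides whether the backend is LDAP and read-only for deletes, and returns the remediation sequence ayoung describes. It assumes the Keystone convention that domain-specific files are named `keystone.<domain_name>.conf` and that `*_allow_delete` defaults to true when absent; the sample config contents and domain names are constructed, with the bind password replaced by a placeholder.

```python
"""Preflight check before deleting a Keystone domain that has a
domain-specific identity backend.

Added example; not code from the bug report or from Keystone.  It reads a
keystone.<domain_name>.conf of the shape quoted in the report and predicts
whether `DELETE /v3/domains/<id>` will hit the 403 "LDAP group delete"
refusal: the domain delete tries to delete every user and group in the
domain, so a backend whose *_allow_delete options are false cannot be torn
down that way.  The file-name convention is assumed, not taken from the page.
"""
import configparser

# Constructed sample: the [ldap]/[identity] config quoted in the bug, with
# the bind password replaced by a placeholder.
SAMPLE_DOMAIN_CONF = """\
[ldap]
url=ldap://ldap.server.com:389
user=cn=admin,dc=example,dc=com
password=REDACTED_PLACEHOLDER
suffix=dc=example,dc=com
user_tree_dn="ou=Users,dc=example,dc=com"
user_id_attribute=cn
user_name_attribute=cn
user_objectclass=organizationalPerson
user_allow_create=false
user_allow_update=false
user_allow_delete=false
group_tree_dn=ou=Groups,dc=example,dc=com
group_id_attribute=cn
group_name_attribute=cn
group_objectclass=*
group_allow_create=false
group_allow_update=false
group_allow_delete=false

[identity]
driver = keystone.identity.backends.ldap.Identity
"""

# Constructed sample of a domain whose identity backend is SQL, not LDAP.
SAMPLE_SQL_CONF = """\
[identity]
driver = sql
"""

# Both the short alias and the full class path select the LDAP identity driver.
LDAP_DRIVER_NAMES = ("ldap", "keystone.identity.backends.ldap.Identity")


def parse_domain_conf(text):
    """Parse a domain-specific config.  Interpolation is disabled because
    LDAP filters and DNs may legitimately contain '%' characters."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def is_ldap_backend(cp):
    driver = cp.get("identity", "driver", fallback="").strip()
    return driver in LDAP_DRIVER_NAMES


def undeletable_object_kinds(cp):
    """Object kinds ('user', 'group') the backend forbids Keystone to delete.
    Assumed default for *_allow_delete is true, so a missing option means
    deletion is permitted."""
    return [kind for kind in ("user", "group")
            if not cp.getboolean("ldap", f"{kind}_allow_delete", fallback=True)]


def assess_domain_delete(cp, domain_name):
    """Predict whether deleting `domain_name` will be refused and, if so,
    return the steps suggested in the chat quoted in the report."""
    if not is_ldap_backend(cp):
        return {"domain": domain_name, "blocked": False,
                "reason": "identity driver is not LDAP"}
    blocked = undeletable_object_kinds(cp)
    if not blocked:
        return {"domain": domain_name, "blocked": False,
                "reason": "LDAP backend allows user and group deletion"}
    return {
        "domain": domain_name,
        "blocked": True,
        "reason": "domain delete cascades to %s objects, which this backend "
                  "refuses to delete (HTTP 403)" % " and ".join(blocked),
        "remediation": [
            "disable the domain",
            f"remove the domain-specific config file keystone.{domain_name}.conf",
            "restart Keystone so the domain no longer maps to the LDAP backend",
            "delete the domain",
        ],
    }


if __name__ == "__main__":
    for name, text in (("Domain-A", SAMPLE_DOMAIN_CONF), ("Domain-B", SAMPLE_SQL_CONF)):
        print(assess_domain_delete(parse_domain_conf(text), name))
```

Running the file prints a blocked verdict with the four remediation steps for the constructed Domain-A and an unblocked verdict for the SQL-backed Domain-B. Note the bind password in a real domain config is a credential; the check reads it only to parse the file and never logs it.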