Public bug reported:

With ldap as identity backend driver, when some project is deleted using DELETE /v3/projects/{project_id} API, it is failing in RESP BODY:

{"error": {"message": "You are not authorized to perform the requested action.", "code": 403, "title": "Forbidden"}}

In the delete project flow, with change-set[0] a notification action is configured at [1] to clear default project information on all users by invoking the respective identity backend driver at [2] in method unset_default_project_id(), but for the ldap driver at [3] it is configured to throw a forbidden error. Since ldap doesn't maintain project information on users, the unset_default_project_id() method at [3] doesn't require any specific functionality to clean up project information on users.

[0] https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
[1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L492
[2] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L533
[3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1705081

Title:
  DELETE project API is failing in forbidden(403) error message

Status in OpenStack Identity (keystone):
  New
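
The failure path described in the report, as an added example that is not part of the original bug report and is not Keystone code: a simplified model in which the delete request invokes the backend's unset_default_project_id() and an uncaught Forbidden becomes the 403 the client sees. All class and function names other than unset_default_project_id() are hypothetical, and the user records are constructed.

```python
# Simplified model of the flow in the report; hypothetical names, not Keystone code.
class Forbidden(Exception):
    code = 403


class SqlLikeDriver:
    """Assumed backend that stores default_project_id on each user record."""

    def __init__(self, users):
        self.users = users

    def unset_default_project_id(self, project_id):
        for user in self.users.values():
            if user.get("default_project_id") == project_id:
                user["default_project_id"] = None


class LdapLikeDriverRaising:
    """Reported behaviour: the driver raises Forbidden."""

    def unset_default_project_id(self, project_id):
        raise Forbidden("You are not authorized to perform the requested action.")


class LdapLikeDriverNoOp:
    """Behaviour the report argues for: nothing stored, nothing to clear."""

    def unset_default_project_id(self, project_id):
        return None


def delete_project(driver, project_id):
    """Model of DELETE /v3/projects/{project_id}: run the cleanup callback
    and map an uncaught Forbidden to the HTTP status the client sees."""
    try:
        driver.unset_default_project_id(project_id)
    except Forbidden as exc:
        return exc.code
    return 204  # assumed success status for the delete call


def demo():
    users = {"u1": {"default_project_id": "p1"}, "u2": {"default_project_id": "p2"}}  # constructed
    return {
        "sql": delete_project(SqlLikeDriver(users), "p1"),
        "ldap_raising": delete_project(LdapLikeDriverRaising(), "p1"),
        "ldap_noop": delete_project(LdapLikeDriverNoOp(), "p1"),
        "users": users,
    }
```

A regression test along these lines, run against every identity driver, would catch a backend whose cleanup hook turns an authorized project delete into an authorization error.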