Reviewed:  https://review.openstack.org/491546
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b068d71b59c092820b1e78dd87a3fb00b40802eb
Submitter: Jenkins
Branch:    master

commit b068d71b59c092820b1e78dd87a3fb00b40802eb
Author: Lance Bragstad <lbrags...@gmail.com>
Date:   Mon Aug 7 20:29:08 2017 +0000

    Except forbidden when clearing default project IDs

    The identity backend registers a callback that listens for when a
    project is deleted. When it receives a notification, it uses the
    project ID sent in the notification and removes all references to it
    from the identity backend, where users might have it referenced in
    their `default_project_id` attribute.

    The original fix for this did not account for LDAP backends being
    read-only. This caused an issue where DELETE /v3/projects/{project_id}
    actually caused an HTTP 403 Forbidden exception because the LDAP
    backend wasn't writeable, despite that project actually being deleted.

    This change makes the identity API manager handle the exception and
    tests it specifically for LDAP, or read-only, backends.

    Change-Id: I16f4fcb289dad2fe752f3188476329c95cf777c9
    Closes-Bug: 1705081

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1705081

Title:
  DELETE project API is failing in forbidden(403) error message

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  With ldap as identity backend driver, when some project is deleted
  using DELETE /v3/projects/{project_id} API, it is failing in

  RESP BODY: {"error": {"message": "You are not authorized to perform the requested action.", "code": 403, "title": "Forbidden"}}

  In the delete project flow, with change-set[0] a notification action
  is configured at [1] to clear default project information on all users
  by invoking respective identity backend driver at [2] in method
  unset_default_project_id() but for ldap driver at [3] it is configured
  to throw forbidden error.

  Since ldap doesn't maintain project information on users,
  unset_default_project_id() method at [3] doesn't require any specific
  functionality to clean up project information on users.

  [0] https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
  [1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L492
  [2] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L533
  [3] https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92
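
The failure mode described in the commit message and bug report above, as an added example that is not keystone's code: a post-delete cleanup callback that lets a read-only backend's Forbidden propagate turns a completed delete into a 403, while catching it in the manager restores the correct status. All class and function names except `unset_default_project_id` and `default_project_id` are hypothetical, and the in-memory drivers are constructed stand-ins for the SQL and LDAP backends.

```python
import logging

LOG = logging.getLogger(__name__)


class Forbidden(Exception):
    """Stand-in for the HTTP 403 error a read-only backend raises."""


class WritableDriver:
    """Models a backend that stores default_project_id on users."""

    def __init__(self, users):
        self.users = users  # {user_id: {"default_project_id": ...}}

    def unset_default_project_id(self, project_id):
        for user in self.users.values():
            if user.get("default_project_id") == project_id:
                user["default_project_id"] = None


class ReadOnlyDriver:
    """Models an LDAP-style backend that refuses every write."""

    def unset_default_project_id(self, project_id):
        raise Forbidden("backend is read-only")


class IdentityManager:
    def __init__(self, driver, tolerate_read_only):
        self.driver = driver
        self.tolerate_read_only = tolerate_read_only

    def on_project_deleted(self, project_id):
        """Callback fired after the project has already been removed."""
        try:
            self.driver.unset_default_project_id(project_id)
        except Forbidden:
            if not self.tolerate_read_only:
                raise  # pre-fix behaviour: cleanup failure surfaces as 403
            LOG.debug("read-only backend, nothing to clear for %s", project_id)


def delete_project(projects, manager, project_id):
    """Delete the project, notify the listener, return the HTTP status."""
    del projects[project_id]
    try:
        manager.on_project_deleted(project_id)
    except Forbidden:
        return 403  # project is already gone, yet the caller sees a failure
    return 204
```
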