Reviewed: https://review.openstack.org/491546
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=b068d71b59c092820b1e78dd87a3fb00b40802eb
Submitter: Jenkins
Branch: master
commit b068d71b59c092820b1e78dd87a3fb00b40802eb
Author: Lance Bragstad <lbrags...@gmail.com>
Date: Mon Aug 7 20:29:08 2017 +0000
Except forbidden when clearing default project IDs
The identity backend registers a callback that listens for when a
project is deleted. When it receives a notification, it uses the
project ID send in the notification and removes all references to it
from the identity backend, where users might have it referenced in
their `default_project_id` attribute. The original fix for this did
not account for LDAP backends being read-only. This caused an issue
where DELETE /v3/projects/{project_id} actually caused an HTTP 403
Forbidden exception because the LDAP backend wasn't writeable,
despite that project actually being deleted.
This change makes the identity API manager handle the exception
and tests it specifically for LDAP, or read-only, backends.
Change-Id: I16f4fcb289dad2fe752f3188476329c95cf777c9
Closes-Bug: 1705081
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1705081
Title:
DELETE project API is failing in forbidden(403) error message
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
With ldap as identity backend driver, when some project is deleted using
DELETE /v3/projects/{project_id} API, it is failing in
RESP BODY: {"error": {"message": "You are not authorized to perform the
requested action.", "code": 403, "title": "Forbidden"}}
In the delete project flow, with change-set[0] a notification action
is configured at [1] to clear default project information on all users
by invoking respective identity backend driver at [2] in method
unset_default_project_id() but for ldap driver at [3] it is configured
to throw forbidden error. Since ldap doesn't maintain project
information on users, unset_default_project_id() method at [3] doesn't
require any specific functionality to clean up project information on
users.
[0]
https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L492
[2]
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L533
[3]
https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1705081/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
