Browse Source

Delete shadow users when domain is deleted

Without this change, when an admin tries to delete an LDAP-backed
domain, it fails due to the foreign key relationship in the users table.
Previously, we were assuming that LDAP users existed solely in the LDAP
directory, but this is not true with shadow users. This patch fixes the
logic to delete the shadow users upon domain deletion.

Change-Id: I12a08001e3aa08e4db9438cae425ad1a0a8070f7
Closes-bug: #1801873
tags/16.0.0.0rc1
Colleen Murphy 1 year ago
committed by Colleen Murphy
parent
commit
1b16725d06
3 changed files with 22 additions and 9 deletions
  1. +4
    -9
      keystone/identity/core.py
  2. +12
    -0
      keystone/identity/shadow_backends/sql.py
  3. +6
    -0
      releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml

+ 4
- 9
keystone/identity/core.py View File

@@ -500,14 +500,6 @@ class Manager(manager.Manager):

driver = self._select_identity_driver(domain_id)

if not driver.is_sql:
# The LDAP driver does not support deleting users or groups.
# Moreover, we shouldn't destroy users and groups in an unknown
# driver. The only time when we should delete users and groups is
# when the backend is SQL because the foreign key in the SQL table
# forces us to.
return

user_refs = self.list_users(domain_scope=domain_id)
group_refs = self.list_groups(domain_scope=domain_id)

@@ -524,7 +516,10 @@ class Manager(manager.Manager):
# And finally, delete the users themselves
for user in user_refs:
try:
self.delete_user(user['id'])
if not driver.is_sql:
PROVIDERS.shadow_users_api.delete_user(user['id'])
else:
self.delete_user(user['id'])
except exception.UserNotFound:
LOG.debug(('User %(userid)s not found when deleting domain '
'contents for %(domainid)s, continuing with '


+ 12
- 0
keystone/identity/shadow_backends/sql.py View File

@@ -16,6 +16,7 @@ import sqlalchemy
import uuid

from oslo_config import cfg
from oslo_db import api as oslo_db_api

from keystone.common import sql
from keystone import exception
@@ -158,6 +159,17 @@ class ShadowUsers(base.ShadowUsersDriverBase):
session.add(new_user_ref)
return identity_base.filter_user(new_user_ref.to_dict())

@oslo_db_api.wrap_db_retry(retry_on_deadlock=True)
def delete_user(self, user_id):
with sql.session_for_write() as session:
ref = self._get_user(session, user_id)

q = session.query(model.UserGroupMembership)
q = q.filter_by(user_id=user_id)
q.delete(False)

session.delete(ref)

def get_user(self, user_id):
with sql.session_for_read() as session:
user_ref = self._get_user(session, user_id)


+ 6
- 0
releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml View File

@@ -0,0 +1,6 @@
---
fixes:
- |
[`bug 1801873 <https://bugs.launchpad.net/keystone/+bug/1801873>`_]
This fixes an issue where an LDAP-backed domain could not be deleted due to
the existence of shadow users in the SQL database.

Loading…
Cancel
Save