From d76a068d1348da467cd1b5db518c7739ce9f7488 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Mon, 25 Mar 2019 15:50:26 +0100 Subject: [PATCH] Delete shadow users when domain is deleted Without this change, when an admin tries to delete an LDAP-backed domain, it fails due to the foreign key relationship in the users table. Previously, we were assuming that LDAP users existed solely in the LDAP directory, but this is not true with shadow users. This patch fixes the logic to delete the shadow users upon domain deletion. Altered cherry-pick: use injected API provider since provider_api mechanism doesn't exist in pike. Change-Id: I12a08001e3aa08e4db9438cae425ad1a0a8070f7 Closes-bug: #1801873 (cherry picked from commit 1b16725d066f71a833ca74656c0c3dfe5f815e98) --- keystone/identity/core.py | 13 ++++--------- keystone/identity/shadow_backends/sql.py | 12 ++++++++++++ .../notes/bug-1801873-0eb9a5ec3e801190.yaml | 6 ++++++ 3 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml diff --git a/keystone/identity/core.py b/keystone/identity/core.py index 114c4a21c2..fa0e0f7298 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py @@ -502,14 +502,6 @@ class Manager(manager.Manager): driver = self._select_identity_driver(domain_id) - if not driver.is_sql: - # The LDAP driver does not support deleting users or groups. - # Moreover, we shouldn't destroy users and groups in an unknown - # driver. The only time when we should delete users and groups is - # when the backend is SQL because the foreign key in the SQL table - # forces us to. - return - user_refs = self.list_users(domain_scope=domain_id) group_refs = self.list_groups(domain_scope=domain_id) @@ -526,7 +518,10 @@ class Manager(manager.Manager): # And finally, delete the users themselves for user in user_refs: try: - self.delete_user(user['id']) + if not driver.is_sql: + self.shadow_users_api.delete_user(user['id']) + else: + self.delete_user(user['id']) except exception.UserNotFound: LOG.debug(('User %(userid)s not found when deleting domain ' 'contents for %(domainid)s, continuing with ' diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py index ccf420cbc7..8f41c71168 100644 --- a/keystone/identity/shadow_backends/sql.py +++ b/keystone/identity/shadow_backends/sql.py @@ -16,6 +16,7 @@ import sqlalchemy import uuid from oslo_config import cfg +from oslo_db import api as oslo_db_api from keystone.common import sql from keystone import exception @@ -147,6 +148,17 @@ class ShadowUsers(base.ShadowUsersDriverBase): session.add(new_user_ref) return identity_base.filter_user(new_user_ref.to_dict()) + @oslo_db_api.wrap_db_retry(retry_on_deadlock=True) + def delete_user(self, user_id): + with sql.session_for_write() as session: + ref = self._get_user(session, user_id) + + q = session.query(model.UserGroupMembership) + q = q.filter_by(user_id=user_id) + q.delete(False) + + session.delete(ref) + def get_user(self, user_id): with sql.session_for_read() as session: user_ref = self._get_user(session, user_id) diff --git a/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml new file mode 100644 index 0000000000..7fd970d351 --- /dev/null +++ b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + [`bug 1801873 `_] + This fixes an issue where an LDAP-backed domain could not be deleted due to + the existence of shadow users in the SQL database.