62ee18b359
Since the users table has a foreign key to the projects table[1], users must be deleted before the domain can be deleted. However, the notification emitted from the domain deletion comes too late, and keystone runs into a foreign key reference error before it can delete the users. This patch addresses the problem by adding a new internal notification to alert the identity manager that users should be deleted. This uses a new notification rather than the existing notification because the existing one is used to alert listeners that the domain deletion has been fully completed, whereas this one must happen in the middle of the domain delete process. The callback must also only try to delete SQL users. The LDAP driver doesn't support deleting users, and we can't assume other drivers support it either. Moreover, the foreign key reference is only a problem for SQL users anyway. Because our backend unit tests run with SQLite and foreign keys do not work properly, we can't properly expose this bug in our unit tests, but there is an accompanying tempest test[2][3] to validate this fix. [1] https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141 [2] https://review.openstack.org/#/c/509610 [3] https://review.openstack.org/#/c/509947 Change-Id: If5bdb6f5eef80b50b000aed5188ce7da4dfd1083 Closes-bug: #1718747 |
||
---|---|---|
api-ref/source | ||
config-generator | ||
devstack | ||
doc | ||
etc | ||
examples/pki | ||
httpd | ||
keystone | ||
keystone_tempest_plugin | ||
playbooks/legacy | ||
rally-jobs | ||
releasenotes | ||
tools | ||
.coveragerc | ||
.gitignore | ||
.gitreview | ||
.mailmap | ||
.stestr.conf | ||
.zuul.yaml | ||
CONTRIBUTING.rst | ||
HACKING.rst | ||
LICENSE | ||
README.rst | ||
babel.cfg | ||
bindep.txt | ||
requirements.txt | ||
setup.cfg | ||
setup.py | ||
test-requirements.txt | ||
tox.ini |
README.rst
Team and repository tags
OpenStack Keystone
Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
Developer documentation, the source of which is in
doc/source/
, is published at:
The API reference and documentation are available at:
The canonical client library is available at:
https://git.openstack.org/cgit/openstack/python-keystoneclient
Documentation for cloud administrators is available at:
The source of documentation for cloud administrators is available at:
Information about our team meeting is available at:
Bugs and feature requests are tracked on Launchpad at:
Future design work is tracked at:
Contributors are encouraged to join IRC
(#openstack-keystone
on freenode):
For information on contributing to Keystone, see
CONTRIBUTING.rst
.