author | Zuul <zuul@review.openstack.org> | 2019-04-15 22:30:11 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2019-04-15 22:30:11 +0000 |
commit | 1854439a991f59fb3b5f56c97ce31e6b966e828f (patch) | |
tree | 05eda24b96dcb699a278699161e42e9814d6c477 | |
parent | 8a3b48ce7f2363a165f0930b8a3b09dc8e2a205c (diff) | |
parent | b5af5c9009e19b40fce8496f777c665f8fa3c644 (diff) | |
download | keystone-1854439a991f59fb3b5f56c97ce31e6b966e828f.tar.gz |
Merge "Delete shadow users when domain is deleted" into stable/rocky
-rw-r--r-- | keystone/identity/core.py | 13 | ||||
-rw-r--r-- | keystone/identity/shadow_backends/sql.py | 12 | ||||
-rw-r--r-- | releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml | 6 |
3 files changed, 22 insertions, 9 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 5cfe9d3d7..229d615a0 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -502,14 +502,6 @@ class Manager(manager.Manager):
 driver = self._select_identity_driver(domain_id)
- if not driver.is_sql:
- # The LDAP driver does not support deleting users or groups.
- # Moreover, we shouldn't destroy users and groups in an unknown
- # driver. The only time when we should delete users and groups is
- # when the backend is SQL because the foreign key in the SQL table
- # forces us to.
- return
-
 user_refs = self.list_users(domain_scope=domain_id)
 group_refs = self.list_groups(domain_scope=domain_id)
@@ -526,7 +518,10 @@ class Manager(manager.Manager):
 # And finally, delete the users themselves
 for user in user_refs:
 try:
- self.delete_user(user['id'])
+ if not driver.is_sql:
+ PROVIDERS.shadow_users_api.delete_user(user['id'])
+ else:
+ self.delete_user(user['id'])
 except exception.UserNotFound:
 LOG.debug(('User %(userid)s not found when deleting domain '
 'contents for %(domainid)s, continuing with '
diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py
index e861acb79..aa2c38ea3 100644
--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -16,6 +16,7 @@ import sqlalchemy
 import uuid
 from oslo_config import cfg
+from oslo_db import api as oslo_db_api
 from keystone.common import sql
 from keystone import exception
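Review bot: Dropping the `if not driver.is_sql: return` guard at the top of `_delete_domain_contents` lets the whole method run against a read-only identity driver, but only the user loop in the second hunk is adapted to that case; the group-deletion loop that sits between the two hunks is outside the diff, and if it still calls `self.delete_group(group['id'])` for every group the LDAP driver listed, the driver will presumably reject that before the shadow users are ever reached, leaving the domain undeletable for the same reason the bug describes. Either skip group deletion when `driver.is_sql` is false, or handle the driver's forbidden-action error there the same way `UserNotFound` is handled below. The enclosing method starts before this hunk and continues after it.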
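Review bot: The removed block carried the only explanation of why non-SQL users were left alone, and the new branch in the user loop replaces it with nothing; a reader now has to guess why the shadow backend is used for one driver kind and the identity manager for the other. A comment above the loop such as `# Users of a non-SQL (e.g. LDAP) backend are read-only there; only their shadow rows in SQL are removed.` would preserve that reasoning. The `driver.is_sql` test is also re-evaluated on every iteration although `driver` is fixed before the loop; choosing the deleter once, `delete = self.delete_user if driver.is_sql else PROVIDERS.shadow_users_api.delete_user`, then calling `delete(user['id'])` inside the `try`, keeps the loop body to the one call the `except exception.UserNotFound` handler is written for.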
@@ -160,6 +161,17 @@ class ShadowUsers(base.ShadowUsersDriverBase):
 session.add(new_user_ref)
 return identity_base.filter_user(new_user_ref.to_dict())
+ @oslo_db_api.wrap_db_retry(retry_on_deadlock=True)
+ def delete_user(self, user_id):
+ with sql.session_for_write() as session:
+ ref = self._get_user(session, user_id)
+
+ q = session.query(model.UserGroupMembership)
+ q = q.filter_by(user_id=user_id)
+ q.delete(False)
+
+ session.delete(ref)
+
 def get_user(self, user_id):
 with sql.session_for_read() as session:
 user_ref = self._get_user(session, user_id)
diff --git a/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml
new file mode 100644
index 000000000..7fd970d35
--- /dev/null
+++ b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1801873 <https://bugs.launchpad.net/keystone/+bug/1801873>`_]
+ This fixes an issue where an LDAP-backed domain could not be deleted due to
+ the existence of shadow users in the SQL database.
|
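Review bot: `delete_user` is added only to the SQL shadow driver; the diffstat lists three files and `base.ShadowUsersDriverBase`, which this class derives from per the hunk header, is not among them, so `PROVIDERS.shadow_users_api.delete_user` in core.py is now a call that any other shadow-users driver has no obligation to provide, and the resulting AttributeError is not covered by the `except exception.UserNotFound` handler there. Declaring `delete_user` on the base driver (abstract, or with a default that raises `exception.NotImplemented`-style error the manager can recognise) would make the new contract explicit. The method has no docstring; `"""Delete a shadow user and its group membership rows."""` states what the two writes in the body do. `q.delete(False)` passes `synchronize_session` positionally, which the next reader has to look up; `q.delete(synchronize_session=False)` says it in place.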