authorZuul <zuul@review.openstack.org>2019-04-15 22:30:11 +0000
committerGerrit Code Review <review@openstack.org>2019-04-15 22:30:11 +0000
commit1854439a991f59fb3b5f56c97ce31e6b966e828f (patch)
tree05eda24b96dcb699a278699161e42e9814d6c477
parent8a3b48ce7f2363a165f0930b8a3b09dc8e2a205c (diff)
parentb5af5c9009e19b40fce8496f777c665f8fa3c644 (diff)
Merge "Delete shadow users when domain is deleted" into stable/rocky
-rw-r--r--keystone/identity/core.py13
-rw-r--r--keystone/identity/shadow_backends/sql.py12
-rw-r--r--releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml6
3 files changed, 22 insertions, 9 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 5cfe9d3d7..229d615a0 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -502,14 +502,6 @@ class Manager(manager.Manager):
driver = self._select_identity_driver(domain_id)
- if not driver.is_sql:
- # The LDAP driver does not support deleting users or groups.
- # Moreover, we shouldn't destroy users and groups in an unknown
- # driver. The only time when we should delete users and groups is
- # when the backend is SQL because the foreign key in the SQL table
- # forces us to.
- return
-
user_refs = self.list_users(domain_scope=domain_id)
group_refs = self.list_groups(domain_scope=domain_id)
@@ -526,7 +518,10 @@ class Manager(manager.Manager):
# And finally, delete the users themselves
for user in user_refs:
try:
- self.delete_user(user['id'])
+ if not driver.is_sql:
+ PROVIDERS.shadow_users_api.delete_user(user['id'])
+ else:
+ self.delete_user(user['id'])
except exception.UserNotFound:
LOG.debug(('User %(userid)s not found when deleting domain '
'contents for %(domainid)s, continuing with '
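Review bot: Calling `PROVIDERS.shadow_users_api.delete_user(user['id'])` directly in the non-SQL branch bypasses whatever `self.delete_user` does beyond removing the row; the new backend method in sql.py clears group memberships, but the manager path presumably also drops the user's role assignments and credentials and emits the revocation/audit events, so confirm the domain-deletion path already covers those for LDAP-backed users or rows keyed on the deleted id stay behind. The removed `if not driver.is_sql: return` guard also un-gates the code between the two hunks (the loop over `group_refs` following `self.list_groups(domain_scope=domain_id)`), which is outside this view; if the non-SQL driver rejects `delete_group`, domain deletion would now fail there instead of returning early. `list_users(domain_scope=domain_id)` enumerates the driver's current users, so shadow rows for users that have since disappeared from the directory may not be reached by this loop. A short comment on the new branch would help the next reader: `# Non-SQL backends are not written to; only the user's shadow row is removed.` The enclosing method begins and ends outside the hunk.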
diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py
index e861acb79..aa2c38ea3 100644
--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -16,6 +16,7 @@ import sqlalchemy
import uuid
from oslo_config import cfg
+from oslo_db import api as oslo_db_api
from keystone.common import sql
from keystone import exception
@@ -160,6 +161,17 @@ class ShadowUsers(base.ShadowUsersDriverBase):
session.add(new_user_ref)
return identity_base.filter_user(new_user_ref.to_dict())
+ @oslo_db_api.wrap_db_retry(retry_on_deadlock=True)
+ def delete_user(self, user_id):
+ with sql.session_for_write() as session:
+ ref = self._get_user(session, user_id)
+
+ q = session.query(model.UserGroupMembership)
+ q = q.filter_by(user_id=user_id)
+ q.delete(False)
+
+ session.delete(ref)
+
def get_user(self, user_id):
with sql.session_for_read() as session:
user_ref = self._get_user(session, user_id)
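Review bot: `q.delete(False)` on the membership query passes `synchronize_session` positionally, which reads as an unexplained bare boolean; `q.delete(synchronize_session=False)` says what is being turned off. The new `delete_user` also has no docstring; something like `"""Delete a shadow user and its group memberships; raises UserNotFound if absent."""` would do, where the UserNotFound part assumes `_get_user` raises it, which is what the caller in core.py catches. Whether `session.delete(ref)` cascades to the user's other dependent rows depends on the model relationships, which are not visible here; worth confirming so that deleting a domain does not fail on a foreign key the membership cleanup does not cover.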
diff --git a/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml
new file mode 100644
index 000000000..7fd970d35
--- /dev/null
+++ b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1801873 <https://bugs.launchpad.net/keystone/+bug/1801873>`_]
+ This fixes an issue where an LDAP-backed domain could not be deleted due to
+ the existence of shadow users in the SQL database.