-rw-r--r--keystone/identity/core.py13
-rw-r--r--keystone/identity/shadow_backends/sql.py12
-rw-r--r--releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml6
3 files changed, 22 insertions, 9 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 114c4a21c..fa0e0f729 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -502,14 +502,6 @@ class Manager(manager.Manager):
driver = self._select_identity_driver(domain_id)
- if not driver.is_sql:
- # The LDAP driver does not support deleting users or groups.
- # Moreover, we shouldn't destroy users and groups in an unknown
- # driver. The only time when we should delete users and groups is
- # when the backend is SQL because the foreign key in the SQL table
- # forces us to.
- return
-
user_refs = self.list_users(domain_scope=domain_id)
group_refs = self.list_groups(domain_scope=domain_id)
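Review bot: With the early return removed, the group-deletion loop that sits between this hunk and the next (outside the hunk) now runs for non-SQL drivers as well, and the deleted comment says the LDAP driver does not support deleting groups. If that loop still calls `self.delete_group(group['id'])` guarded only by `except exception.GroupNotFound`, a read-only driver would presumably raise a different error and abort the domain delete partway through, leaving the domain in a half-cleaned state. Consider mirroring the user branch of the next hunk there, e.g. `if driver.is_sql: self.delete_group(group['id'])`, or documenting why group deletion is expected to succeed for every driver. The enclosing method starts before this hunk.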
@@ -526,7 +518,10 @@ class Manager(manager.Manager):
# And finally, delete the users themselves
for user in user_refs:
try:
- self.delete_user(user['id'])
+ if not driver.is_sql:
+ self.shadow_users_api.delete_user(user['id'])
+ else:
+ self.delete_user(user['id'])
except exception.UserNotFound:
LOG.debug(('User %(userid)s not found when deleting domain '
'contents for %(domainid)s, continuing with '
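Review bot: The new non-SQL branch calls the shadow driver directly, so it bypasses whatever `self.delete_user` does at the manager level beyond the driver call — cache invalidation, the audit notification and any token or credential cleanup hooked to it — for users whose LDAP identity still exists. Presumably the domain delete itself triggers revocation for those users, but that should be confirmed before relying on it, since nothing in this hunk shows it. At minimum a comment should explain the split, e.g. `# Non-SQL drivers cannot delete the user; only remove the SQL shadow row that blocks the domain delete.` The enclosing method starts outside this hunk.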
diff --git a/keystone/identity/shadow_backends/sql.py b/keystone/identity/shadow_backends/sql.py
index ccf420cbc..8f41c7116 100644
--- a/keystone/identity/shadow_backends/sql.py
+++ b/keystone/identity/shadow_backends/sql.py
@@ -16,6 +16,7 @@ import sqlalchemy
import uuid
from oslo_config import cfg
+from oslo_db import api as oslo_db_api
from keystone.common import sql
from keystone import exception
@@ -147,6 +148,17 @@ class ShadowUsers(base.ShadowUsersDriverBase):
session.add(new_user_ref)
return identity_base.filter_user(new_user_ref.to_dict())
+ @oslo_db_api.wrap_db_retry(retry_on_deadlock=True)
+ def delete_user(self, user_id):
+ with sql.session_for_write() as session:
+ ref = self._get_user(session, user_id)
+
+ q = session.query(model.UserGroupMembership)
+ q = q.filter_by(user_id=user_id)
+ q.delete(False)
+
+ session.delete(ref)
+
def get_user(self, user_id):
with sql.session_for_read() as session:
user_ref = self._get_user(session, user_id)
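Review bot: The new `delete_user` has no docstring and passes `synchronize_session` positionally as `q.delete(False)`, which hides what the flag means to a reader; write it as `q.delete(synchronize_session=False)` and add a docstring such as `"""Delete a shadow user and its group memberships."""`, noting that it raises UserNotFound when the id is unknown if `_get_user` does so (this hunk does not show it). Only the membership rows are removed explicitly before `session.delete(ref)`; rows in other tables that reference the user, if any, are left to the ORM relationship cascades, so confirm those cascades exist or the foreign-key constraint will make the delete fail. The enclosing class continues outside this hunk.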
diff --git a/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml
new file mode 100644
index 000000000..7fd970d35
--- /dev/null
+++ b/releasenotes/notes/bug-1801873-0eb9a5ec3e801190.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1801873 <https://bugs.launchpad.net/keystone/+bug/1801873>`_]
+ This fixes an issue where an LDAP-backed domain could not be deleted due to
+ the existence of shadow users in the SQL database.