[LDAP Keystone] Fail to remove tenant even if all members are removed.

Bug #1054362 reported by Jerry Zhao
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Adam Young

Bug Description

Version:
I applied the latest LDAP code as of 09/21/2012 to keystone.

Operations:
Add tenant via GUI
Add a user to the tenant.
Remove user from the tenant
Remove tenant--Fail

Keystone log:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 184, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/core.py", line 322, in delete_tenant
    self.identity_api.delete_tenant(context, tenant_id)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 48, in _wrapper
    return f(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap/core.py", line 254, in delete_tenant
    return self.tenant.delete(tenant_id)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/ldap/core.py", line 575, in delete
    super(TenantApi, self).delete(id)
  File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 289, in delete
    conn.delete_s(self._id_to_dn(id))
  File "/usr/lib/python2.7/dist-packages/keystone/common/ldap/core.py", line 343, in delete_s
    return self.conn.delete_s(dn)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 285, in delete_s
    return self.delete_ext_s(dn,None,None)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 279, in delete_ext_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
NOT_ALLOWED_ON_NONLEAF: {'info': 'subordinate objects must be deleted first', 'desc': 'Operation not allowed on non-leaf'}
(eventlet.wsgi.server): 2012-09-21 14:25:11,595 DEBUG 127.0.0.1 - - [21/Sep/2012 14:25:11] "DELETE /v2.0/tenants/0370e357e30c47c98e4740d61ff81ec7 HTTP/1.1" 500 390 0.019932

The error is because there are still Admin/Member role entries left in the Group or Tenant.

# c490cadbebb74403a9b7d2dfa59bb2f4, 7a7466c4a5c040ea8e315888a907b0fe, Groups,
  mydomain.com
dn: cn=c490cadbebb74403a9b7d2dfa59bb2f4,cn=7a7466c4a5c040ea8e315888a907b0fe,ou
 =Groups,dc=mydomain,dc=com
objectClass: organizationalRole
roleOccupant: cn=dumb,dc=nonexistent
cn: c490cadbebb74403a9b7d2dfa59bb2f4

Workaround: If the role entry is removed manually from the LDAP server, the group or tenant can be successfully removed.

Tags: ldap keystone
Joseph Heck (heckj) wrote :

Adam - would you mind taking a look at this bug and seeing if you can repro?

Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Jose Castro Leon (jose-castro-leon) wrote :

The problem appears while deleting the Tenant object because it has the role as a leaf. In such a case you need to do a deletion of the subtree using delete_ext_s with the appropriate ldapcontrol.

Jose Castro Leon (jose-castro-leon) wrote :
Nikola Knezevic (kne) wrote :

The duplicate status is wrong: as of Kilo, bug #1057436 does not show up, while this bug appears.

    root@ng:~# keystone user-role-list --tenant testq05

    root@ng:~# keystone tenant-delete testq05
    An unexpected error prevented the server from fulfilling your request: {'info': 'subordinate objects must be deleted first', 'desc': 'Operation not allowed on non-leaf'} (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-d3d28418-f88f-4964-95fe-bbe82d60807b)
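
Added example, not part of the bug report or of Keystone's code: a children-first subtree delete written against python-ldap's `search_s`/`delete_s` call shapes, shown as a client-side alternative to the server-side control mentioned in the comments. `FakeDirectory`, `NotAllowedOnNonLeaf`, `delete_subtree` and `demo` are hypothetical names, and the directory is constructed from the DNs in the report so the block runs without an LDAP server.

```python
SCOPE_ONELEVEL = 1  # same value as ldap.SCOPE_ONELEVEL in python-ldap

# DNs taken from the LDIF in the report; the tree itself is constructed sample data.
GROUPS = "ou=Groups,dc=mydomain,dc=com"
TENANT = "cn=7a7466c4a5c040ea8e315888a907b0fe," + GROUPS
ROLE = "cn=c490cadbebb74403a9b7d2dfa59bb2f4," + TENANT


class NotAllowedOnNonLeaf(Exception):
    """Stand-in for ldap.NOT_ALLOWED_ON_NONLEAF."""


class FakeDirectory:
    """In-memory stand-in for an LDAP connection (search_s/delete_s only)."""

    def __init__(self, parents):
        self.parents = dict(parents)  # entry DN -> parent DN

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        assert scope == SCOPE_ONELEVEL
        return [(dn, {}) for dn, parent in self.parents.items() if parent == base]

    def delete_s(self, dn):
        # LDAP servers refuse to delete an entry that still has children.
        if dn in self.parents.values():
            raise NotAllowedOnNonLeaf("subordinate objects must be deleted first")
        del self.parents[dn]


def delete_subtree(conn, dn):
    """Delete dn and everything below it, leaves first; return deletion order."""
    deleted = []
    # "1.1" asks the server for no attributes: only the child DNs are needed.
    for child_dn, _attrs in conn.search_s(dn, SCOPE_ONELEVEL, "(objectClass=*)", ["1.1"]):
        deleted += delete_subtree(conn, child_dn)
    conn.delete_s(dn)
    deleted.append(dn)
    return deleted


def demo():
    conn = FakeDirectory({TENANT: GROUPS, ROLE: TENANT})
    try:
        conn.delete_s(TENANT)  # the call that fails in the traceback
        plain = "deleted"
    except NotAllowedOnNonLeaf:
        plain = "refused"
    return plain, delete_subtree(conn, TENANT), conn.parents
```

Because the recursion removes every entry under the given DN, the caller should pass only the tenant's own DN and never a container such as `ou=Groups`.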
