[openstack-dev] [keystone][api] Backwards incompatible changes based on config

Lance Bragstad lbragstad at gmail.com
Fri Aug 4 18:37:40 UTC 2017

Keystone had a bug reported [0] recently (that we are targeting to
pike-rc1) that exposes an inconsistency in the API based on
configuration. The happy path is as follows:

- a deployment is configured to store projects (controlled by the
resource backend) and users (controlled by the identity backend) in SQL
- users can have a default project ID, and a previous bug fix [1] made it
so users who were associated with a project via their
`default_project_id`, which is an attribute of the user, would be
corrected when that project was deleted
- when a project is deleted (DELETE /v3/projects/{project_id}) a
callback [2] [3] is invoked to unset that project ID from all users who
might have it set as their default project

This works great when both the identity and resource backends are
configured to use SQL. When the identity backend is configured to use
LDAP, the wheels fall off:

- a user attempts to remove a project (DELETE /v3/projects/{project_id})
- the identity callback is invoked and control is passed to the LDAP
identity driver implementation
- the LDAP implementation raises a 403 [4] because read/write LDAP is
not supported in keystone, and unsetting a project ID would classify as
a write operation

Properly fixing this would result in a 403 -> 204 status code, which
requires an API version bump according to the interoperability
guidelines [5] (note that keystone has not implemented microversions at
this point). At the same time, not fixing the issue results in a 403
any time a project is deleted while in this configuration.

Looking to get some advice from the API WG to see if this is something
we'll be able to address before rc or not. Thanks for reading!


[0] https://bugs.launchpad.net/keystone/+bug/1705081
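The configuration-dependent outcome described in the post, as an added, constructed model (not keystone's code): the same DELETE fires the same identity callback, and the status code differs only by which identity driver handles it. The user data, the callback wiring and the ordering of delete-then-callback are assumptions for illustration.

```python
# Constructed model of the project-delete callback discussed above; not keystone code.
# Status codes: 204 for a successful DELETE, 403 when a read-only driver refuses a write.

class ForbiddenAction(Exception):
    """Stands in for the 403 the read-only LDAP identity driver raises on any write."""

class SqlIdentity:
    """Identity backend in SQL: users are writable, so the callback can unset the project."""
    def __init__(self, users):
        self.users = users  # constructed: {user_id: {"default_project_id": ...}}

    def unset_default_project(self, project_id):
        for user in self.users.values():
            if user.get("default_project_id") == project_id:
                user["default_project_id"] = None

class LdapIdentity:
    """Identity backend in LDAP: read-only, so every write attempt is refused."""
    def __init__(self, users):
        self.users = users

    def unset_default_project(self, project_id):
        raise ForbiddenAction("read/write LDAP is not supported")

class ResourceManager:
    """Resource backend (projects in SQL) that invokes callbacks when a project is deleted."""
    def __init__(self, projects, callbacks):
        self.projects = projects
        self.callbacks = callbacks  # each is called with the deleted project id (assumed shape)

    def delete_project(self, project_id):
        if project_id not in self.projects:
            return 404
        del self.projects[project_id]  # assumption: removal happens before the callback runs
        try:
            for callback in self.callbacks:
                callback(project_id)
        except ForbiddenAction:
            return 403  # the identity callback turns the whole DELETE into a 403
        return 204

def delete_with_backend(identity_cls):
    """Simulate DELETE /v3/projects/p1 with the given identity backend; return (status, users)."""
    users = {"alice": {"default_project_id": "p1"}, "bob": {"default_project_id": "p2"}}
    identity = identity_cls(users)
    resource = ResourceManager({"p1": {}, "p2": {}}, [identity.unset_default_project])
    return resource.delete_project("p1"), users

if __name__ == "__main__":
    for backend in (SqlIdentity, LdapIdentity):
        print(backend.__name__, delete_with_backend(backend))
```

With the SQL backend alice's stale `default_project_id` is cleared and the call returns 204; with the LDAP backend the same call returns 403 and alice keeps a reference to a project that no longer exists.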
