[openstack-dev] [Nova] About deleting keypairs
Matt Riedemann
mriedem at linux.vnet.ibm.com
Mon Jul 18 15:14:21 UTC 2016
On 7/14/2016 3:04 AM, Zhenyu Zheng wrote:
> Hi All,
>
> We have met some problems when trying to clean up resources, keypairs in
> particular.
>
> The scenario is like this: we have several projects in our public cloud,
> each project has its own admin, they can create and delete users, and
> their users may create keypairs. As keypairs are only related to
> users (user_id), when a project admin deletes its users, they may forget to
> delete the related keypairs, and also they might have tried to delete keypairs
> but something happened and it didn't work.
>
> Now, when we, as public cloud admin, want to delete this project and
> clean up its resources, we can't delete the keypairs because when deleting
> keypairs we have to provide the related user_id. If this user has
> already been deleted (keystone uses hard delete and we cannot find
> deleted users there), we will never be able to delete the keypairs.
>
> Does anyone have any comments or thoughts about the above problem?
>
> Thanks
>
> Kevin Zheng
>
Nova doesn't actually validate that the user_id passed into the keypairs API
is valid, does it? Like flavor access and quotas, Nova is given an ID
but doesn't validate it with Keystone. So we don't actually need
Keystone to find these, do we?

I'm not saying that's great; we already had a spec approved for Newton
to check the provided user/project ID with keystone for the flavor
access and quotas APIs, and we could do the same for keypairs.

You could, however, write a script that deletes keypairs for user_ids
that don't exist in Keystone...
--
Thanks,
Matt Riedemann
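
The cleanup script suggested in the reply above, sketched as an added example (not code from this thread or from Nova). The callables `user_exists` and `delete_keypair` and the sample rows are hypothetical stand-ins for a Keystone user lookup and an admin keypair delete that passes the stored user_id; where the (user_id, name) list comes from is left to the operator.

```python
from typing import Callable, Iterable, NamedTuple


class Keypair(NamedTuple):
    user_id: str
    name: str


def find_orphaned_keypairs(keypairs: Iterable[Keypair],
                           user_exists: Callable[[str], bool]):
    """Split keypairs into (orphans, skipped).

    orphans: owner is confirmed absent from the identity service.
    skipped: the lookup itself failed, so the owner's state is unknown.
    A failed lookup is never treated as "user deleted".
    """
    state = {}  # user_id -> True / False / None (unknown); one lookup per user
    orphans, skipped = [], []
    for kp in keypairs:
        if kp.user_id not in state:
            try:
                state[kp.user_id] = bool(user_exists(kp.user_id))
            except Exception:
                state[kp.user_id] = None
        if state[kp.user_id] is False:
            orphans.append(kp)
        elif state[kp.user_id] is None:
            skipped.append(kp)
    return orphans, skipped


def cleanup(keypairs, user_exists, delete_keypair, dry_run=True):
    """Delete orphaned keypairs; with dry_run (the default) only report them."""
    orphans, skipped = find_orphaned_keypairs(keypairs, user_exists)
    deleted = []
    if not dry_run:
        for kp in orphans:
            delete_keypair(kp.user_id, kp.name)  # user_id is still required
            deleted.append(kp)
    return {"orphans": orphans, "skipped": skipped, "deleted": deleted}


# Constructed sample data: only u-alice still exists; u-flaky's lookup errors.
SAMPLE_KEYPAIRS = [Keypair("u-alice", "alice-key"), Keypair("u-bob", "bob-key"),
                   Keypair("u-flaky", "flaky-key"), Keypair("u-bob", "bob-laptop")]


def sample_user_exists(user_id: str) -> bool:
    if user_id == "u-flaky":
        raise ConnectionError("identity service unreachable")
    return user_id in {"u-alice"}
```

Run it with `dry_run=True` first and review the `orphans` and `skipped` lists before allowing deletes.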