Keystone had a bug reported [0] recently (that we are targeting to pike-rc1) that exposes an inconsistency in the API based on configuration. The happy path is as follows:

- a deployment is configured to store projects (controlled by the resource backend) and users (controlled by the identity backend) in SQL
- users can have a default project ID, and a previous bug [1] fix made it so users who were associated to a project via their `default_project_id`, which is an attribute of the user, would be corrected when that project was deleted
- when a project is deleted (DELETE /v3/projects/{project_id}) a callback [2] [3] is invoked to unset that project ID from all users who might have it set as their default project

This works great when both the identity and resource backends are configured to use SQL. When the identity backend is configured to use LDAP, the wheels fall off:

- a user attempts to remove a project (DELETE /v3/projects/{project_id})
- the identity callback is invoked and control is passed to the LDAP identity driver implementation
- the LDAP implementation raises a 403 [4] because read/write LDAP is not supported in keystone, and unsetting a project ID would classify as a write operation

Properly fixing this would result in a 403 -> 204 status code change, which requires an API version bump according to the interoperability guidelines [5] (note that keystone has not implemented microversions at this point). At the same time, not fixing the issue results in a 403 anytime a project is deleted while in this configuration.

Looking to get some advice from the API WG to see if this is something we'll be able to address before rc or not.

Thanks for reading!
Lance

[0] https://bugs.launchpad.net/keystone/+bug/1705081
[1] https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8
[2] https://github.com/openstack/keystone/blob/4e986235713758f2df5ae12e66ca3e5e93edd551/keystone/identity/core.py#L489-L494
[3] https://github.com/openstack/keystone/blob/4e986235713758f2df5ae12e66ca3e5e93edd551/keystone/identity/core.py#L523-L533
[4] https://github.com/openstack/keystone/blob/4e986235713758f2df5ae12e66ca3e5e93edd551/keystone/identity/backends/ldap/core.py#L89-L92
[5] http://specs.openstack.org/openstack/api-wg/guidelines/api_interoperability.html#evaluating-api-changes
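The interaction described in the message, modelled as an added example (this is illustrative code, not keystone's own implementation): a project delete fires an identity callback that unsets `default_project_id`; a SQL-style driver performs the write, while a read-only LDAP-style driver raises the equivalent of the 403. The `guarded` variant, which skips the write when the driver reports itself read-only, is an assumption about one possible behaviour, not the fix keystone chose.

```python
# Added example, not keystone code. Models the project-delete callback from the
# message with a writable (SQL-like) and a read-only (LDAP-like) identity driver.

class Forbidden(Exception):
    """Stands in for the 403 the read-only LDAP identity driver raises."""


class ProjectStore:
    """Minimal stand-in for the resource backend (constructed sample data)."""
    def __init__(self, project_ids):
        self.projects = set(project_ids)

    def remove(self, project_id):
        self.projects.discard(project_id)


class SqlIdentityDriver:
    """Writable identity backend: can clear a user's default_project_id."""
    is_read_only = False

    def __init__(self, users):
        # users: {user_id: {"default_project_id": project_id or None}}
        self.users = users

    def unset_default_project_id(self, project_id):
        for user in self.users.values():
            if user.get("default_project_id") == project_id:
                user["default_project_id"] = None


class LdapIdentityDriver(SqlIdentityDriver):
    """Read-only identity backend: any write is refused, as in the message."""
    is_read_only = True

    def unset_default_project_id(self, project_id):
        raise Forbidden("LDAP identity backend is read-only")


def delete_project_naive(resource, identity, project_id):
    """Current behaviour: the callback always runs, so a read-only identity
    driver turns DELETE /v3/projects/{project_id} into a 403."""
    try:
        resource.remove(project_id)
        identity.unset_default_project_id(project_id)
    except Forbidden:
        return 403
    return 204


def delete_project_guarded(resource, identity, project_id):
    """Assumed alternative (not keystone's chosen fix): skip the write when the
    driver cannot perform it, so the delete completes with 204."""
    resource.remove(project_id)
    if not identity.is_read_only:
        identity.unset_default_project_id(project_id)
    return 204
```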