Users that are removed from LDAP break role assignments and cannot be removed easily in Red Hat OpenStack Platform
Issue
Users that are removed from LDAP break role assignments and cannot be removed easily
User test was added to Active Directory:
[stack@undercloud-6 ~]$ openstack user list --domain redhat
+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond |
| f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | test |
+------------------------------------------------------------------+----------+
[stack@undercloud-6 ~]$ openstack project create demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 1c3e304811d8457a871a6c67f6f63a75 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
[stack@undercloud-6 ~]$ openstack role add --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 _member_
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role assignment list --names
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
| admin | cinderv2@Default | | service@Default | | False |
| _member_ | cinderv2@Default | | service@Default | | False |
| admin | ceilometer@Default | | service@Default | | False |
| _member_ | ceilometer@Default | | service@Default | | False |
| ResellerAdmin | ceilometer@Default | | service@Default | | False |
| admin | admin@Default | | admin@Default | | False |
| admin | nova@Default | | service@Default | | False |
| _member_ | nova@Default | | service@Default | | False |
| admin | glance@Default | | service@Default | | False |
| _member_ | glance@Default | | service@Default | | False |
| admin | neutron@Default | | service@Default | | False |
| _member_ | neutron@Default | | service@Default | | False |
| admin | sahara@Default | | service@Default | | False |
| _member_ | sahara@Default | | service@Default | | False |
| admin | gnocchi@Default | | service@Default | | False |
| _member_ | gnocchi@Default | | service@Default | | False |
| ResellerAdmin | gnocchi@Default | | service@Default | | False |
| admin | swift@Default | | service@Default | | False |
| _member_ | swift@Default | | service@Default | | False |
| admin | aodh@Default | | service@Default | | False |
| _member_ | aodh@Default | | service@Default | | False |
| _member_ | test@redhat | | demo@Default | | False |
| admin | cinder@Default | | service@Default | | False |
| _member_ | cinder@Default | | service@Default | | False |
| admin | heat@Default | | service@Default | | False |
| _member_ | heat@Default | | service@Default | | False |
| admin | admin@Default | | | redhat | False |
| admin | admin@Default | | | Default | False |
| admin | heat_stack_domain_admin@heat_stack | | | heat_stack | False |
+---------------+------------------------------------+-------+-----------------+------------+-----------+
User test was removed from Active Directory:
[stack@undercloud-6 ~]$ openstack user list --domain redhat+------------------------------------------------------------------+----------+
| ID | Name |
+------------------------------------------------------------------+----------+
| 853a331554ea0fb6e938f39256beb9f8096625c29f34bc8d88990b4198205f90 | svc-ldap |
| 82ec6ba7034541d55349c62705f750634a1d0d680386444dbe0f7ffd9f15b032 | akaris |
| 39e5b866156f05d6b3f95409a663a44718bec62eeabc9ec6f08ff78ef5fd457d | nalmond |
[stack@undercloud-6 ~]$ openstack role assignment list | head -2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+----------------------------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
[stack@undercloud-6 ~]$ openstack role assignment list | grep 1c3e304811d8457a871a6c67f6f63a75
| 9fe2ff9ee4384b1894a90878d3e92bab | f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 | | 1c3e304811d8457a871a6c67f6f63a75 | | False |
[stack@undercloud-6 ~]$ openstack role remove --project demo --user f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2 9fe2ff9ee4384b1894a90878d3e92bab
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
The role assignment cannot be removed:
[stack@undercloud-6 ~]$ openstack role remove --project demo --user 1c3e304811d8457a871a6c67f6f63a75 _member_
No user with a name or ID of '1c3e304811d8457a871a6c67f6f63a75' exists.
The user cannot be deleted:
[stack@undercloud-6 ~]$ openstack user delete f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2
No user with a name or ID of 'f3f3e1b1c01c79299154f85f0821ceb0f7c149de8d9836f86eceaaa38e9f27c2' exists.
Environment
Red Hat OpenStack Platform 9
Red Hat OpenStack Platform 10
Red Hat OpenStack Platform 11
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
