
openstack: cleanup neutron user
Closed, Resolved · Public

Description

We used to have a neutron user in LDAP, which eventually got deleted so that it doesn't clash with the neutron system user created by openstack packages.

It seems we need further cleanup. I think we have some role assigned to this (now missing) neutron LDAP user, which makes this command crash:

root@cloudcontrol1003:~# openstack role assignment list --names
Could not find user: neutron (HTTP 404) (Request-ID: req-2a42ad3e-7341-4473-8b5c-1c01d5e78a4d)

Apparently it is this entry:

root@cloudcontrol1003:~# openstack role assignment list
+----------------------------------+------------------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                                     | Group | Project                          | Domain | Inherited |
+----------------------------------+------------------------------------------+-------+----------------------------------+--------+-----------+
[..]
| f473273fac7146b3bdbf22e5d4504f95 | neutron                                  |       | bastion                          |        | False     |

If trying to remove the role assignment by hand, an error happens:

root@cloudcontrol1003:~# openstack role remove --user neutron --project bastion f473273fac7146b3bdbf22e5d4504f95
No user with a name or ID of 'neutron' exists.

So perhaps this needs cleanup at database level.

Event Timeline

aborrero created this task. Aug 7 2019, 9:36 AM
aborrero triaged this task as Medium priority. Aug 7 2019, 9:39 AM
aborrero updated the task description.
aborrero moved this task from Inbox to Important on the cloud-services-team (Kanban) board.

Mentioned in SAL (#wikimedia-cloud) [2019-08-07T14:29:48Z] <jeh> remove invalid neutron role assignment T230003

Nice catch, thanks for the back story too.

MariaDB [keystone]> select * from assignment where actor_id = 'neutron';
+-------------+----------+-----------+----------------------------------+-----------+
| type        | actor_id | target_id | role_id                          | inherited |
+-------------+----------+-----------+----------------------------------+-----------+
| UserProject | neutron  | bastion   | f473273fac7146b3bdbf22e5d4504f95 |         0 |
+-------------+----------+-----------+----------------------------------+-----------+
1 row in set (0.01 sec)

MariaDB [keystone]> delete from assignment where actor_id = 'neutron';
Query OK, 1 row affected (0.00 sec)

Found another one too:

openstack role assignment list --names
Could not find project: 9fb604ed497f41a6becaff067fa3ff11 (HTTP 404) (Request-ID: req-5565b77b-8f51-45e2-bf83-ce18cf4b7964)
openstack role assignment list | grep 9fb604ed497f41a6becaff067fa3ff11
| 4d8cad783d6342efa8414d7d36fbc034 | novaadmin                                |       | 9fb604ed497f41a6becaff067fa3ff11 |        | False     |
| f473273fac7146b3bdbf22e5d4504f95 | novaadmin                                |       | 9fb604ed497f41a6becaff067fa3ff11 |        | False     |
| 47a8370618ea42d49f7047774e75d262 | novaobserver                             |       | 9fb604ed497f41a6becaff067fa3ff11 |        | False     |

MariaDB [keystone]> select * from assignment where target_id = '9fb604ed497f41a6becaff067fa3ff11';
+-------------+--------------+----------------------------------+----------------------------------+-----------+
| type        | actor_id     | target_id                        | role_id                          | inherited |
+-------------+--------------+----------------------------------+----------------------------------+-----------+
| UserProject | novaadmin    | 9fb604ed497f41a6becaff067fa3ff11 | 4d8cad783d6342efa8414d7d36fbc034 |         0 |
| UserProject | novaadmin    | 9fb604ed497f41a6becaff067fa3ff11 | f473273fac7146b3bdbf22e5d4504f95 |         0 |
| UserProject | novaobserver | 9fb604ed497f41a6becaff067fa3ff11 | 47a8370618ea42d49f7047774e75d262 |         0 |
+-------------+--------------+----------------------------------+----------------------------------+-----------+
3 rows in set (0.01 sec)

MariaDB [keystone]> delete from assignment where target_id = '9fb604ed497f41a6becaff067fa3ff11';
Query OK, 3 rows affected (0.02 sec)

JHedden closed this task as Resolved. Aug 7 2019, 2:45 PM
JHedden claimed this task.

Confirmed openstack role assignment list --names is working as expected now.
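
An added example, not part of the original task: a small audit that parses the plain `openstack role assignment list` table (the form without --names, which still works when a referenced user or project is gone) and reports assignments that point at a missing user or project. The inventories KNOWN_USERS and KNOWN_PROJECTS and the function names are assumptions for illustration; in practice the inventories would hold the user and project IDs that currently exist, in the same form the table shows them.

```python
# Constructed sample in the layout of `openstack role assignment list`,
# reusing rows quoted in this task plus one healthy row for contrast.
SAMPLE_TABLE = """\
+------+------+-------+---------+--------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+------+------+-------+---------+--------+-----------+
| f473273fac7146b3bdbf22e5d4504f95 | neutron |  | bastion |  | False |
| 4d8cad783d6342efa8414d7d36fbc034 | novaadmin |  | 9fb604ed497f41a6becaff067fa3ff11 |  | False |
| 47a8370618ea42d49f7047774e75d262 | novaobserver |  | bastion |  | False |
+------+------+-------+---------+--------+-----------+
"""

# Assumed inventories (hypothetical): IDs of the users and projects that
# still exist, as they appear in the User and Project columns.
KNOWN_USERS = {"novaadmin", "novaobserver"}
KNOWN_PROJECTS = {"bastion"}


def parse_assignments(table):
    """Turn the ASCII table into dicts keyed by the header row."""
    header, rows = None, []
    for line in table.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # skip borders, "[..]" elisions and shell prompts
        cells = [cell.strip() for cell in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def find_orphans(rows, known_users, known_projects):
    """Return (role, user, project, missing) for dangling assignments."""
    orphans = []
    for row in rows:
        missing = []
        # Empty cells (group or domain assignments) are not checked here.
        if row["User"] and row["User"] not in known_users:
            missing.append("user")
        if row["Project"] and row["Project"] not in known_projects:
            missing.append("project")
        if missing:
            orphans.append((row["Role"], row["User"], row["Project"], missing))
    return orphans


if __name__ == "__main__":
    for hit in find_orphans(parse_assignments(SAMPLE_TABLE), KNOWN_USERS, KNOWN_PROJECTS):
        print(hit)
```

Each reported row is a candidate for the kind of review and cleanup shown in the comments above.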