Ceph » rgw

After removing a subuser without explicitly purging its keys, the user info may like this:
ceph@ceph1:~$ radosgw-admin subuser rm --subuser=test:swift

"user_id": "test",
"display_name": "Test",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"auid": 0,
"subusers": [],
"keys": [ {
"user": "test:swift",
"access_key": "VYQL38E0OSKFVGNJ499B",
"secret_key": ""
}, {
"user": "test",
"access_key": "W1DLB74QTBVKOE4SL6VF",
"secret_key": "7yeir2mkzNfCbQE1mrAHZqeNdcxenyNhrC1W2f3w"
}
],
"swift_keys": [ {
"user": "test:swift",
"secret_key": "rtYyABeKIeMRDCbKB64DiF0tBzXgbom4ijaXDUjd"
}
],

The subuser is deleted in the "subusers" section, but its swift key remains. This raises at least two problems:

• The removed subuser can still pass authentication and list containers. When it tries to go deeper to see objects, the system returns an error code: 401 Unauthorized, rather than code: 403 Forbidden. The behavior is the same as a valid subuser with permission: <none>. (I'm not sure if a subuser without any permission should be able to get the container list, it might be another issue.)
• If we create a subuser with the same name as the deleted one, the original swift key can still work. This may cause potential security problems.

Would it be more reasonable to set the '--purge-keys' as the default option? Or is there any particular design concerns not to do this?