authorLance Bragstad <lbragstad@gmail.com>2019-12-18 11:59:53 -0600
committerLance Bragstad <lbragstad@gmail.com>2020-01-30 08:35:04 -0600
commit2e4055e49b519a146902f0cf06740ec43231929b (patch)
treec920d282f3b969aca83873a2a4c0b41fd9ef016a
parent200dda218de19c19ee1f5d1a735da7e0a4fc7db5 (diff)
downloadkeystone-2e4055e49b519a146902f0cf06740ec43231929b.tar.gz
Ensure bootstrap handles multiple roles with the same name
The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways. This change deviates slightly from the upstream patches in that the stable/rocky test_cli.py module doesn't have a `self.bootstrap` attribute. Instead, we just test with `bootstrap` in the test itself. Otherwise, the test is functionally the same. Closes-Bug: 1856881 Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d (cherry picked from commit 25cf359e5fb914b855922121f20e23bd14626b8e) (cherry picked from commit 51ff7be731450c183b3e3eb6d34493e986cc2635) (cherry picked from commit 1ba238e49195890c0232554005d4efa670467694)
-rw-r--r--keystone/cmd/bootstrap.py8
-rw-r--r--keystone/tests/unit/test_cli.py25
-rw-r--r--releasenotes/notes/bug-1856881-277103af343187f1.yaml7
3 files changed, 40 insertions, 0 deletions
diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py
index 2d1ec8577..c343c0013 100644
--- a/keystone/cmd/bootstrap.py
+++ b/keystone/cmd/bootstrap.py
@@ -124,6 +124,14 @@ class Bootstrapper(object):
# name instead.
hints = driver_hints.Hints()
hints.add_filter('name', role_name)
+ # Only return global roles, domain-specific roles can't be used in
+ # system assignments and bootstrap isn't designed to work with
+ # domain-specific roles.
+ hints.add_filter('domain_id', None)
+
+ # NOTE(lbragstad): Global roles are unique based on name. At this
+ # point we should be safe to return the first, and only, element in
+ # the list.
return PROVIDERS.role_api.list_roles(hints)[0]
def _ensure_implied_role(self, prior_role_id, implied_role_id):
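Review bot: The `[0]` in `return PROVIDERS.role_api.list_roles(hints)[0]` still turns an empty result into a bare IndexError; the new NOTE argues uniqueness but not existence, and the combined name/domain filter matches strictly fewer rows than the old name-only lookup did. Whether an empty list is reachable depends on the try/except above the hunk (the enclosing method starts outside it), so a guard that names the missing role is cheap insurance: `roles = PROVIDERS.role_api.list_roles(hints)` / `if not roles: raise exception.RoleNotFound(role_id=role_name)` / `return roles[0]`, assuming `keystone.exception` is already imported in this module, which the Conflict handling presumably relies on. The `domain_id=None` filter also assumes the role driver interprets a None filter as "global roles only"; the SQL backend is what the added unit test exercises, so that assumption is covered there, but the comment could say so, e.g. `# relies on the driver mapping a None domain_id filter to its null-domain sentinel`.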
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 2c4a3f1de..cd7d21012 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -281,6 +281,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
user_id,
bootstrap.password)
+ def test_bootstrap_with_ambiguous_role_names(self):
+ bootstrap = cli.BootStrap()
+ # bootstrap system to create the default admin role
+ self._do_test_bootstrap(bootstrap)
+
+ # create a domain-specific roles that share the same names as the
+ # default roles created by keystone-manage bootstrap
+ domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
+ domain_roles = {}
+
+ for name in ['admin', 'member', 'reader']:
+ domain_role = {
+ 'domain_id': domain['id'],
+ 'id': uuid.uuid4().hex,
+ 'name': name
+ }
+ domain_roles[name] = PROVIDERS.role_api.create_role(
+ domain_role['id'], domain_role
+ )
+
+ # ensure subsequent bootstrap attempts don't fail because of
+ # ambiguity
+ self._do_test_bootstrap(bootstrap)
+
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
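Review bot: The test builds `domain_roles` but never asserts on it, so it only proves the second bootstrap does not raise — it would pass equally if bootstrap silently resolved one of the domain-specific roles and that happened not to fail. Pin the behaviour this commit is about by checking the resolved ids against the domain-specific ones after the second `_do_test_bootstrap(bootstrap)`, e.g. `self.assertNotIn(bootstrap.role_id, [r['id'] for r in domain_roles.values()])`, provided `BootStrap` exposes the resolved role id the way it exposes `password` on the line above the method; if it does not, the `domain_roles` dict should be dropped in favour of a plain loop. A one-line docstring tying the case to the bug would also help a future reader, e.g. `"""Bootstrap must ignore domain-specific roles that share default role names (bug 1856881)."""`.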
diff --git a/releasenotes/notes/bug-1856881-277103af343187f1.yaml b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
new file mode 100644
index 000000000..673371dbf
--- /dev/null
+++ b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
+ ``keystone-manage bootstrap`` can be run in upgrade scenarios where
+ pre-existing domain-specific roles exist named ``admin``, ``member``, and
+ ``reader``.