diff options
author | Lance Bragstad <lbragstad@gmail.com> | 2019-12-18 11:59:53 -0600 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2020-01-29 11:39:09 -0600 |
commit | 1ba238e49195890c0232554005d4efa670467694 (patch) | |
tree | 6f636e393eedaffef6e003e1622e4b04483a654d | |
parent | 5ad8a33d5a43c3d3e63f434c10223d9f42070e0e (diff) | |
download | keystone-1ba238e49195890c0232554005d4efa670467694.tar.gz |
Ensure bootstrap handles multiple roles with the same name
The bootstrap logic doesn't take into consideration multiple roles
with the same name. If bootstrap is unable to determine which role to
use and accidentally uses a domain-specific role with the same name
as a default role, bootstrap will fail in unexpected ways.
Conflicts:
keystone/tests/unit/test_cli.py
Conflict exists because stable/stein doesn't have
https://review.opendev.org/#/c/675228/ but it's unrelated to this
specific bug fix.
Closes-Bug: 1856881
Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
(cherry picked from commit 25cf359e5fb914b855922121f20e23bd14626b8e)
(cherry picked from commit 51ff7be731450c183b3e3eb6d34493e986cc2635)
-rw-r--r-- | keystone/cmd/bootstrap.py | 8 | ||||
-rw-r--r-- | keystone/tests/unit/test_cli.py | 24 | ||||
-rw-r--r-- | releasenotes/notes/bug-1856881-277103af343187f1.yaml | 7 |
3 files changed, 39 insertions, 0 deletions
diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py index bdce341c7..abffd663a 100644 --- a/keystone/cmd/bootstrap.py +++ b/keystone/cmd/bootstrap.py @@ -124,6 +124,14 @@ class Bootstrapper(object): # name instead. hints = driver_hints.Hints() hints.add_filter('name', role_name) + # Only return global roles, domain-specific roles can't be used in + # system assignments and bootstrap isn't designed to work with + # domain-specific roles. + hints.add_filter('domain_id', None) + + # NOTE(lbragstad): Global roles are unique based on name. At this + # point we should be safe to return the first, and only, element in + # the list. return PROVIDERS.role_api.list_roles(hints)[0] def _ensure_implied_role(self, prior_role_id, implied_role_id): diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py index 25f05be9e..b51a792bc 100644 --- a/keystone/tests/unit/test_cli.py +++ b/keystone/tests/unit/test_cli.py @@ -289,6 +289,30 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase): user_id, self.bootstrap.password) + def test_bootstrap_with_ambiguous_role_names(self): + # bootstrap system to create the default admin role + self._do_test_bootstrap(self.bootstrap) + + # create a domain-specific roles that share the same names as the + # default roles created by keystone-manage bootstrap + domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} + domain = PROVIDERS.resource_api.create_domain(domain['id'], domain) + domain_roles = {} + + for name in ['admin', 'member', 'reader']: + domain_role = { + 'domain_id': domain['id'], + 'id': uuid.uuid4().hex, + 'name': name + } + domain_roles[name] = PROVIDERS.role_api.create_role( + domain_role['id'], domain_role + ) + + # ensure subsequent bootstrap attempts don't fail because of + # ambiguity + self._do_test_bootstrap(self.bootstrap) + class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase): diff --git a/releasenotes/notes/bug-1856881-277103af343187f1.yaml b/releasenotes/notes/bug-1856881-277103af343187f1.yaml new file mode 100644 index 000000000..673371dbf --- /dev/null +++ b/releasenotes/notes/bug-1856881-277103af343187f1.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + [`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_] + ``keystone-manage bootstrap`` can be run in upgrade scenarios where + pre-existing domain-specific roles exist named ``admin``, ``member``, and + ``reader``. |