authorZuul <zuul@review.opendev.org>2020-01-30 18:11:39 +0000
committerGerrit Code Review <review@openstack.org>2020-01-30 18:11:39 +0000
commit3907f65600c605ea39ec99346db860373522a0cb (patch)
tree85624fe400935f04404ce23ec20ab5b00a26f350
parentaf470fd6394af9758a277f05744dd4544bac09e5 (diff)
parent1ba238e49195890c0232554005d4efa670467694 (diff)
downloadkeystone-3907f65600c605ea39ec99346db860373522a0cb.tar.gz
Merge "Ensure bootstrap handles multiple roles with the same name" into stable/stein
-rw-r--r--keystone/cmd/bootstrap.py8
-rw-r--r--keystone/tests/unit/test_cli.py24
-rw-r--r--releasenotes/notes/bug-1856881-277103af343187f1.yaml7
3 files changed, 39 insertions, 0 deletions
diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py
index bdce341c7..abffd663a 100644
--- a/keystone/cmd/bootstrap.py
+++ b/keystone/cmd/bootstrap.py
@@ -124,6 +124,14 @@ class Bootstrapper(object):
# name instead.
hints = driver_hints.Hints()
hints.add_filter('name', role_name)
+ # Only return global roles, domain-specific roles can't be used in
+ # system assignments and bootstrap isn't designed to work with
+ # domain-specific roles.
+ hints.add_filter('domain_id', None)
+
+ # NOTE(lbragstad): Global roles are unique based on name. At this
+ # point we should be safe to return the first, and only, element in
+ # the list.
return PROVIDERS.role_api.list_roles(hints)[0]
def _ensure_implied_role(self, prior_role_id, implied_role_id):
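Review bot: The final `return PROVIDERS.role_api.list_roles(hints)[0]` still relies on an unchecked assumption that the lookup yields exactly one role, which the new NOTE states but the code does not enforce. If a role backend does not apply the `domain_id` filter (not verifiable from this hunk), a domain-specific role could still come back first. Because bootstrap grants its assignments on the role resolved here, that would put the bootstrap grant on the wrong role. An empty list would surface as a bare `IndexError`. I would bind the result first, `roles = PROVIDERS.role_api.list_roles(hints)`, and raise a descriptive error unless `len(roles) == 1` and `roles[0]['domain_id'] is None`. The enclosing method starts above this hunk, so how the lookup is reached is not visible here.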
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 25f05be9e..b51a792bc 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -289,6 +289,30 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
user_id,
self.bootstrap.password)
+ def test_bootstrap_with_ambiguous_role_names(self):
+ # bootstrap system to create the default admin role
+ self._do_test_bootstrap(self.bootstrap)
+
+ # create a domain-specific roles that share the same names as the
+ # default roles created by keystone-manage bootstrap
+ domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
+ domain_roles = {}
+
+ for name in ['admin', 'member', 'reader']:
+ domain_role = {
+ 'domain_id': domain['id'],
+ 'id': uuid.uuid4().hex,
+ 'name': name
+ }
+ domain_roles[name] = PROVIDERS.role_api.create_role(
+ domain_role['id'], domain_role
+ )
+
+ # ensure subsequent bootstrap attempts don't fail because of
+ # ambiguity
+ self._do_test_bootstrap(self.bootstrap)
+
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
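Review bot: `domain_roles` is filled in the loop of `test_bootstrap_with_ambiguous_role_names` but never read, so the test only shows that the second `_do_test_bootstrap` call does not raise. It does not show that bootstrap resolved the global `admin`, `member` and `reader` roles rather than the domain-specific ones it just created, which is the property that matters for who ends up holding admin. Unless `_do_test_bootstrap` (defined outside this hunk) already checks this, add an assertion after the second call that none of the role ids bootstrap resolved appear among the ids stored in `domain_roles`. The comment `# create a domain-specific roles` should also read `# create domain-specific roles`.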
diff --git a/releasenotes/notes/bug-1856881-277103af343187f1.yaml b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
new file mode 100644
index 000000000..673371dbf
--- /dev/null
+++ b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
+ ``keystone-manage bootstrap`` can be run in upgrade scenarios where
+ pre-existing domain-specific roles exist named ``admin``, ``member``, and
+ ``reader``.