diff options
| author | Vishakha Agarwal <agarwalvishakha18@gmail.com> | 2020-05-27 12:08:41 +0530 |
|---|---|---|
| committer | Lance Bragstad <lbragstad@gmail.com> | 2020-10-30 16:03:28 +0000 |
| commit | e8b477847cabe449be4d3b8a21d8236ddbd84064 (patch) | |
| tree | 5a5c108e057c2702c39bccdafa0165e33a397a38 | |
| parent | fb7d54543fd69e046a5136ca4028f4e128b947c2 (diff) | |
| download | keystone-e8b477847cabe449be4d3b8a21d8236ddbd84064.tar.gz | |
Delete system role assignments from system_assignment table
This patch ensures to delete the system role assignments from
all the assignment tables in keystone after deleting the role
user has over the system.
This also make sure of deleting stale role assignments before
deleting role for the deployments that are already in this state.
Closes-Bug: #1878938
Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
(cherry picked from commit c1dcbb05b4488f1fa3e7af4d9171d11702d94119)
(cherry picked from commit b83170a386ba8da2195c7494d04d832ce9b6d7b0)
(cherry picked from commit 6f93063ff95f3c65af106a09281427e411d01850)
(cherry picked from commit 7ac0891375656d156f1a9601e3520052dddb39d0)
| -rw-r--r-- | keystone/assignment/backends/sql.py | 5 | ||||
| -rw-r--r-- | keystone/tests/unit/assignment/test_backends.py | 19 | ||||
| -rw-r--r-- | releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml | 16 |
3 files changed, 40 insertions, 0 deletions
diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py index 6822811ca..5eda2b724 100644 --- a/keystone/assignment/backends/sql.py +++ b/keystone/assignment/backends/sql.py @@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase): q = q.filter_by(role_id=role_id) q.delete(False) + with sql.session_for_write() as session: + q = session.query(SystemRoleAssignment) + q = q.filter_by(role_id=role_id) + q.delete(False) + def delete_domain_assignments(self, domain_id): with sql.session_for_write() as session: q = session.query(RoleAssignment) diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index 589256eff..181c42a54 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py @@ -4226,3 +4226,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): group_id, role['id'] ) + + def test_delete_role_with_system_assignments(self): + role = unit.new_role_ref() + PROVIDERS.role_api.create_role(role['id'], role) + domain = unit.new_domain_ref() + PROVIDERS.resource_api.create_domain(domain['id'], domain) + user = unit.new_user_ref(domain_id=domain['id']) + user = PROVIDERS.identity_api.create_user(user) + + # creating a system grant for user + PROVIDERS.assignment_api.create_system_grant_for_user( + user['id'], role['id'] + ) + # deleting the role user has on system + PROVIDERS.role_api.delete_role(role['id']) + system_roles = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) + self.assertEqual(len(system_roles), 0) diff --git a/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml new file mode 100644 index 000000000..21a53b482 --- /dev/null +++ b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml @@ -0,0 +1,16 @@ +--- +fixes: + - | + [`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_] + Previously when a user used to have system role assignment and tries to delete + the same role, the system role assignments still existed in system_assignment + table. This causes keystone to return `HTTP 404 Not Found` errors when listing + role assignments with names (e.g., `--names` or `?include_names`). + + If you are affected by this bug, you must remove stale role assignments + manually. The following is an example SQL statement you can use to fix the + issue, but you should verify it's applicability to your deployment's SQL + implementation and version. + + SQL: + - delete from system_assignment where role_id not in (select id from role); |