author | Colleen Murphy <colleen.murphy@suse.de> | 2019-10-09 16:30:33 -0700 |
---|---|---|
committer | Colleen Murphy <colleen.murphy@suse.de> | 2019-10-11 14:12:57 -0700 |
commit | c4d60977881ac2f014dc6e2eaaba37892f075266 (patch) | |
tree | 1df531e4b0ddd68dccb1e9e59f809f972f2d0fca /keystone | |
parent | e4626f4bc32b846ca9b99f954101a7a462675ea5 (diff) | |
Drop project.id foreign keys
In 2bd88d30 we added a new column domain_id to the user table to
deduplicate the domain_id columns in the local_user and nonlocal_user
tables, and at that point made the user.domain_id column a foreign key
referencing the project.id column. This is a problem that led to
3d46c8a5 in which we removed the ability for the resource driver to be
pluggable, since we had linked two sql backends together and made them
reliant on one another.
This commit removes the foreign key constraint from the user table and
the identity_provider table. For the user table, the sqlalchemy model
never reflected this schema so we don't need to change the model. For
the identity_provider table, we need to update the model. In both cases,
we already enforce, at the manager layer, the constraint that the
domain_id needs to reference a real domain ID[1][2], so we do not need
to rely on this constraint at the database layer.
[1] https://opendev.org/openstack/keystone/src/commit/43142e4470df976a459a1a2e95cfb163afc42893/keystone/identity/core.py#L935
[2] https://opendev.org/openstack/keystone/src/commit/43142e4470df976a459a1a2e95cfb163afc42893/keystone/federation/core.py#L73-L77
Partial-bug: #1672713
Change-Id: I7c068e350811e22622d1f1e7d8b0a55d4d7cab11
Diffstat (limited to 'keystone')
5 files changed, 103 insertions, 2 deletions
diff --git a/keystone/common/sql/contract_repo/versions/072_contract_drop_domain_id_fk.py b/keystone/common/sql/contract_repo/versions/072_contract_drop_domain_id_fk.py
new file mode 100644
index 000000000..7e00c1e9f
--- /dev/null
+++ b/keystone/common/sql/contract_repo/versions/072_contract_drop_domain_id_fk.py
@@ -0,0 +1,47 @@
+# Copyright 2019 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This is a placeholder for Train backports. Do not use this number for new
+# Ussuri work. New Ussuri work starts after all the placeholders.
+
+import migrate
+import sqlalchemy as sql
+
+
+def upgrade(migrate_engine):
+ meta = sql.MetaData()
+ meta.bind = migrate_engine
+ user = sql.Table('user', meta, autoload=True)
+ project = sql.Table('project', meta, autoload=True)
+
+ fk_name = [
+ c for c in user.constraints
+ if isinstance(c, sql.ForeignKeyConstraint)
+ and c.column_keys == ['domain_id']
+ ][0].name
+ fk_constraint = migrate.ForeignKeyConstraint(
+ columns=[user.c.domain_id], refcolumns=[project.c.id])
+ fk_constraint.name = fk_name
+ fk_constraint.drop()
+
+ identity_provider = sql.Table('identity_provider', meta, autoload=True)
+ fk_name = [
+ c for c in identity_provider.constraints
+ if isinstance(c, sql.ForeignKeyConstraint)
+ and c.column_keys == ['domain_id']
+ ][0].name
+ fk_constraint = migrate.ForeignKeyConstraint(
+ columns=[identity_provider.c.domain_id], refcolumns=[project.c.id])
+ fk_constraint.name = fk_name
+ fk_constraint.drop()
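Review bot: Both lookups in `upgrade()` end in `[0].name`, so a schema where the `domain_id` foreign key is absent on `user` or `identity_provider` fails with a bare IndexError, and a re-run after a failure between the two drops would stop at the `user` lookup. Consider a small helper that returns early when no matching constraint is reflected; it also removes the duplicated block for the second table. Whether skipping silently is acceptable depends on how keystone treats partially applied contract migrations, which is not visible here. The header comment `# This is a placeholder for Train backports` also looks copied from the no-op migrations, although this file does real work.

```python
def _drop_domain_id_fk(table, project):
    # Look the constraint up by column so the backend-assigned name is used.
    fks = [
        c for c in table.constraints
        if isinstance(c, sql.ForeignKeyConstraint)
        and c.column_keys == ['domain_id']
    ]
    if not fks:
        # Constraint already gone (e.g. re-run after a partial failure).
        return
    fk_constraint = migrate.ForeignKeyConstraint(
        columns=[table.c.domain_id], refcolumns=[project.c.id])
    fk_constraint.name = fks[0].name
    fk_constraint.drop()


def upgrade(migrate_engine):
    # … unchanged: MetaData setup, autoload of user and project …
    _drop_domain_id_fk(user, project)
    identity_provider = sql.Table('identity_provider', meta, autoload=True)
    _drop_domain_id_fk(identity_provider, project)
```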
diff --git a/keystone/common/sql/data_migration_repo/versions/072_migrate_drop_domain_id_fk.py b/keystone/common/sql/data_migration_repo/versions/072_migrate_drop_domain_id_fk.py
new file mode 100644
index 000000000..bb90c3de3
--- /dev/null
+++ b/keystone/common/sql/data_migration_repo/versions/072_migrate_drop_domain_id_fk.py
@@ -0,0 +1,20 @@
+# Copyright 2019 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This is a placeholder for Train backports. Do not use this number for new
+# Ussuri work. New Ussuri work starts after all the placeholders.
+
+
+def upgrade(migrate_engine):
+ pass
diff --git a/keystone/common/sql/expand_repo/versions/072_expand_drop_domain_id_fk.py b/keystone/common/sql/expand_repo/versions/072_expand_drop_domain_id_fk.py
new file mode 100644
index 000000000..bb90c3de3
--- /dev/null
+++ b/keystone/common/sql/expand_repo/versions/072_expand_drop_domain_id_fk.py
@@ -0,0 +1,20 @@
+# Copyright 2019 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# This is a placeholder for Train backports. Do not use this number for new
+# Ussuri work. New Ussuri work starts after all the placeholders.
+
+
+def upgrade(migrate_engine):
+ pass
diff --git a/keystone/federation/backends/sql.py b/keystone/federation/backends/sql.py
index 9451e1a4b..0b7997327 100644
--- a/keystone/federation/backends/sql.py
+++ b/keystone/federation/backends/sql.py
@@ -56,8 +56,7 @@ class IdentityProviderModel(sql.ModelBase, sql.ModelDictMixin):
 mutable_attributes = frozenset(['description', 'enabled', 'remote_ids'])
 id = sql.Column(sql.String(64), primary_key=True)
- domain_id = sql.Column(sql.String(64), sql.ForeignKey('project.id'),
- nullable=False)
+ domain_id = sql.Column(sql.String(64), nullable=False)
 enabled = sql.Column(sql.Boolean, nullable=False)
 description = sql.Column(sql.Text(), nullable=True)
 remote_ids = orm.relationship('IdPRemoteIdsModel',
diff --git a/keystone/tests/unit/test_sql_upgrade.py b/keystone/tests/unit/test_sql_upgrade.py
index c048fe516..33f8da5c0 100644
--- a/keystone/tests/unit/test_sql_upgrade.py
+++ b/keystone/tests/unit/test_sql_upgrade.py
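Review bot: After this change nothing on the `domain_id` column of `IdentityProviderModel` records that referential integrity is now enforced only above the database, so a later reader may re-add the key or assume the database still rejects unknown domains. A comment above the column would capture the decision, e.g. `# No FK to project.id on purpose: domain_id is validated by the federation manager, not the database.` Because an identity provider's `domain_id` ties its federated users to a domain, it is also worth confirming that domain deletion cleans up or rejects identity providers that still point at it; that path is outside this hunk. The class body starts before and continues after the hunk.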
@@ -3458,6 +3458,21 @@ class FullMigration(SqlMigrateBase, unit.TestCase):
 role_option, ['role_id', 'option_id', 'option_value'])
+ def test_migration_072_drop_domain_id_fk(self):
+ self.expand(71)
+ self.migrate(71)
+ self.contract(71)
+
+ self.assertTrue(self.does_fk_exist('user', 'domain_id'))
+ self.assertTrue(self.does_fk_exist('identity_provider', 'domain_id'))
+
+ self.expand(72)
+ self.migrate(72)
+ self.contract(72)
+
+ self.assertFalse(self.does_fk_exist('user', 'domain_id'))
+ self.assertFalse(self.does_fk_exist('identity_provider', 'domain_id'))
+
 class MySQLOpportunisticFullMigration(FullMigration):
 FIXTURE = db_fixtures.MySQLOpportunisticFixture |