diff options
-rw-r--r-- | .zuul.yaml | 19 | ||||
-rw-r--r-- | keystone/assignment/backends/sql.py | 5 | ||||
-rw-r--r-- | keystone/tests/unit/assignment/test_backends.py | 19 | ||||
-rw-r--r-- | playbooks/legacy/keystone-dsvm-grenade-multinode/post.yaml | 15 | ||||
-rw-r--r-- | playbooks/legacy/keystone-dsvm-grenade-multinode/run.yaml | 48 | ||||
-rw-r--r-- | releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml | 16 |
6 files changed, 51 insertions, 71 deletions
diff --git a/.zuul.yaml b/.zuul.yaml index dfc6aaae6..50bd87b37 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -110,15 +110,17 @@ # Experimental - job: - name: keystone-dsvm-grenade-multinode - parent: legacy-dsvm-base-multinode - run: playbooks/legacy/keystone-dsvm-grenade-multinode/run.yaml - post-run: playbooks/legacy/keystone-dsvm-grenade-multinode/post.yaml - timeout: 10800 + name: keystone-grenade-multinode + parent: grenade-multinode required-projects: - openstack/grenade - - openstack/devstack-gate - openstack/keystone + vars: + devstack_plugins: + keystone: https://opendev.org/openstack/keystone + grenade_devstack_localrc: + shared: + MULTI_KEYSTONE: True # Experimental - job: @@ -178,7 +180,6 @@ - project: templates: - openstack-cover-jobs - - openstack-lower-constraints-jobs - openstack-python3-ussuri-jobs - publish-openstack-docs-pti - periodic-stable-jobs @@ -199,6 +200,7 @@ voting: false irrelevant-files: *irrelevant-files - keystone-dsvm-py3-functional-federation-opensuse15-k2k: + voting: false irrelevant-files: *irrelevant-files - keystoneclient-devstack-functional: voting: false @@ -226,6 +228,7 @@ - keystone-dsvm-py3-functional: irrelevant-files: *irrelevant-files - keystone-dsvm-py3-functional-federation-opensuse15-k2k: + voting: false irrelevant-files: *irrelevant-files - tempest-full-py3: irrelevant-files: *tempest-irrelevant-files @@ -237,7 +240,7 @@ experimental: jobs: - keystone-tox-patch_cover - - keystone-dsvm-grenade-multinode: + - keystone-grenade-multinode: irrelevant-files: *irrelevant-files - openstack-ansible-keystone-rolling-upgrade: irrelevant-files: *irrelevant-files diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py index 6822811ca..5eda2b724 100644 --- a/keystone/assignment/backends/sql.py +++ b/keystone/assignment/backends/sql.py @@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase): q = q.filter_by(role_id=role_id) q.delete(False) + with sql.session_for_write() as session: + q = session.query(SystemRoleAssignment) + q = q.filter_by(role_id=role_id) + q.delete(False) + def delete_domain_assignments(self, domain_id): with sql.session_for_write() as session: q = session.query(RoleAssignment) diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index dd327c879..cdf89664a 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py @@ -4225,3 +4225,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): group_id, role['id'] ) + + def test_delete_role_with_system_assignments(self): + role = unit.new_role_ref() + PROVIDERS.role_api.create_role(role['id'], role) + domain = unit.new_domain_ref() + PROVIDERS.resource_api.create_domain(domain['id'], domain) + user = unit.new_user_ref(domain_id=domain['id']) + user = PROVIDERS.identity_api.create_user(user) + + # creating a system grant for user + PROVIDERS.assignment_api.create_system_grant_for_user( + user['id'], role['id'] + ) + # deleting the role user has on system + PROVIDERS.role_api.delete_role(role['id']) + system_roles = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) + self.assertEqual(len(system_roles), 0) diff --git a/playbooks/legacy/keystone-dsvm-grenade-multinode/post.yaml b/playbooks/legacy/keystone-dsvm-grenade-multinode/post.yaml deleted file mode 100644 index e07f5510a..000000000 --- a/playbooks/legacy/keystone-dsvm-grenade-multinode/post.yaml +++ /dev/null @@ -1,15 +0,0 @@ -- hosts: primary - tasks: - - - name: Copy files from {{ ansible_user_dir }}/workspace/ on node - synchronize: - src: '{{ ansible_user_dir }}/workspace/' - dest: '{{ zuul.executor.log_root }}' - mode: pull - copy_links: true - verify_host: true - rsync_opts: - - --include=/logs/** - - --include=*/ - - --exclude=* - - --prune-empty-dirs diff --git a/playbooks/legacy/keystone-dsvm-grenade-multinode/run.yaml b/playbooks/legacy/keystone-dsvm-grenade-multinode/run.yaml deleted file mode 100644 index 115187991..000000000 --- a/playbooks/legacy/keystone-dsvm-grenade-multinode/run.yaml +++ /dev/null @@ -1,48 +0,0 @@ -- hosts: primary - name: Autoconverted job legacy-keystone-dsvm-grenade-multinode from old job gate-keystone-dsvm-grenade-multinode-ubuntu-xenial-nv - tasks: - - - name: Ensure legacy workspace directory - file: - path: '{{ ansible_user_dir }}/workspace' - state: directory - - - shell: - cmd: | - set -e - set -x - cat > clonemap.yaml << EOF - clonemap: - - name: openstack/devstack-gate - dest: devstack-gate - EOF - /usr/zuul-env/bin/zuul-cloner -m clonemap.yaml --cache-dir /opt/git \ - https://opendev.org \ - openstack/devstack-gate - executable: /bin/bash - chdir: '{{ ansible_user_dir }}/workspace' - environment: '{{ zuul | zuul_legacy_vars }}' - - - shell: - cmd: | - set -e - set -x - export PYTHONUNBUFFERED=true - export DEVSTACK_GATE_CONFIGDRIVE=0 - export DEVSTACK_GATE_NEUTRON=1 - export DEVSTACK_GATE_GRENADE=pullup - export DEVSTACK_GATE_USE_PYTHON3=True - export PROJECTS="openstack/grenade $PROJECTS" - export BRANCH_OVERRIDE=default - if [ "$BRANCH_OVERRIDE" != "default" ] ; then - export OVERRIDE_ZUUL_BRANCH=$BRANCH_OVERRIDE - fi - export DEVSTACK_GATE_TOPOLOGY="multinode" - export MULTI_KEYSTONE=1 - export DEVSTACK_LOCAL_CONFIG="enable_plugin keystone https://opendev.org/openstack/keystone" - export DEVSTACK_LOCAL_CONFIG+=$'\n'"MULTI_KEYSTONE=1" - cp devstack-gate/devstack-vm-gate-wrap.sh ./safe-devstack-vm-gate-wrap.sh - ./safe-devstack-vm-gate-wrap.sh - executable: /bin/bash - chdir: '{{ ansible_user_dir }}/workspace' - environment: '{{ zuul | zuul_legacy_vars }}' diff --git a/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml new file mode 100644 index 000000000..21a53b482 --- /dev/null +++ b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml @@ -0,0 +1,16 @@ +--- +fixes: + - | + [`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_] + Previously when a user used to have system role assignment and tries to delete + the same role, the system role assignments still existed in system_assignment + table. This causes keystone to return `HTTP 404 Not Found` errors when listing + role assignments with names (e.g., `--names` or `?include_names`). + + If you are affected by this bug, you must remove stale role assignments + manually. The following is an example SQL statement you can use to fix the + issue, but you should verify it's applicability to your deployment's SQL + implementation and version. + + SQL: + - delete from system_assignment where role_id not in (select id from role); |