Ensure bootstrap handles multiple roles with the same name

The bootstrap logic doesn't take into consideration multiple roles
with the same name. If bootstrap is unable to determine which role to
use and accidentally uses a domain-specific role with the same name
as a default role, bootstrap will fail in unexpected ways.

This change deviates slightly from the upstream patches in that the
stable/queens test_cli.py module doesn't have a `self.bootstrap`
attribute. Instead, we just test with `bootstrap` in the test itself.
Otherwise, the test is functionally the same.

Conflicts:
      keystone/cmd/bootstrap.py

      Bootstrap code used to live in keystone/cmd/cli.py before it was
      refactored into its own module, keystone/cmd/bootstrap.py. This
      caused a conflict during backport where the file patched in later
      releases because the file didn't exist. Instead, a functionally
      equivalent change was proposed to keystone/cmd/cli.py.

Closes-Bug: 1856881
Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
(cherry picked from commit 25cf359e5fb914b855922121f20e23bd14626b8e)
(cherry picked from commit 51ff7be731450c183b3e3eb6d34493e986cc2635)
(cherry picked from commit 1ba238e49195890c0232554005d4efa670467694)
(cherry picked from commit 2e4055e49b519a146902f0cf06740ec43231929b)
changes/71/708671/2
Lance Bragstad 6 months ago
committed by Lance Bragstad
parent
commit
0cbf809a11
3 changed files with 37 additions and 0 deletions
  1. keystone/cmd/cli.py (+5, -0)
  2. keystone/tests/unit/test_cli.py (+25, -0)
  3. releasenotes/notes/bug-1856881-277103af343187f1.yaml (+7, -0)

keystone/cmd/cli.py (+5, -0)

@@ -275,6 +275,11 @@ class BootStrap(BaseApp):
# name instead.
hints = driver_hints.Hints()
hints.add_filter('name', self.role_name)
hints.add_filter('domain_id', None)

# NOTE(lbragstad): Global roles are unique based on name. At this
# point we should be safe to assume the first, and only, element in
# the list.
role = self.role_manager.list_roles(hints)
self.role_id = role[0]['id']
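
Review bot: `self.role_id = role[0]['id']` indexes the result of `list_roles(hints)` without checking that the filtered list has exactly one entry, so the assumption stated in the NOTE is never enforced. If the `name` plus `domain_id` of `None` filter ever returns nothing, bootstrap dies with a bare IndexError instead of an actionable message. Consider checking the length and raising a clear error that names `self.role_name`, and renaming the local variable from `role` to `roles`, since it holds a list.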



keystone/tests/unit/test_cli.py (+25, -0)

@@ -260,6 +260,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
user_id,
bootstrap.password)

def test_bootstrap_with_ambiguous_role_names(self):
bootstrap = cli.BootStrap()
# bootstrap system to create the default admin role
self._do_test_bootstrap(bootstrap)

# create a domain-specific roles that share the same names as the
# default roles created by keystone-manage bootstrap
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
domain_roles = {}

for name in ['admin', 'member', 'reader']:
domain_role = {
'domain_id': domain['id'],
'id': uuid.uuid4().hex,
'name': name
}
domain_roles[name] = PROVIDERS.role_api.create_role(
domain_role['id'], domain_role
)

# ensure subsequent bootstrap attempts don't fail because of
# ambiguity
self._do_test_bootstrap(bootstrap)


class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
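
Review bot: `domain_roles` is filled in the loop in `test_bootstrap_with_ambiguous_role_names` but never read afterwards, so the test only proves that the second `_do_test_bootstrap(bootstrap)` call does not raise. It would be stronger to assert that `bootstrap.role_id` is not the id of any role in `domain_roles`, which checks that the global role was selected rather than a same-named domain-specific one; otherwise drop the dict. Minor: the comment reads "a domain-specific roles", which should be "domain-specific roles".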



releasenotes/notes/bug-1856881-277103af343187f1.yaml (+7, -0)

@@ -0,0 +1,7 @@
---
fixes:
- |
[`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
``keystone-manage bootstrap`` can be run in upgrade scenarios where
pre-existing domain-specific roles exist named ``admin``, ``member``, and
``reader``.
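
Review bot: The release note says bootstrap "can be run" in these scenarios but does not tell operators what changed: that bootstrap previously could fail when a domain-specific role shared a name with a default role, and that the lookup now matches only global roles. One more sentence stating that would help someone recognise whether a past failure is covered by this fix. The list "``admin``, ``member``, and ``reader``" also reads as if all three must exist; "or" would be clearer if any one of them is enough to trigger the problem.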
