Ensure bootstrap handles multiple roles with the same name
The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways. This change deviates slightly from the upstream patches in that the stable/queens test_cli.py module doesn't have a `self.bootstrap` attribute. Instead, we just test with `bootstrap` in the test itself. Otherwise, the test is functionally the same. Conflicts: keystone/cmd/bootstrap.py Bootstrap code used to live in keystone/cmd/cli.py before it was refactored into its own module, keystone/cmd/bootstrap.py. This caused a conflict during backport because the file patched in later releases didn't exist. Instead, a functionally equivalent change was proposed to keystone/cmd/cli.py. Closes-Bug: 1856881 Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
(cherry picked from commit 25cf359e5f)
(cherry picked from commit 51ff7be731)
(cherry picked from commit 1ba238e491)
(cherry picked from commit 2e4055e49b)
parent
578be15629
commit
0cbf809a11
|
@ -275,6 +275,11 @@ class BootStrap(BaseApp):
|
||||||
# name instead.
|
# name instead.
|
||||||
hints = driver_hints.Hints()
|
hints = driver_hints.Hints()
|
||||||
hints.add_filter('name', self.role_name)
|
hints.add_filter('name', self.role_name)
|
||||||
|
hints.add_filter('domain_id', None)
|
||||||
|
|
||||||
|
# NOTE(lbragstad): Global roles are unique based on name. At this
|
||||||
|
# point we should be safe to assume the first, and only, element in
|
||||||
|
# the list.
|
||||||
role = self.role_manager.list_roles(hints)
|
role = self.role_manager.list_roles(hints)
|
||||||
self.role_id = role[0]['id']
|
self.role_id = role[0]['id']
|
||||||
|
|
||||||
|
|
|
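Review bot: `self.role_id = role[0]['id']` still takes the first element of whatever `list_roles(hints)` returns, so the guarantee in the new NOTE rests entirely on the role backend honouring the `domain_id` = `None` filter, which is not visible in this hunk. If a driver ignores or mishandles that filter, bootstrap could again bind the admin assignment to an arbitrary same-named role, and an empty result surfaces as a bare IndexError. I would make the assumption explicit before indexing, for example `if len(role) != 1: raise ValueError('expected exactly one global role named %s' % self.role_name)`. The enclosing method starts and ends outside this hunk, so the surrounding exception handling could not be checked.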
@ -260,6 +260,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
||||||
user_id,
|
user_id,
|
||||||
bootstrap.password)
|
bootstrap.password)
|
||||||
|
|
||||||
|
def test_bootstrap_with_ambiguous_role_names(self):
|
||||||
|
bootstrap = cli.BootStrap()
|
||||||
|
# bootstrap system to create the default admin role
|
||||||
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
# create a domain-specific roles that share the same names as the
|
||||||
|
# default roles created by keystone-manage bootstrap
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||||
|
domain_roles = {}
|
||||||
|
|
||||||
|
for name in ['admin', 'member', 'reader']:
|
||||||
|
domain_role = {
|
||||||
|
'domain_id': domain['id'],
|
||||||
|
'id': uuid.uuid4().hex,
|
||||||
|
'name': name
|
||||||
|
}
|
||||||
|
domain_roles[name] = PROVIDERS.role_api.create_role(
|
||||||
|
domain_role['id'], domain_role
|
||||||
|
)
|
||||||
|
|
||||||
|
# ensure subsequent bootstrap attempts don't fail because of
|
||||||
|
# ambiguity
|
||||||
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
|
||||||
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
||||||
|
|
||||||
|
|
|
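Review bot: `test_bootstrap_with_ambiguous_role_names` never asserts which role bootstrap resolved: `domain_roles` is filled in the loop and then never read, so the test passes as long as the second `self._do_test_bootstrap(bootstrap)` does not raise. Whether `_do_test_bootstrap` checks the domain of the selected role is not visible here. Since `BootStrap` stores the chosen id in `role_id`, an assertion after the second run such as `self.assertNotEqual(domain_roles['admin']['id'], bootstrap.role_id)` would pin that the global role, not the domain-specific one, was picked (assuming `create_role` returns the role dict). The comment "create a domain-specific roles" should also read "create domain-specific roles".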
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
|
||||||
|
``keystone-manage bootstrap`` can be run in upgrade scenarios where
|
||||||
|
pre-existing domain-specific roles exist named ``admin``, ``member``, and
|
||||||
|
``reader``.
|