Ensure bootstrap handles multiple roles with the same name

The bootstrap logic doesn't take into consideration multiple roles
with the same name. If bootstrap is unable to determine which role to
use and accidentally uses a domain-specific role with the same name
as a default role, bootstrap will fail in unexpected ways.

This change deviates slightly from the upstream patches in that the
stable/queens test_cli.py module doesn't have a `self.bootstrap`
attribute. Instead, we just test with `bootstrap` in the test itself.
Otherwise, the test is functionally the same.

Conflicts:
      keystone/cmd/bootstrap.py

      Bootstrap code used to live in keystone/cmd/cli.py before it was
      refactored into its own module, keystone/cmd/bootstrap.py. This
      caused a conflict during backport where the file patched in later
      releases because the file didn't exist. Instead, a functionally
      equivalent change was proposed to keystone/cmd/cli.py.

Closes-Bug: 1856881
Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d
(cherry picked from commit 25cf359e5f)
(cherry picked from commit 51ff7be731)
(cherry picked from commit 1ba238e491)
(cherry picked from commit 2e4055e49b)
This commit is contained in:
Lance Bragstad 2019-12-18 11:59:53 -06:00 committed by Lance Bragstad
parent 578be15629
commit 0cbf809a11
3 changed files with 37 additions and 0 deletions

View File

@ -275,6 +275,11 @@ class BootStrap(BaseApp):
# name instead. # name instead.
hints = driver_hints.Hints() hints = driver_hints.Hints()
hints.add_filter('name', self.role_name) hints.add_filter('name', self.role_name)
hints.add_filter('domain_id', None)
# NOTE(lbragstad): Global roles are unique based on name. At this
# point we should be safe to assume the first, and only, element in
# the list.
role = self.role_manager.list_roles(hints) role = self.role_manager.list_roles(hints)
self.role_id = role[0]['id'] self.role_id = role[0]['id']

View File

@ -260,6 +260,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
user_id, user_id,
bootstrap.password) bootstrap.password)
def test_bootstrap_with_ambiguous_role_names(self):
bootstrap = cli.BootStrap()
# bootstrap system to create the default admin role
self._do_test_bootstrap(bootstrap)
# create a domain-specific roles that share the same names as the
# default roles created by keystone-manage bootstrap
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
domain_roles = {}
for name in ['admin', 'member', 'reader']:
domain_role = {
'domain_id': domain['id'],
'id': uuid.uuid4().hex,
'name': name
}
domain_roles[name] = PROVIDERS.role_api.create_role(
domain_role['id'], domain_role
)
# ensure subsequent bootstrap attempts don't fail because of
# ambiguity
self._do_test_bootstrap(bootstrap)
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase): class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):

View File

@ -0,0 +1,7 @@
---
fixes:
- |
[`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
``keystone-manage bootstrap`` can be run in upgrade scenarios where
pre-existing domain-specific roles exist named ``admin``, ``member``, and
``reader``.