Merge "Remove member role assignment"

Zuul 2017-12-07 01:32:13 +00:00 committed by Gerrit Code Review
commit 15ec1abca3
8 changed files with 38 additions and 136 deletions


@ -162,24 +162,6 @@ class Manager(manager.Manager):
"was already created", "was already created",
CONF.member_role_id) CONF.member_role_id)
def add_user_to_project(self, tenant_id, user_id):
"""Add user to a tenant by creating a default role relationship.
:raises keystone.exception.ProjectNotFound: If the project doesn't
exist.
:raises keystone.exception.UserNotFound: If the user doesn't exist.
"""
self.resource_api.get_project(tenant_id)
self.ensure_default_role()
# now that default role exists, the add should succeed
self.driver.add_role_to_user_and_project(
user_id,
tenant_id,
CONF.member_role_id)
COMPUTED_ASSIGNMENTS_REGION.invalidate()
@notifications.role_assignment('created') @notifications.role_assignment('created')
def _add_role_to_user_and_project_adapter(self, role_id, user_id=None, def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
group_id=None, domain_id=None, group_id=None, domain_id=None,
@ -200,27 +182,6 @@ class Manager(manager.Manager):
role_id, user_id=user_id, project_id=tenant_id) role_id, user_id=user_id, project_id=tenant_id)
COMPUTED_ASSIGNMENTS_REGION.invalidate() COMPUTED_ASSIGNMENTS_REGION.invalidate()
def remove_user_from_project(self, tenant_id, user_id):
"""Remove user from a tenant.
:raises keystone.exception.ProjectNotFound: If the project doesn't
exist.
:raises keystone.exception.UserNotFound: If the user doesn't exist.
"""
roles = self.get_roles_for_user_and_project(user_id, tenant_id)
if not roles:
raise exception.NotFound(tenant_id)
for role_id in roles:
try:
self.driver.remove_role_from_user_and_project(user_id,
tenant_id,
role_id)
except exception.RoleNotFound:
LOG.debug("Removing role %s failed because it does not exist.",
role_id)
COMPUTED_ASSIGNMENTS_REGION.invalidate()
# TODO(henry-nash): We might want to consider list limiting this at some # TODO(henry-nash): We might want to consider list limiting this at some
# point in the future. # point in the future.
@MEMOIZE_COMPUTED_ASSIGNMENTS @MEMOIZE_COMPUTED_ASSIGNMENTS


@ -1779,86 +1779,6 @@ class AssignmentTests(AssignmentTestHelperMixin):
user_id=self.user_foo['id'], user_id=self.user_foo['id'],
source_from_group_ids=[group['id']]) source_from_group_ids=[group['id']])
def test_add_user_to_project(self):
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
self.user_foo['id'])
tenants = self.assignment_api.list_projects_for_user(
self.user_foo['id'])
self.assertIn(self.tenant_baz, tenants)
def test_add_user_to_project_missing_default_role(self):
self.role_api.delete_role(CONF.member_role_id)
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
CONF.member_role_id)
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
self.user_foo['id'])
tenants = (
self.assignment_api.list_projects_for_user(self.user_foo['id']))
self.assertIn(self.tenant_baz, tenants)
default_role = self.role_api.get_role(CONF.member_role_id)
self.assertIsNotNone(default_role)
def test_add_user_to_project_returns_not_found(self):
self.assertRaises(exception.ProjectNotFound,
self.assignment_api.add_user_to_project,
uuid.uuid4().hex,
self.user_foo['id'])
def test_add_user_to_project_no_user(self):
# If add_user_to_project and the user doesn't exist, then
# no error.
user_id_not_exist = uuid.uuid4().hex
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
user_id_not_exist)
def test_remove_user_from_project(self):
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
self.user_foo['id'])
self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
self.user_foo['id'])
tenants = self.assignment_api.list_projects_for_user(
self.user_foo['id'])
self.assertNotIn(self.tenant_baz, tenants)
def test_remove_user_from_project_race_delete_role(self):
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
self.user_foo['id'])
self.assignment_api.add_role_to_user_and_project(
tenant_id=self.tenant_baz['id'],
user_id=self.user_foo['id'],
role_id=self.role_other['id'])
# Mock a race condition, delete a role after
# get_roles_for_user_and_project() is called in
# remove_user_from_project().
roles = self.assignment_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_baz['id'])
self.role_api.delete_role(self.role_other['id'])
self.assignment_api.get_roles_for_user_and_project = mock.Mock(
return_value=roles)
self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
self.user_foo['id'])
tenants = self.assignment_api.list_projects_for_user(
self.user_foo['id'])
self.assertNotIn(self.tenant_baz, tenants)
def test_remove_user_from_project_returns_not_found(self):
self.assertRaises(exception.ProjectNotFound,
self.assignment_api.remove_user_from_project,
uuid.uuid4().hex,
self.user_foo['id'])
self.assertRaises(exception.UserNotFound,
self.assignment_api.remove_user_from_project,
self.tenant_bar['id'],
uuid.uuid4().hex)
self.assertRaises(exception.NotFound,
self.assignment_api.remove_user_from_project,
self.tenant_baz['id'],
self.user_foo['id'])
def test_list_user_project_ids_returns_not_found(self): def test_list_user_project_ids_returns_not_found(self):
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.assignment_api.list_projects_for_user, self.assignment_api.list_projects_for_user,
@ -1867,8 +1787,11 @@ class AssignmentTests(AssignmentTestHelperMixin):
def test_delete_user_with_project_association(self): def test_delete_user_with_project_association(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = self.identity_api.create_user(user)
self.assignment_api.add_user_to_project(self.tenant_bar['id'], role_member = unit.new_role_ref()
user['id']) self.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user['id'],
self.tenant_bar['id'],
role_member['id'])
self.identity_api.delete_user(user['id']) self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.assignment_api.list_projects_for_user, self.assignment_api.list_projects_for_user,
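Review bot: The grant added in test_delete_user_with_project_association passes its ids positionally as user, project, role, the reverse of the removed `add_user_to_project(tenant_id, user_id)`, so a swapped pair of ids is easy to introduce and may not be caught by the assertions that follow. Keyword arguments make the call self-checking: `self.assignment_api.add_role_to_user_and_project(user_id=user['id'], tenant_id=self.tenant_bar['id'], role_id=role_member['id'])`. The same three-line setup (new role ref, create_role, grant) is repeated in the IdentityTests, BaseLDAPIdentity, SqlIdentity and ResourceTestCase sections of this commit, so a small shared test helper that creates a role and grants it would keep the argument order in one place. The test body continues past the end of the hunk.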


@ -739,9 +739,11 @@ class TestCase(BaseTestCase):
# the dict returned. # the dict returned.
user_copy['password'] = user['password'] user_copy['password'] = user['password']
# fixtures.ROLES[2] is the _member_ role.
for tenant_id in tenants: for tenant_id in tenants:
self.assignment_api.add_user_to_project( self.assignment_api.add_role_to_user_and_project(
tenant_id, user_copy['id']) user_copy['id'], tenant_id, fixtures.ROLES[2]['id'])
# Use the ID from the fixture as the attribute name, so # Use the ID from the fixture as the attribute name, so
# that our tests can easily reference each user dict, while # that our tests can easily reference each user dict, while
# the ID in the dict will be the real public ID. # the ID in the dict will be the real public ID.
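Review bot: `fixtures.ROLES[2]['id']` selects the member role by list position, so inserting or reordering a fixture role would silently give every fixture user a different role on their projects; the added comment records the assumption but nothing enforces it. Resolving the id by name once, before the loop, makes the dependency explicit and fails loudly if the role is missing, e.g. `member_role_id = next(r['id'] for r in fixtures.ROLES if r['name'] == '_member_')` (assuming the fixture entries carry a `name` key). The loop sits inside a method that starts and ends outside the hunk.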


@ -74,8 +74,13 @@ class IdentityTests(object):
del user['id'] del user['id']
new_user = self.identity_api.create_user(user) new_user = self.identity_api.create_user(user)
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
new_user['id']) role_member = unit.new_role_ref()
self.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(new_user['id'],
self.tenant_baz['id'],
role_member['id'])
user_ref = self.identity_api.authenticate( user_ref = self.identity_api.authenticate(
self.make_request(), self.make_request(),
user_id=new_user['id'], user_id=new_user['id'],
@ -89,7 +94,7 @@ class IdentityTests(object):
role_list = self.assignment_api.get_roles_for_user_and_project( role_list = self.assignment_api.get_roles_for_user_and_project(
new_user['id'], self.tenant_baz['id']) new_user['id'], self.tenant_baz['id'])
self.assertEqual(1, len(role_list)) self.assertEqual(1, len(role_list))
self.assertIn(CONF.member_role_id, role_list) self.assertIn(role_member['id'], role_list)
def test_authenticate_if_no_password_set(self): def test_authenticate_if_no_password_set(self):
id_ = uuid.uuid4().hex id_ = uuid.uuid4().hex
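Review bot: The two assertions in the second hunk can be stated as one, `self.assertEqual([role_member['id']], role_list)`, assuming role_list is a plain list of role ids. That form says directly that the explicitly granted role is the only role the user holds on the project. A comment such as `# no default member role is added implicitly; only the explicit grant is expected` would record why the count must be exactly one, which is the behaviour this commit establishes. The test method starts above the first hunk.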


@ -716,8 +716,11 @@ class BaseLDAPIdentity(LDAPTestSetup, IdentityTests, AssignmentTests,
def test_authenticate_requires_simple_bind(self): def test_authenticate_requires_simple_bind(self):
user = self.new_user_ref(domain_id=CONF.identity.default_domain_id) user = self.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = self.identity_api.create_user(user)
self.assignment_api.add_user_to_project(self.tenant_baz['id'], role_member = unit.new_role_ref()
user['id']) self.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user['id'],
self.tenant_baz['id'],
role_member['id'])
driver = self.identity_api._select_identity_driver( driver = self.identity_api._select_identity_driver(
user['domain_id']) user['domain_id'])
driver.user.LDAP_USER = None driver.user.LDAP_USER = None


@ -268,8 +268,11 @@ class SqlIdentity(SqlTests,
def test_delete_user_with_project_association(self): def test_delete_user_with_project_association(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = self.identity_api.create_user(user)
self.assignment_api.add_user_to_project(self.tenant_bar['id'], role_member = unit.new_role_ref()
user['id']) self.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user['id'],
self.tenant_bar['id'],
role_member['id'])
self.identity_api.delete_user(user['id']) self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.assignment_api.list_projects_for_user, self.assignment_api.list_projects_for_user,
@ -317,8 +320,11 @@ class SqlIdentity(SqlTests,
def test_delete_project_with_user_association(self): def test_delete_project_with_user_association(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = self.identity_api.create_user(user)
self.assignment_api.add_user_to_project(self.tenant_bar['id'], role_member = unit.new_role_ref()
user['id']) self.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user['id'],
self.tenant_bar['id'],
role_member['id'])
self.resource_api.delete_project(self.tenant_bar['id']) self.resource_api.delete_project(self.tenant_bar['id'])
tenants = self.assignment_api.list_projects_for_user(user['id']) tenants = self.assignment_api.list_projects_for_user(user['id'])
self.assertEqual([], tenants) self.assertEqual([], tenants)


@ -1962,8 +1962,6 @@ class TokenAPITests(object):
self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1) self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1)
role_group_domain1 = unit.new_role_ref() role_group_domain1 = unit.new_role_ref()
self.role_api.create_role(role_group_domain1['id'], role_group_domain1) self.role_api.create_role(role_group_domain1['id'], role_group_domain1)
self.assignment_api.add_user_to_project(project1['id'],
user_foo['id'])
new_group = unit.new_group_ref(domain_id=domain1['id']) new_group = unit.new_group_ref(domain_id=domain1['id'])
new_group = self.identity_api.create_group(new_group) new_group = self.identity_api.create_group(new_group)
self.identity_api.add_user_to_group(user_foo['id'], self.identity_api.add_user_to_group(user_foo['id'],


@ -234,8 +234,12 @@ class ResourceTestCase(test_v3.RestfulTestCase,
domain_id=domain2['id'], domain_id=domain2['id'],
project_id=project2['id']) project_id=project2['id'])
self.assignment_api.add_user_to_project(project2['id'], role_member = unit.new_role_ref()
user2['id']) self.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user2['id'],
project2['id'],
role_member['id'])
# First check a user in that domain can authenticate.. # First check a user in that domain can authenticate..
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(