Merge "Remove member role assignment"
commit
15ec1abca3
@ -162,24 +162,6 @@ class Manager(manager.Manager):
|
|||||||
"was already created",
|
"was already created",
|
||||||
CONF.member_role_id)
|
CONF.member_role_id)
|
||||||
|
|
||||||
def add_user_to_project(self, tenant_id, user_id):
|
|
||||||
"""Add user to a tenant by creating a default role relationship.
|
|
||||||
|
|
||||||
:raises keystone.exception.ProjectNotFound: If the project doesn't
|
|
||||||
exist.
|
|
||||||
:raises keystone.exception.UserNotFound: If the user doesn't exist.
|
|
||||||
|
|
||||||
"""
|
|
||||||
self.resource_api.get_project(tenant_id)
|
|
||||||
self.ensure_default_role()
|
|
||||||
|
|
||||||
# now that default role exists, the add should succeed
|
|
||||||
self.driver.add_role_to_user_and_project(
|
|
||||||
user_id,
|
|
||||||
tenant_id,
|
|
||||||
CONF.member_role_id)
|
|
||||||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
|
||||||
|
|
||||||
@notifications.role_assignment('created')
|
@notifications.role_assignment('created')
|
||||||
def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
|
def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
|
||||||
group_id=None, domain_id=None,
|
group_id=None, domain_id=None,
|
||||||
@ -200,27 +182,6 @@ class Manager(manager.Manager):
|
|||||||
role_id, user_id=user_id, project_id=tenant_id)
|
role_id, user_id=user_id, project_id=tenant_id)
|
||||||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
||||||
|
|
||||||
def remove_user_from_project(self, tenant_id, user_id):
|
|
||||||
"""Remove user from a tenant.
|
|
||||||
|
|
||||||
:raises keystone.exception.ProjectNotFound: If the project doesn't
|
|
||||||
exist.
|
|
||||||
:raises keystone.exception.UserNotFound: If the user doesn't exist.
|
|
||||||
|
|
||||||
"""
|
|
||||||
roles = self.get_roles_for_user_and_project(user_id, tenant_id)
|
|
||||||
if not roles:
|
|
||||||
raise exception.NotFound(tenant_id)
|
|
||||||
for role_id in roles:
|
|
||||||
try:
|
|
||||||
self.driver.remove_role_from_user_and_project(user_id,
|
|
||||||
tenant_id,
|
|
||||||
role_id)
|
|
||||||
except exception.RoleNotFound:
|
|
||||||
LOG.debug("Removing role %s failed because it does not exist.",
|
|
||||||
role_id)
|
|
||||||
COMPUTED_ASSIGNMENTS_REGION.invalidate()
|
|
||||||
|
|
||||||
# TODO(henry-nash): We might want to consider list limiting this at some
|
# TODO(henry-nash): We might want to consider list limiting this at some
|
||||||
# point in the future.
|
# point in the future.
|
||||||
@MEMOIZE_COMPUTED_ASSIGNMENTS
|
@MEMOIZE_COMPUTED_ASSIGNMENTS
|
||||||
|
@ -1779,86 +1779,6 @@ class AssignmentTests(AssignmentTestHelperMixin):
|
|||||||
user_id=self.user_foo['id'],
|
user_id=self.user_foo['id'],
|
||||||
source_from_group_ids=[group['id']])
|
source_from_group_ids=[group['id']])
|
||||||
|
|
||||||
def test_add_user_to_project(self):
|
|
||||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
tenants = self.assignment_api.list_projects_for_user(
|
|
||||||
self.user_foo['id'])
|
|
||||||
self.assertIn(self.tenant_baz, tenants)
|
|
||||||
|
|
||||||
def test_add_user_to_project_missing_default_role(self):
|
|
||||||
self.role_api.delete_role(CONF.member_role_id)
|
|
||||||
self.assertRaises(exception.RoleNotFound,
|
|
||||||
self.role_api.get_role,
|
|
||||||
CONF.member_role_id)
|
|
||||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
tenants = (
|
|
||||||
self.assignment_api.list_projects_for_user(self.user_foo['id']))
|
|
||||||
self.assertIn(self.tenant_baz, tenants)
|
|
||||||
default_role = self.role_api.get_role(CONF.member_role_id)
|
|
||||||
self.assertIsNotNone(default_role)
|
|
||||||
|
|
||||||
def test_add_user_to_project_returns_not_found(self):
|
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
|
||||||
self.assignment_api.add_user_to_project,
|
|
||||||
uuid.uuid4().hex,
|
|
||||||
self.user_foo['id'])
|
|
||||||
|
|
||||||
def test_add_user_to_project_no_user(self):
|
|
||||||
# If add_user_to_project and the user doesn't exist, then
|
|
||||||
# no error.
|
|
||||||
user_id_not_exist = uuid.uuid4().hex
|
|
||||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
|
||||||
user_id_not_exist)
|
|
||||||
|
|
||||||
def test_remove_user_from_project(self):
|
|
||||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
tenants = self.assignment_api.list_projects_for_user(
|
|
||||||
self.user_foo['id'])
|
|
||||||
self.assertNotIn(self.tenant_baz, tenants)
|
|
||||||
|
|
||||||
def test_remove_user_from_project_race_delete_role(self):
|
|
||||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
self.assignment_api.add_role_to_user_and_project(
|
|
||||||
tenant_id=self.tenant_baz['id'],
|
|
||||||
user_id=self.user_foo['id'],
|
|
||||||
role_id=self.role_other['id'])
|
|
||||||
|
|
||||||
# Mock a race condition, delete a role after
|
|
||||||
# get_roles_for_user_and_project() is called in
|
|
||||||
# remove_user_from_project().
|
|
||||||
roles = self.assignment_api.get_roles_for_user_and_project(
|
|
||||||
self.user_foo['id'], self.tenant_baz['id'])
|
|
||||||
self.role_api.delete_role(self.role_other['id'])
|
|
||||||
self.assignment_api.get_roles_for_user_and_project = mock.Mock(
|
|
||||||
return_value=roles)
|
|
||||||
self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
tenants = self.assignment_api.list_projects_for_user(
|
|
||||||
self.user_foo['id'])
|
|
||||||
self.assertNotIn(self.tenant_baz, tenants)
|
|
||||||
|
|
||||||
def test_remove_user_from_project_returns_not_found(self):
|
|
||||||
self.assertRaises(exception.ProjectNotFound,
|
|
||||||
self.assignment_api.remove_user_from_project,
|
|
||||||
uuid.uuid4().hex,
|
|
||||||
self.user_foo['id'])
|
|
||||||
|
|
||||||
self.assertRaises(exception.UserNotFound,
|
|
||||||
self.assignment_api.remove_user_from_project,
|
|
||||||
self.tenant_bar['id'],
|
|
||||||
uuid.uuid4().hex)
|
|
||||||
|
|
||||||
self.assertRaises(exception.NotFound,
|
|
||||||
self.assignment_api.remove_user_from_project,
|
|
||||||
self.tenant_baz['id'],
|
|
||||||
self.user_foo['id'])
|
|
||||||
|
|
||||||
def test_list_user_project_ids_returns_not_found(self):
|
def test_list_user_project_ids_returns_not_found(self):
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.assignment_api.list_projects_for_user,
|
self.assignment_api.list_projects_for_user,
|
||||||
@ -1867,8 +1787,11 @@ class AssignmentTests(AssignmentTestHelperMixin):
|
|||||||
def test_delete_user_with_project_association(self):
|
def test_delete_user_with_project_association(self):
|
||||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
user = self.identity_api.create_user(user)
|
user = self.identity_api.create_user(user)
|
||||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
role_member = unit.new_role_ref()
|
||||||
user['id'])
|
self.role_api.create_role(role_member['id'], role_member)
|
||||||
|
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||||
|
self.tenant_bar['id'],
|
||||||
|
role_member['id'])
|
||||||
self.identity_api.delete_user(user['id'])
|
self.identity_api.delete_user(user['id'])
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.assignment_api.list_projects_for_user,
|
self.assignment_api.list_projects_for_user,
|
||||||
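Review bot: In test_delete_user_with_project_association the new call `self.assignment_api.add_role_to_user_and_project(user['id'], self.tenant_bar['id'], role_member['id'])` passes three ID strings positionally, and the user/project order is the reverse of the removed `add_user_to_project(tenant_id, user_id)`. A swapped pair would not raise a type error, so the test could set up an assignment other than the one it means to exercise. Passing them by keyword, as the deleted test_remove_user_from_project_race_delete_role did, makes the intent checkable: `add_role_to_user_and_project(user_id=user['id'], tenant_id=self.tenant_bar['id'], role_id=role_member['id'])`. The same positional pattern appears in the TestCase fixture-loading hunk and in the IdentityTests, BaseLDAPIdentity, SqlIdentity and ResourceTestCase hunks.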
|
@ -739,9 +739,11 @@ class TestCase(BaseTestCase):
|
|||||||
# the dict returned.
|
# the dict returned.
|
||||||
user_copy['password'] = user['password']
|
user_copy['password'] = user['password']
|
||||||
|
|
||||||
|
# fixtures.ROLES[2] is the _member_ role.
|
||||||
for tenant_id in tenants:
|
for tenant_id in tenants:
|
||||||
self.assignment_api.add_user_to_project(
|
self.assignment_api.add_role_to_user_and_project(
|
||||||
tenant_id, user_copy['id'])
|
user_copy['id'], tenant_id, fixtures.ROLES[2]['id'])
|
||||||
|
|
||||||
# Use the ID from the fixture as the attribute name, so
|
# Use the ID from the fixture as the attribute name, so
|
||||||
# that our tests can easily reference each user dict, while
|
# that our tests can easily reference each user dict, while
|
||||||
# the ID in the dict will be the real public ID.
|
# the ID in the dict will be the real public ID.
|
||||||
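Review bot: `fixtures.ROLES[2]['id']` selects the role by list position, and only the added comment ties that index to the `_member_` role. If the fixture list is ever reordered or extended at the front, every fixture user would silently be granted a different role, possibly a more privileged one, and authorization tests built on these users would pass or fail for the wrong reason. Resolving the role once before the loop by a stable attribute would remove the dependency on ordering, for example `member_role = next(r for r in fixtures.ROLES if r['name'] == '_member_')` (assuming the fixture entries carry a `name` field; the fixture file is not visible here). The enclosing method starts and ends outside the hunk.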
|
@ -74,8 +74,13 @@ class IdentityTests(object):
|
|||||||
del user['id']
|
del user['id']
|
||||||
|
|
||||||
new_user = self.identity_api.create_user(user)
|
new_user = self.identity_api.create_user(user)
|
||||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
|
||||||
new_user['id'])
|
role_member = unit.new_role_ref()
|
||||||
|
self.role_api.create_role(role_member['id'], role_member)
|
||||||
|
|
||||||
|
self.assignment_api.add_role_to_user_and_project(new_user['id'],
|
||||||
|
self.tenant_baz['id'],
|
||||||
|
role_member['id'])
|
||||||
user_ref = self.identity_api.authenticate(
|
user_ref = self.identity_api.authenticate(
|
||||||
self.make_request(),
|
self.make_request(),
|
||||||
user_id=new_user['id'],
|
user_id=new_user['id'],
|
||||||
@ -89,7 +94,7 @@ class IdentityTests(object):
|
|||||||
role_list = self.assignment_api.get_roles_for_user_and_project(
|
role_list = self.assignment_api.get_roles_for_user_and_project(
|
||||||
new_user['id'], self.tenant_baz['id'])
|
new_user['id'], self.tenant_baz['id'])
|
||||||
self.assertEqual(1, len(role_list))
|
self.assertEqual(1, len(role_list))
|
||||||
self.assertIn(CONF.member_role_id, role_list)
|
self.assertIn(role_member['id'], role_list)
|
||||||
|
|
||||||
def test_authenticate_if_no_password_set(self):
|
def test_authenticate_if_no_password_set(self):
|
||||||
id_ = uuid.uuid4().hex
|
id_ = uuid.uuid4().hex
|
||||||
|
@ -716,8 +716,11 @@ class BaseLDAPIdentity(LDAPTestSetup, IdentityTests, AssignmentTests,
|
|||||||
def test_authenticate_requires_simple_bind(self):
|
def test_authenticate_requires_simple_bind(self):
|
||||||
user = self.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
user = self.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
user = self.identity_api.create_user(user)
|
user = self.identity_api.create_user(user)
|
||||||
self.assignment_api.add_user_to_project(self.tenant_baz['id'],
|
role_member = unit.new_role_ref()
|
||||||
user['id'])
|
self.role_api.create_role(role_member['id'], role_member)
|
||||||
|
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||||
|
self.tenant_baz['id'],
|
||||||
|
role_member['id'])
|
||||||
driver = self.identity_api._select_identity_driver(
|
driver = self.identity_api._select_identity_driver(
|
||||||
user['domain_id'])
|
user['domain_id'])
|
||||||
driver.user.LDAP_USER = None
|
driver.user.LDAP_USER = None
|
||||||
|
@ -268,8 +268,11 @@ class SqlIdentity(SqlTests,
|
|||||||
def test_delete_user_with_project_association(self):
|
def test_delete_user_with_project_association(self):
|
||||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
user = self.identity_api.create_user(user)
|
user = self.identity_api.create_user(user)
|
||||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
role_member = unit.new_role_ref()
|
||||||
user['id'])
|
self.role_api.create_role(role_member['id'], role_member)
|
||||||
|
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||||
|
self.tenant_bar['id'],
|
||||||
|
role_member['id'])
|
||||||
self.identity_api.delete_user(user['id'])
|
self.identity_api.delete_user(user['id'])
|
||||||
self.assertRaises(exception.UserNotFound,
|
self.assertRaises(exception.UserNotFound,
|
||||||
self.assignment_api.list_projects_for_user,
|
self.assignment_api.list_projects_for_user,
|
||||||
@ -317,8 +320,11 @@ class SqlIdentity(SqlTests,
|
|||||||
def test_delete_project_with_user_association(self):
|
def test_delete_project_with_user_association(self):
|
||||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
user = self.identity_api.create_user(user)
|
user = self.identity_api.create_user(user)
|
||||||
self.assignment_api.add_user_to_project(self.tenant_bar['id'],
|
role_member = unit.new_role_ref()
|
||||||
user['id'])
|
self.role_api.create_role(role_member['id'], role_member)
|
||||||
|
self.assignment_api.add_role_to_user_and_project(user['id'],
|
||||||
|
self.tenant_bar['id'],
|
||||||
|
role_member['id'])
|
||||||
self.resource_api.delete_project(self.tenant_bar['id'])
|
self.resource_api.delete_project(self.tenant_bar['id'])
|
||||||
tenants = self.assignment_api.list_projects_for_user(user['id'])
|
tenants = self.assignment_api.list_projects_for_user(user['id'])
|
||||||
self.assertEqual([], tenants)
|
self.assertEqual([], tenants)
|
||||||
|
@ -1962,8 +1962,6 @@ class TokenAPITests(object):
|
|||||||
self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1)
|
self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1)
|
||||||
role_group_domain1 = unit.new_role_ref()
|
role_group_domain1 = unit.new_role_ref()
|
||||||
self.role_api.create_role(role_group_domain1['id'], role_group_domain1)
|
self.role_api.create_role(role_group_domain1['id'], role_group_domain1)
|
||||||
self.assignment_api.add_user_to_project(project1['id'],
|
|
||||||
user_foo['id'])
|
|
||||||
new_group = unit.new_group_ref(domain_id=domain1['id'])
|
new_group = unit.new_group_ref(domain_id=domain1['id'])
|
||||||
new_group = self.identity_api.create_group(new_group)
|
new_group = self.identity_api.create_group(new_group)
|
||||||
self.identity_api.add_user_to_group(user_foo['id'],
|
self.identity_api.add_user_to_group(user_foo['id'],
|
||||||
|
@ -234,8 +234,12 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||||||
domain_id=domain2['id'],
|
domain_id=domain2['id'],
|
||||||
project_id=project2['id'])
|
project_id=project2['id'])
|
||||||
|
|
||||||
self.assignment_api.add_user_to_project(project2['id'],
|
role_member = unit.new_role_ref()
|
||||||
user2['id'])
|
self.role_api.create_role(role_member['id'], role_member)
|
||||||
|
|
||||||
|
self.assignment_api.add_role_to_user_and_project(user2['id'],
|
||||||
|
project2['id'],
|
||||||
|
role_member['id'])
|
||||||
|
|
||||||
# First check a user in that domain can authenticate..
|
# First check a user in that domain can authenticate..
|
||||||
auth_data = self.build_authentication_request(
|
auth_data = self.build_authentication_request(
|
||||||
|