Ensure bootstrap handles multiple roles with the same name

The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways. Conflicts: keystone/tests/unit/test_cli.py Conflict exists because stable/stein doesn't have https://review.opendev.org/#/c/675228/ but it's unrelated to this specific bug fix. Closes-Bug: 1856881 Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d (cherry picked from commit 25cf359e5f) (cherry picked from commit 51ff7be731)
2019-12-18 11:59:53 -06:00 · 2019-12-18 11:59:53 -06:00 · 1ba238e491
parent 5ad8a33d5a
commit 1ba238e491
3 changed files with 39 additions and 0 deletions
--- a/keystone/cmd/bootstrap.py
+++ b/keystone/cmd/bootstrap.py
@ -124,6 +124,14 @@ class Bootstrapper(object):
            # name instead.
            hints = driver_hints.Hints()
            hints.add_filter('name', role_name)
+            # Only return global roles, domain-specific roles can't be used in
+            # system assignments and bootstrap isn't designed to work with
+            # domain-specific roles.
+            hints.add_filter('domain_id', None)
+
+            # NOTE(lbragstad): Global roles are unique based on name. At this
+            # point we should be safe to return the first, and only, element in
+            # the list.
            return PROVIDERS.role_api.list_roles(hints)[0]

    def _ensure_implied_role(self, prior_role_id, implied_role_id):
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -289,6 +289,30 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
                user_id,
                self.bootstrap.password)

+    def test_bootstrap_with_ambiguous_role_names(self):
+        # bootstrap system to create the default admin role
+        self._do_test_bootstrap(self.bootstrap)
+
+        # create a domain-specific roles that share the same names as the
+        # default roles created by keystone-manage bootstrap
+        domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+        domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
+        domain_roles = {}
+
+        for name in ['admin', 'member', 'reader']:
+            domain_role = {
+                'domain_id': domain['id'],
+                'id': uuid.uuid4().hex,
+                'name': name
+            }
+            domain_roles[name] = PROVIDERS.role_api.create_role(
+                domain_role['id'], domain_role
+            )
+
+            # ensure subsequent bootstrap attempts don't fail because of
+            # ambiguity
+            self._do_test_bootstrap(self.bootstrap)
+

 class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):

--- a/releasenotes/notes/bug-1856881-277103af343187f1.yaml
+++ b/releasenotes/notes/bug-1856881-277103af343187f1.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    [`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
+    ``keystone-manage bootstrap`` can be run in upgrade scenarios where
+    pre-existing domain-specific roles exist named ``admin``, ``member``, and
+    ``reader``.