Ensure bootstrap handles multiple roles with the same name
The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways. Conflicts: keystone/tests/unit/test_cli.py Conflict exists because stable/stein doesn't have https://review.opendev.org/#/c/675228/ but it's unrelated to this specific bug fix. Closes-Bug: 1856881 Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d (cherry picked from commit25cf359e5f
) (cherry picked from commit51ff7be731
)
This commit is contained in:
parent
5ad8a33d5a
commit
1ba238e491
|
@ -124,6 +124,14 @@ class Bootstrapper(object):
|
|||
# name instead.
|
||||
hints = driver_hints.Hints()
|
||||
hints.add_filter('name', role_name)
|
||||
# Only return global roles, domain-specific roles can't be used in
|
||||
# system assignments and bootstrap isn't designed to work with
|
||||
# domain-specific roles.
|
||||
hints.add_filter('domain_id', None)
|
||||
|
||||
# NOTE(lbragstad): Global roles are unique based on name. At this
|
||||
# point we should be safe to return the first, and only, element in
|
||||
# the list.
|
||||
return PROVIDERS.role_api.list_roles(hints)[0]
|
||||
|
||||
def _ensure_implied_role(self, prior_role_id, implied_role_id):
|
||||
|
|
|
@ -289,6 +289,30 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||
user_id,
|
||||
self.bootstrap.password)
|
||||
|
||||
def test_bootstrap_with_ambiguous_role_names(self):
|
||||
# bootstrap system to create the default admin role
|
||||
self._do_test_bootstrap(self.bootstrap)
|
||||
|
||||
# create a domain-specific roles that share the same names as the
|
||||
# default roles created by keystone-manage bootstrap
|
||||
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
domain_roles = {}
|
||||
|
||||
for name in ['admin', 'member', 'reader']:
|
||||
domain_role = {
|
||||
'domain_id': domain['id'],
|
||||
'id': uuid.uuid4().hex,
|
||||
'name': name
|
||||
}
|
||||
domain_roles[name] = PROVIDERS.role_api.create_role(
|
||||
domain_role['id'], domain_role
|
||||
)
|
||||
|
||||
# ensure subsequent bootstrap attempts don't fail because of
|
||||
# ambiguity
|
||||
self._do_test_bootstrap(self.bootstrap)
|
||||
|
||||
|
||||
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
|
||||
``keystone-manage bootstrap`` can be run in upgrade scenarios where
|
||||
pre-existing domain-specific roles exist named ``admin``, ``member``, and
|
||||
``reader``.
|
Loading…
Reference in New Issue