Fix defect in list_user_ids that only lists direct user assignments
The assignment manager method list_user_ids_for_project fails to honor either group or inherited assignments. Since this is used to generate token invalidations, we could be leaving tokens out there which should be killed. Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com> Change-Id: I0ad41a635ea060be351a3cb37fb42e5ab46a40df Closes-Bug: #1513893
This commit is contained in:
parent
57999b564d
commit
1c40fe4c04
|
@ -80,12 +80,6 @@ class Assignment(assignment.AssignmentDriverV9):
|
|||
def list_domain_ids_for_groups(self, group_ids, inherited=False):
|
||||
raise exception.NotImplemented()
|
||||
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
tenant_dn = self.project._id_to_dn(tenant_id)
|
||||
rolegrants = self.role.get_role_assignments(tenant_dn)
|
||||
return [self.user._dn_to_id(user_dn) for user_dn in
|
||||
self.project.get_user_dns(tenant_id, rolegrants)]
|
||||
|
||||
def _subrole_id_to_dn(self, role_id, tenant_id):
|
||||
if tenant_id is None:
|
||||
return self.role._id_to_dn(role_id)
|
||||
|
|
|
@ -57,15 +57,6 @@ class Assignment(keystone_assignment.AssignmentDriverV9):
|
|||
def default_resource_driver(self):
|
||||
return 'sql'
|
||||
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
with sql.transaction() as session:
|
||||
query = session.query(RoleAssignment.actor_id)
|
||||
query = query.filter_by(type=AssignmentType.USER_PROJECT)
|
||||
query = query.filter_by(target_id=tenant_id)
|
||||
query = query.distinct('actor_id')
|
||||
assignments = query.all()
|
||||
return [assignment.actor_id for assignment in assignments]
|
||||
|
||||
def create_grant(self, role_id, user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
inherited_to_projects=False):
|
||||
|
|
|
@ -82,7 +82,10 @@ class Manager(manager.Manager):
|
|||
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
self.resource_api.get_project(tenant_id)
|
||||
return self.driver.list_user_ids_for_project(tenant_id)
|
||||
assignment_list = self.list_role_assignments(
|
||||
project_id=tenant_id, effective=True)
|
||||
# Use set() to process the list to remove any duplicates
|
||||
return list(set([x['user_id'] for x in assignment_list]))
|
||||
|
||||
def _list_parent_ids_of_project(self, project_id):
|
||||
if CONF.os_inherit.enabled:
|
||||
|
@ -893,15 +896,6 @@ class AssignmentDriverBase(object):
|
|||
def _get_list_limit(self):
|
||||
return CONF.assignment.list_limit or CONF.list_limit
|
||||
|
||||
@abc.abstractmethod
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
"""Lists all user IDs with a role assignment in the specified project.
|
||||
|
||||
:returns: a list of user_ids or an empty set.
|
||||
|
||||
"""
|
||||
raise exception.NotImplemented() # pragma: no cover
|
||||
|
||||
@abc.abstractmethod
|
||||
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
|
||||
"""Add a role to a user within given tenant.
|
||||
|
@ -1090,6 +1084,15 @@ class AssignmentDriverV8(AssignmentDriverBase):
|
|||
|
||||
"""
|
||||
|
||||
@abc.abstractmethod
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
"""Lists all user IDs with a role assignment in the specified project.
|
||||
|
||||
:returns: a list of user_ids or an empty set.
|
||||
|
||||
"""
|
||||
raise exception.NotImplemented() # pragma: no cover
|
||||
|
||||
@abc.abstractmethod
|
||||
def list_project_ids_for_user(self, user_id, group_ids, hints,
|
||||
inherited=False):
|
||||
|
@ -1180,9 +1183,6 @@ class V9AssignmentWrapperForV8Driver(AssignmentDriverV9):
|
|||
def default_resource_driver(self):
|
||||
return self.driver.default_resource_driver()
|
||||
|
||||
def list_user_ids_for_project(self, tenant_id):
|
||||
return self.driver.list_user_ids_for_project(tenant_id)
|
||||
|
||||
def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
|
||||
self.driver.add_role_to_user_and_project(user_id, tenant_id, role_id)
|
||||
|
||||
|
|
|
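Review bot: The rewritten `list_user_ids_for_project` in the Manager hunk records nothing about why `effective=True` is passed, although the commit message makes this the whole fix: the result feeds token invalidation, so group-derived and inherited role holders must be included. I would replace the `# Use set() to process the list to remove any duplicates` comment with `# effective=True expands group membership and inherited assignments; the result drives token invalidation, so every affected user must appear.` and write the last line as `return list({x['user_id'] for x in assignment_list})`. Whether every effective assignment dict carries a `user_id` key is not visible here; if `list_role_assignments` can return group-only entries, `x.get('user_id')` with a filter would avoid a KeyError. In the same file, the abstract docstring moved into `AssignmentDriverV8` still reads `a list of user_ids or an empty set`, which names two types for one return; `a list of user_ids (possibly empty) for users holding a direct role assignment on the project` would match the SQL implementation this commit deletes, which filtered on `AssignmentType.USER_PROJECT`.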
@ -6359,10 +6359,8 @@ class InheritanceTests(AssignmentTestHelperMixin):
|
|||
self.config_fixture.config(group='os_inherit', enabled=True)
|
||||
user_ids = self.assignment_api.list_user_ids_for_project(
|
||||
test_data['projects'][1]['id'])
|
||||
# FIXME(henry-nash): This should return four unique IDs, but due to
|
||||
# bug #1513893 only the user with a direct user role is returned
|
||||
self.assertThat(user_ids, matchers.HasLength(1))
|
||||
for x in range(0, 1):
|
||||
self.assertThat(user_ids, matchers.HasLength(4))
|
||||
for x in range(0, 4):
|
||||
self.assertIn(test_data['users'][x]['id'], user_ids)
|
||||
|
||||
|
||||
|
|
|
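Review bot: The new assertions in the `InheritanceTests` hunk index the fixture with `for x in range(0, 4)`, which hides what is being checked; iterating the records directly reads better: `for user in test_data['users'][:4]:` / `self.assertIn(user['id'], user_ids)`. Since the fix relies on `effective=True` also covering inherited assignments, a companion check with `os_inherit` disabled (expecting the inherited holders to drop out of the result) would pin the other half of the contract, unless such a test already exists outside this hunk. The enclosing test method starts before the hunk.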
@ -2,8 +2,9 @@
|
|||
prelude: >
|
||||
New Assignment driver (V9)
|
||||
features:
|
||||
- The list_project_ids_for_user() and list_domain_ids_for_user() methods have
|
||||
been removed from the V9 version of the Assignment driver.
|
||||
- The list_project_ids_for_user(), list_domain_ids_for_user() and
|
||||
list_user_ids_for_project() methods have been removed from the V9 version
|
||||
of the Assignment driver.
|
||||
upgrade:
|
||||
- The V8 Assignment driver interface is deprecated, but still supported in
|
||||
this release, so any custom drivers based on the V8 interface should still
|
||||
|
|