Fix defect in list_user_ids that only lists direct user assignments

The assignment manager method list_user_ids_for_projects fails to honor either group or inherited assignments. Since this is used to generate token invalidations, we could be leaving tokens out there which should be killed. Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com> Change-Id: I0ad41a635ea060be351a3cb37fb42e5ab46a40df Closes-Bug: #1513893
2015-11-06 17:23:23 +00:00 · 2015-11-06 17:23:23 +00:00 · 1c40fe4c04
parent 57999b564d
commit 1c40fe4c04
5 changed files with 18 additions and 34 deletions
--- a/keystone/assignment/backends/ldap.py
+++ b/keystone/assignment/backends/ldap.py
@ -80,12 +80,6 @@ class Assignment(assignment.AssignmentDriverV9):
    def list_domain_ids_for_groups(self, group_ids, inherited=False):
        raise exception.NotImplemented()

-    def list_user_ids_for_project(self, tenant_id):
-        tenant_dn = self.project._id_to_dn(tenant_id)
-        rolegrants = self.role.get_role_assignments(tenant_dn)
-        return [self.user._dn_to_id(user_dn) for user_dn in
-                self.project.get_user_dns(tenant_id, rolegrants)]
-
    def _subrole_id_to_dn(self, role_id, tenant_id):
        if tenant_id is None:
            return self.role._id_to_dn(role_id)
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@ -57,15 +57,6 @@ class Assignment(keystone_assignment.AssignmentDriverV9):
    def default_resource_driver(self):
        return 'sql'

-    def list_user_ids_for_project(self, tenant_id):
-        with sql.transaction() as session:
-            query = session.query(RoleAssignment.actor_id)
-            query = query.filter_by(type=AssignmentType.USER_PROJECT)
-            query = query.filter_by(target_id=tenant_id)
-            query = query.distinct('actor_id')
-            assignments = query.all()
-            return [assignment.actor_id for assignment in assignments]
-
    def create_grant(self, role_id, user_id=None, group_id=None,
                     domain_id=None, project_id=None,
                     inherited_to_projects=False):
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -82,7 +82,10 @@ class Manager(manager.Manager):

    def list_user_ids_for_project(self, tenant_id):
        self.resource_api.get_project(tenant_id)
-        return self.driver.list_user_ids_for_project(tenant_id)
+        assignment_list = self.list_role_assignments(
+            project_id=tenant_id, effective=True)
+        # Use set() to process the list to remove any duplicates
+        return list(set([x['user_id'] for x in assignment_list]))

    def _list_parent_ids_of_project(self, project_id):
        if CONF.os_inherit.enabled:
@ -893,15 +896,6 @@ class AssignmentDriverBase(object):
    def _get_list_limit(self):
        return CONF.assignment.list_limit or CONF.list_limit

-    @abc.abstractmethod
-    def list_user_ids_for_project(self, tenant_id):
-        """Lists all user IDs with a role assignment in the specified project.
-
-        :returns: a list of user_ids or an empty set.
-
-        """
-        raise exception.NotImplemented()  # pragma: no cover
-
    @abc.abstractmethod
    def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
        """Add a role to a user within given tenant.
@ -1090,6 +1084,15 @@ class AssignmentDriverV8(AssignmentDriverBase):

    """

+    @abc.abstractmethod
+    def list_user_ids_for_project(self, tenant_id):
+        """Lists all user IDs with a role assignment in the specified project.
+
+        :returns: a list of user_ids or an empty set.
+
+        """
+        raise exception.NotImplemented()  # pragma: no cover
+
    @abc.abstractmethod
    def list_project_ids_for_user(self, user_id, group_ids, hints,
                                  inherited=False):
@ -1180,9 +1183,6 @@ class V9AssignmentWrapperForV8Driver(AssignmentDriverV9):
    def default_resource_driver(self):
        return self.driver.default_resource_driver()

-    def list_user_ids_for_project(self, tenant_id):
-        return self.driver.list_user_ids_for_project(tenant_id)
-
    def add_role_to_user_and_project(self, user_id, tenant_id, role_id):
        self.driver.add_role_to_user_and_project(user_id, tenant_id, role_id)

--- a/keystone/tests/unit/test_backend.py
+++ b/keystone/tests/unit/test_backend.py
@ -6359,10 +6359,8 @@ class InheritanceTests(AssignmentTestHelperMixin):
        self.config_fixture.config(group='os_inherit', enabled=True)
        user_ids = self.assignment_api.list_user_ids_for_project(
            test_data['projects'][1]['id'])
-        # FIXME(henry-nash): This should return four unique IDs, but due to
-        # bug #1513893 only the user with a direct user role is returned
-        self.assertThat(user_ids, matchers.HasLength(1))
-        for x in range(0, 1):
+        self.assertThat(user_ids, matchers.HasLength(4))
+        for x in range(0, 4):
            self.assertIn(test_data['users'][x]['id'], user_ids)


--- a/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml
+++ b/releasenotes/notes/Assignment_V9_driver-c22be069f7baccb0.yaml
@ -2,8 +2,9 @@
 prelude: >
    New Assignment driver (V9)
 features:
-  - The list_project_ids_for_user() and list_domain_ids_for_user() methods have
-    been removed from the V9 version of the Assignment driver.
+  - The list_project_ids_for_user(), list_domain_ids_for_user() and
+    list_user_ids_for_project() methods have been removed from the V9 version
+    of the Assignment driver.
 upgrade:
  - The V8 Assignment driver interface is deprecated, but still supported in
    this release, so any custom drivers based on the V8 interface should still