Remove an assignment from domain and project
When you setup a user with a role assignment on a domain and then a role assignment on a project "acting as a domain", you can't actually remove them. The database throws you the error "Multiple rows were found for one()" since it gets two results for "actor_id" with the same "target_id". This patch fixes this problem by filtering the database query by "type" field to determine whether it is a user domain relation or a user project and then removing the assignment. Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580 Closes-Bug: #1754677
This commit is contained in:
parent
a0346effc8
commit
28faa24e68
@ -78,7 +78,14 @@ class Assignment(base.AssignmentDriverBase):
|
||||
domain_id, project_id, inherited_to_projects):
|
||||
q = session.query(RoleAssignment)
|
||||
q = q.filter_by(actor_id=user_id or group_id)
|
||||
q = q.filter_by(target_id=project_id or domain_id)
|
||||
if domain_id:
|
||||
q = q.filter_by(target_id=domain_id).filter(
|
||||
(RoleAssignment.type == AssignmentType.USER_DOMAIN) |
|
||||
(RoleAssignment.type == AssignmentType.GROUP_DOMAIN))
|
||||
else:
|
||||
q = q.filter_by(target_id=project_id).filter(
|
||||
(RoleAssignment.type == AssignmentType.USER_PROJECT) |
|
||||
(RoleAssignment.type == AssignmentType.GROUP_PROJECT))
|
||||
q = q.filter_by(role_id=role_id)
|
||||
q = q.filter_by(inherited=inherited_to_projects)
|
||||
return q
|
||||
|
@ -24,7 +24,6 @@ from keystone import exception
|
||||
from keystone.resource.backends import base as resource_base
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -1995,7 +1994,6 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
||||
|
||||
self._test_list_role_assignments_include_names(role)
|
||||
|
||||
@test_utils.wip("Skipped until Bug 1754677 is resolved")
|
||||
def test_remove_assignment_for_project_acting_as_domain(self):
|
||||
"""Test goal: remove assignment for project acting as domain.
|
||||
|
||||
|
8
releasenotes/notes/bug-1754677-13ee75ed1b473f26.yaml
Normal file
8
releasenotes/notes/bug-1754677-13ee75ed1b473f26.yaml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
fixes:
|
||||
- >
|
||||
[`bug 1754677 <https://bugs.launchpad.net/keystone/+bug/1754677>`_]
|
||||
When you setup a user with a role assignment on a domain and then a role
|
||||
assignment on a project "acting as a domain", you can't actually remove them.
|
||||
This fixes it by filtering the query by "type" i.e either a USER_DOMAIN or
|
||||
a USER_PROJECT in role assignment table.
|
Loading…
x
Reference in New Issue
Block a user