Remove an assignment from domain and project

When you setup a user with a role assignment on a domain
and then a role assignment on a project "acting as a domain",
you can't actually remove them. The database throws you the
error "Multiple rows were found for one()" since it gets two
results for "actor_id" with the same "target_id".

This patch fixes this problem by filtering the database query
by "type" field to determine whether it is a user domain relation
or a user project and then removing the assignment.

Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580
Closes-Bug: #1754677
This commit is contained in:
Vishakha Agarwal 2020-06-22 12:58:00 +05:30
parent a0346effc8
commit 28faa24e68
3 changed files with 16 additions and 3 deletions

View File

@ -78,7 +78,14 @@ class Assignment(base.AssignmentDriverBase):
domain_id, project_id, inherited_to_projects):
q = session.query(RoleAssignment)
q = q.filter_by(actor_id=user_id or group_id)
q = q.filter_by(target_id=project_id or domain_id)
if domain_id:
q = q.filter_by(target_id=domain_id).filter(
(RoleAssignment.type == AssignmentType.USER_DOMAIN) |
(RoleAssignment.type == AssignmentType.GROUP_DOMAIN))
else:
q = q.filter_by(target_id=project_id).filter(
(RoleAssignment.type == AssignmentType.USER_PROJECT) |
(RoleAssignment.type == AssignmentType.GROUP_PROJECT))
q = q.filter_by(role_id=role_id)
q = q.filter_by(inherited=inherited_to_projects)
return q

View File

@ -24,7 +24,6 @@ from keystone import exception
from keystone.resource.backends import base as resource_base
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -1995,7 +1994,6 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self._test_list_role_assignments_include_names(role)
@test_utils.wip("Skipped until Bug 1754677 is resolved")
def test_remove_assignment_for_project_acting_as_domain(self):
"""Test goal: remove assignment for project acting as domain.

View File

@ -0,0 +1,8 @@
---
fixes:
- >
[`bug 1754677 <https://bugs.launchpad.net/keystone/+bug/1754677>`_]
When you setup a user with a role assignment on a domain and then a role
assignment on a project "acting as a domain", you can't actually remove them.
This fixes it by filtering the query by "type" i.e either a USER_DOMAIN or
a USER_PROJECT in role assignment table.