Remove an assignment from domain and project

When you setup a user with a role assignment on a domain and then a role assignment on a project "acting as a domain", you can't actually remove them. The database throws you the error "Multiple rows were found for one()" since it gets two results for "actor_id" with the same "target_id". This patch fixes this problem by filtering the database query by "type" field to determine whether it is a user domain relation or a user project and then removing the assignment. Change-Id: Ife92a3c9e0982baafb4224882681c0855f573580 Closes-Bug: #1754677
2020-06-22 12:58:00 +05:30 · 2020-06-22 12:58:00 +05:30 · 28faa24e68
commit 28faa24e68
parent a0346effc8
3 changed files with 16 additions and 3 deletions
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@ -78,7 +78,14 @@ class Assignment(base.AssignmentDriverBase):
                            domain_id, project_id, inherited_to_projects):
        q = session.query(RoleAssignment)
        q = q.filter_by(actor_id=user_id or group_id)
-        q = q.filter_by(target_id=project_id or domain_id)
+        if domain_id:
+            q = q.filter_by(target_id=domain_id).filter(
+                (RoleAssignment.type == AssignmentType.USER_DOMAIN) |
+                (RoleAssignment.type == AssignmentType.GROUP_DOMAIN))
+        else:
+            q = q.filter_by(target_id=project_id).filter(
+                (RoleAssignment.type == AssignmentType.USER_PROJECT) |
+                (RoleAssignment.type == AssignmentType.GROUP_PROJECT))
        q = q.filter_by(role_id=role_id)
        q = q.filter_by(inherited=inherited_to_projects)
        return q
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@ -24,7 +24,6 @@ from keystone import exception
 from keystone.resource.backends import base as resource_base
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils


 CONF = keystone.conf.CONF
@ -1995,7 +1994,6 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,

        self._test_list_role_assignments_include_names(role)

-    @test_utils.wip("Skipped until Bug 1754677 is resolved")
    def test_remove_assignment_for_project_acting_as_domain(self):
        """Test goal: remove assignment for project acting as domain.

--- a/releasenotes/notes/bug-1754677-13ee75ed1b473f26.yaml
+++ b/releasenotes/notes/bug-1754677-13ee75ed1b473f26.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - >
+    [`bug 1754677 <https://bugs.launchpad.net/keystone/+bug/1754677>`_]
+    When you setup a user with a role assignment on a domain and then a role
+    assignment on a project "acting as a domain", you can't actually remove them.
+    This fixes it by filtering the query by "type" i.e either a USER_DOMAIN or
+    a USER_PROJECT in role assignment table.