Delete system role assignments when deleting users

Keystone removes role assignments that users have on projects and
domains when deleting users. This should apply to system role
assignments, too.

Change-Id: Ied51b9c3b58714b2d5dbcb933eca1839d1351fc7
Closes-Bug: 1749264
Lance Bragstad 2018-02-12 21:23:45 +00:00
parent 25596b874c
commit 3a3b3c5b5a
3 changed files with 17 additions and 2 deletions


@ -1107,6 +1107,17 @@ class Manager(manager.Manager):
payload
)
def delete_user_assignments(self, user_id):
# FIXME(lbragstad): This should be refactored in the Rocky release so
# that we can pass the user_id to the system assignment backend like we
# do with the project and domain assignment backend. Holding off on
# this because it will require an interface change to the backend,
# making it harder to backport for Queens RC.
self.driver.delete_user_assignments(user_id)
system_assignments = self.list_system_grants_for_user(user_id)
for assignment in system_assignments:
self.delete_system_grant_for_user(user_id, assignment['id'])
def check_system_grant_for_user(self, user_id, role_id):
"""Check if a user has a specific role on the system.
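Review bot: `delete_user_assignments` has no docstring and removes system grants one call at a time after `self.driver.delete_user_assignments(user_id)`, so an exception from `list_system_grants_for_user` or from any `delete_system_grant_for_user` call would leave the remaining system role assignments in place for a user that is being deleted. Leftover grants on a removed identity are the condition this fix is meant to close, so the method should carry a docstring such as `"""Delete all project, domain and system role assignments for a user."""`, followed by a sentence stating that the system cleanup is not transactional. `assignment['id']` is passed where the neighbouring `check_system_grant_for_user` takes a `role_id`, which suggests the listed items are role references; if so, naming the loop variable `role` would read more accurately. The hunk does not show whether group deletion gets the same system-grant cleanup, which is worth confirming.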


@ -24,7 +24,6 @@ import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -366,7 +365,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
# Make sure the role is gone
self.head(member_url, expected_status=http_client.NOT_FOUND)
@test_utils.wip("Waiting for a fix to bug #1749264")
def test_delete_user_before_removing_system_assignments_succeeds(self):
system_role = self._create_new_role()
user = self._create_user()


@ -0,0 +1,6 @@
---
fixes:
- |
[`bug 1749264 <https://bugs.launchpad.net/keystone/+bug/1749264>`_]
A user's system role assignment will be removed when the user is deleted.