Merge "Ensure bootstrap handles multiple roles with the same name" into stable/rocky
commit
4171542c21
|
@ -124,6 +124,14 @@ class Bootstrapper(object):
|
|||
# name instead.
|
||||
hints = driver_hints.Hints()
|
||||
hints.add_filter('name', role_name)
|
||||
# Only return global roles, domain-specific roles can't be used in
|
||||
# system assignments and bootstrap isn't designed to work with
|
||||
# domain-specific roles.
|
||||
hints.add_filter('domain_id', None)
|
||||
|
||||
# NOTE(lbragstad): Global roles are unique based on name. At this
|
||||
# point we should be safe to return the first, and only, element in
|
||||
# the list.
|
||||
return PROVIDERS.role_api.list_roles(hints)[0]
|
||||
|
||||
def _ensure_implied_role(self, prior_role_id, implied_role_id):
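Review bot: The `[0]` on `return PROVIDERS.role_api.list_roles(hints)[0]` still depends on an invariant that is only stated in the NOTE comment and never checked. If the filtered list is empty, this raises a bare `IndexError`. If a backend does not apply the `domain_id` filter for a `None` value, the first of several same-named roles is used silently, which appears to be the ambiguity this change is meant to remove. Since the role resolved here is presumably the one bootstrap goes on to assign, I would bind the result first with `roles = PROVIDERS.role_api.list_roles(hints)` and fail with an explicit error when `len(roles) != 1`, or when `roles[0]['domain_id'] is not None`. The enclosing method starts above this hunk, so its callers and any prior existence check are not visible here.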
|
||||
|
|
|
@ -281,6 +281,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||
user_id,
|
||||
bootstrap.password)
|
||||
|
||||
def test_bootstrap_with_ambiguous_role_names(self):
|
||||
bootstrap = cli.BootStrap()
|
||||
# bootstrap system to create the default admin role
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
|
||||
# create a domain-specific roles that share the same names as the
|
||||
# default roles created by keystone-manage bootstrap
|
||||
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
domain_roles = {}
|
||||
|
||||
for name in ['admin', 'member', 'reader']:
|
||||
domain_role = {
|
||||
'domain_id': domain['id'],
|
||||
'id': uuid.uuid4().hex,
|
||||
'name': name
|
||||
}
|
||||
domain_roles[name] = PROVIDERS.role_api.create_role(
|
||||
domain_role['id'], domain_role
|
||||
)
|
||||
|
||||
# ensure subsequent bootstrap attempts don't fail because of
|
||||
# ambiguity
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
|
||||
|
||||
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
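Review bot: `test_bootstrap_with_ambiguous_role_names` only proves that the second `self._do_test_bootstrap(bootstrap)` call does not raise, and `domain_roles` is filled in the loop but never read afterwards. A regression in which bootstrap resolves `admin` to the domain-specific role could still pass, unless `_do_test_bootstrap` already checks the role's scope, which is defined outside this hunk. I would add an assertion after the second bootstrap that the id of the role bootstrap ended up using differs from `domain_roles['admin']['id']`, or that the role's `domain_id` is `None`. A one-line comment that `domain_roles` is kept for that comparison would explain why the dict exists.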
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
|
||||
``keystone-manage bootstrap`` can be run in upgrade scenarios where
|
||||
pre-existing domain-specific roles exist named ``admin``, ``member``, and
|
||||
``reader``.
|