From 2e4055e49b519a146902f0cf06740ec43231929b Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 18 Dec 2019 11:59:53 -0600 Subject: [PATCH] Ensure bootstrap handles multiple roles with the same name The bootstrap logic doesn't take into consideration multiple roles with the same name. If bootstrap is unable to determine which role to use and accidentally uses a domain-specific role with the same name as a default role, bootstrap will fail in unexpected ways. This change deviates slightly from the upstream patches in that the stable/rocky test_cli.py module doesn't have a `self.bootstrap` attribute. Instead, we just test with `bootstrap` in the test itself. Otherwise, the test is functionally the same. Closes-Bug: 1856881 Change-Id: Iddc364d8c934b6e54d1e8c75b8b159faadbf865d (cherry picked from commit 25cf359e5fb914b855922121f20e23bd14626b8e) (cherry picked from commit 51ff7be731450c183b3e3eb6d34493e986cc2635) (cherry picked from commit 1ba238e49195890c0232554005d4efa670467694) --- keystone/cmd/bootstrap.py | 8 ++++++ keystone/tests/unit/test_cli.py | 25 +++++++++++++++++++ .../notes/bug-1856881-277103af343187f1.yaml | 7 ++++++ 3 files changed, 40 insertions(+) create mode 100644 releasenotes/notes/bug-1856881-277103af343187f1.yaml diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py index 2d1ec8577b..c343c00130 100644 --- a/keystone/cmd/bootstrap.py +++ b/keystone/cmd/bootstrap.py @@ -124,6 +124,14 @@ class Bootstrapper(object): # name instead. hints = driver_hints.Hints() hints.add_filter('name', role_name) + # Only return global roles, domain-specific roles can't be used in + # system assignments and bootstrap isn't designed to work with + # domain-specific roles. + hints.add_filter('domain_id', None) + + # NOTE(lbragstad): Global roles are unique based on name. At this + # point we should be safe to return the first, and only, element in + # the list. return PROVIDERS.role_api.list_roles(hints)[0] def _ensure_implied_role(self, prior_role_id, implied_role_id): diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py index 2c4a3f1de9..cd7d21012b 100644 --- a/keystone/tests/unit/test_cli.py +++ b/keystone/tests/unit/test_cli.py @@ -281,6 +281,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase): user_id, bootstrap.password) + def test_bootstrap_with_ambiguous_role_names(self): + bootstrap = cli.BootStrap() + # bootstrap system to create the default admin role + self._do_test_bootstrap(bootstrap) + + # create a domain-specific roles that share the same names as the + # default roles created by keystone-manage bootstrap + domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} + domain = PROVIDERS.resource_api.create_domain(domain['id'], domain) + domain_roles = {} + + for name in ['admin', 'member', 'reader']: + domain_role = { + 'domain_id': domain['id'], + 'id': uuid.uuid4().hex, + 'name': name + } + domain_roles[name] = PROVIDERS.role_api.create_role( + domain_role['id'], domain_role + ) + + # ensure subsequent bootstrap attempts don't fail because of + # ambiguity + self._do_test_bootstrap(bootstrap) + class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase): diff --git a/releasenotes/notes/bug-1856881-277103af343187f1.yaml b/releasenotes/notes/bug-1856881-277103af343187f1.yaml new file mode 100644 index 0000000000..673371dbf5 --- /dev/null +++ b/releasenotes/notes/bug-1856881-277103af343187f1.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + [`bug 1856881 `_] + ``keystone-manage bootstrap`` can be run in upgrade scenarios where + pre-existing domain-specific roles exist named ``admin``, ``member``, and + ``reader``.