Merge "Ensure bootstrap handles multiple roles with the same name" into stable/rocky
commit
4171542c21
|
@ -124,6 +124,14 @@ class Bootstrapper(object):
|
||||||
# name instead.
|
# name instead.
|
||||||
hints = driver_hints.Hints()
|
hints = driver_hints.Hints()
|
||||||
hints.add_filter('name', role_name)
|
hints.add_filter('name', role_name)
|
||||||
|
# Only return global roles, domain-specific roles can't be used in
|
||||||
|
# system assignments and bootstrap isn't designed to work with
|
||||||
|
# domain-specific roles.
|
||||||
|
hints.add_filter('domain_id', None)
|
||||||
|
|
||||||
|
# NOTE(lbragstad): Global roles are unique based on name. At this
|
||||||
|
# point we should be safe to return the first, and only, element in
|
||||||
|
# the list.
|
||||||
return PROVIDERS.role_api.list_roles(hints)[0]
|
return PROVIDERS.role_api.list_roles(hints)[0]
|
||||||
|
|
||||||
def _ensure_implied_role(self, prior_role_id, implied_role_id):
|
def _ensure_implied_role(self, prior_role_id, implied_role_id):
|
||||||
|
|
|
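Review bot: The `[0]` on the final `PROVIDERS.role_api.list_roles(hints)` call still assumes the filtered list is non-empty, and the new NOTE documents that assumption without enforcing it. If a role backend does not honour the `domain_id` filter, or no global role with that name exists, bootstrap could fail with a bare IndexError or return a role the admin assignment was never meant to use. Consider binding the result first, `roles = PROVIDERS.role_api.list_roles(hints)`, and checking that `len(roles) == 1` and `roles[0]['domain_id'] is None` before returning `roles[0]`, raising a descriptive error otherwise. The enclosing method begins above the hunk, so how this path is reached is not visible here.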
@ -281,6 +281,31 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
||||||
user_id,
|
user_id,
|
||||||
bootstrap.password)
|
bootstrap.password)
|
||||||
|
|
||||||
|
def test_bootstrap_with_ambiguous_role_names(self):
|
||||||
|
bootstrap = cli.BootStrap()
|
||||||
|
# bootstrap system to create the default admin role
|
||||||
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
# create a domain-specific roles that share the same names as the
|
||||||
|
# default roles created by keystone-manage bootstrap
|
||||||
|
domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||||
|
domain = PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||||
|
domain_roles = {}
|
||||||
|
|
||||||
|
for name in ['admin', 'member', 'reader']:
|
||||||
|
domain_role = {
|
||||||
|
'domain_id': domain['id'],
|
||||||
|
'id': uuid.uuid4().hex,
|
||||||
|
'name': name
|
||||||
|
}
|
||||||
|
domain_roles[name] = PROVIDERS.role_api.create_role(
|
||||||
|
domain_role['id'], domain_role
|
||||||
|
)
|
||||||
|
|
||||||
|
# ensure subsequent bootstrap attempts don't fail because of
|
||||||
|
# ambiguity
|
||||||
|
self._do_test_bootstrap(bootstrap)
|
||||||
|
|
||||||
|
|
||||||
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
|
||||||
|
|
||||||
|
|
|
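Review bot: `test_bootstrap_with_ambiguous_role_names` only proves that the second `_do_test_bootstrap(bootstrap)` call does not raise; `domain_roles` is filled but never read. Since the point of the fix is that bootstrap selects the global role rather than a same-named domain-specific one, the test should assert that too, for example by checking that none of the ids in `domain_roles` appear among the roles assigned to the bootstrap user. Without that, a regression that silently picks the domain-specific `admin` role could still pass, unless `_do_test_bootstrap` (defined outside this hunk) already checks the assigned role's domain. The comment `# create a domain-specific roles` should read `# create domain-specific roles`.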
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1856881 <https://bugs.launchpad.net/keystone/+bug/1856881>`_]
|
||||||
|
``keystone-manage bootstrap`` can be run in upgrade scenarios where
|
||||||
|
pre-existing domain-specific roles exist named ``admin``, ``member``, and
|
||||||
|
``reader``.
|