Delete system role assignments when deleting groups

Keystone removes role assignments that groups have on projects and
domains when deleting groups. This should apply to system role
assignments, too.

Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
Closes-Bug: 1749267
Lance Bragstad 2018-02-13 20:47:54 +00:00
parent 3fa997531f
commit 5a24b96d95
3 changed files with 16 additions and 2 deletions


@ -1038,6 +1038,17 @@ class Manager(manager.Manager):
role_assign_list.append(new_assign)
return role_assign_list
def delete_group_assignments(self, group_id):
# FIXME(lbragstad): This should be refactored in the Rocky release so
# that we can pass the group_id to the system assignment backend like
# we do with the project and domain assignment backend. Holding off on
# this because it will require an interface change to the backend,
# making it harder to backport for Queens RC.
self.driver.delete_group_assignments(group_id)
system_assignments = self.list_system_grants_for_group(group_id)
for assignment in system_assignments:
self.delete_system_grant_for_group(group_id, assignment['id'])
def delete_tokens_for_role_assignments(self, role_id):
assignments = self.list_role_assignments(role_id=role_id)
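Review bot: The system-grant cleanup in `delete_group_assignments` runs as a separate per-assignment loop after `self.driver.delete_group_assignments(group_id)`, so an exception from `delete_system_grant_for_group` part-way through would leave the remaining system role assignments recorded against a group that is being deleted. Because system role assignments apply deployment-wide, I would state the ordering and failure behaviour in a docstring, e.g. `"""Remove a group's project, domain and system role assignments; system grants are deleted one at a time after the driver call."""`, and decide explicitly whether a not-found error from a concurrent removal should abort the loop or be skipped. The second argument passed is `assignment['id']`; if `list_system_grants_for_group` returns role references rather than assignment rows (not visible in this hunk), naming the loop variable `role` would make that clearer. The last two lines of the hunk belong to `delete_tokens_for_role_assignments`, whose body continues outside the hunk.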


@ -24,7 +24,6 @@ import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -426,7 +425,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.head('/auth/tokens', token=token,
expected_status=http_client.UNAUTHORIZED)
@test_utils.wip("Waiting on a fix for bug #1749267")
def test_delete_group_before_removing_system_assignments_succeeds(self):
system_role = self._create_new_role()
group = self._create_group()


@ -0,0 +1,5 @@
---
fixes:
- |
[`bug 1749267 <https://bugs.launchpad.net/keystone/+bug/1749267>`_]
A group's system role assignments are removed when the group is deleted.