openstack/keystone
Code Issues Proposed changes

Delete system role assignments when deleting groups

Browse Source 
Keystone removes role assignments that groups have on projects and
domains when deleting groups. This should apply to system role
assignments, too.

Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
Closes-Bug: 1749267
This commit is contained in:
Lance Bragstad 2018-02-13 20:47:54 +00:00
parent 3fa997531f
commit 5a24b96d95
3 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
keystone/assignment/core.py
View File

@ -1038,6 +1038,17 @@ class Manager(manager.Manager):
role_assign_list.append(new_assign)
return role_assign_list
def delete_group_assignments(self, group_id):
# FIXME(lbragstad): This should be refactored in the Rocky release so
# that we can pass the group_id to the system assignment backend like
# we do with the project and domain assignment backend. Holding off on
# this because it will require an interface change to the backend,
# making it harder to backport for Queens RC.
self.driver.delete_group_assignments(group_id)
system_assignments = self.list_system_grants_for_group(group_id)
for assignment in system_assignments:
self.delete_system_grant_for_group(group_id, assignment['id'])
def delete_tokens_for_role_assignments(self, role_id):
assignments = self.list_role_assignments(role_id=role_id)

2
keystone/tests/unit/test_v3_assignment.py
View File

@ -24,7 +24,6 @@ import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -426,7 +425,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.head('/auth/tokens', token=token,
expected_status=http_client.UNAUTHORIZED)
@test_utils.wip("Waiting on a fix for bug #1749267")
def test_delete_group_before_removing_system_assignments_succeeds(self):
system_role = self._create_new_role()
group = self._create_group()

5
releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml Normal file
View File

@ -0,0 +1,5 @@
---
fixes:
- |
[`bug 1749267 <https://bugs.launchpad.net/keystone/+bug/1749267>`_]
A group's system role assignments are removed when the group is deleted.