Fix failure of delete domain group grant when identity is LDAP.
When deleting a domain group assignment while using a non-domain-aware backend, such as LDAP, an AttributeError was being raised when trying to find all the relevant tokens. This was due to a hangover from when you had to pass domain scope to list_users_in_group(). This only affected domain group grants; by luck we got away with it for group project grants. Change-Id: I47b61886698232a7d3dfb4b502d61723cb0eb786 Closes-Bug: 1373113
parent
d8d1477d83
commit
5b331f469d
|
@ -566,8 +566,7 @@ class Manager(manager.Manager):
|
|||
try:
|
||||
# NOTE(morganfainberg): The user ids are the important part
|
||||
# for invalidating tokens below, so extract them here.
|
||||
for user in self.identity_api.list_users_in_group(group_id,
|
||||
domain_id):
|
||||
for user in self.identity_api.list_users_in_group(group_id):
|
||||
if user['id'] != user_id:
|
||||
self._emit_invalidate_user_token_persistence(
|
||||
user['id'])
|
||||
|
|
|
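Review bot: The corrected call `self.identity_api.list_users_in_group(group_id)` is the only source of user ids for the token invalidation that follows, yet nothing at the call site says why the domain argument must not be passed. I would add a comment above the loop such as `# list_users_in_group() no longer takes a domain scope; passing one fails on non domain-aware identity backends such as LDAP (bug 1373113).` The `try:` that opens this hunk has its handler outside the visible lines, so confirm there that only the expected not-found case is caught. If a broader backend error were swallowed, the grant could be removed while the group members' tokens stayed valid. The enclosing method starts and ends outside the hunk.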
@ -1962,6 +1962,47 @@ class LdapIdentitySqlAssignment(BaseLDAPIdentity, tests.SQLDriverOverrides,
|
|||
domain['id'],
|
||||
domain)
|
||||
|
||||
def test_get_and_remove_role_grant_by_group_and_domain(self):
|
||||
# TODO(henry-nash): We should really rewrite the tests in test_backend
|
||||
# to be more flexible as to where the domains are sourced from, so
|
||||
# that we would not need to override such tests here. This is raised
|
||||
# as bug 1373865.
|
||||
new_domain = self._get_domain_fixture()
|
||||
new_group = {'domain_id': new_domain['id'], 'name': uuid.uuid4().hex}
|
||||
new_group = self.identity_api.create_group(new_group)
|
||||
new_user = {'name': 'new_user', 'password': uuid.uuid4().hex,
|
||||
'enabled': True, 'domain_id': new_domain['id']}
|
||||
new_user = self.identity_api.create_user(new_user)
|
||||
self.identity_api.add_user_to_group(new_user['id'],
|
||||
new_group['id'])
|
||||
|
||||
roles_ref = self.assignment_api.list_grants(
|
||||
group_id=new_group['id'],
|
||||
domain_id=new_domain['id'])
|
||||
self.assertEqual(0, len(roles_ref))
|
||||
|
||||
self.assignment_api.create_grant(group_id=new_group['id'],
|
||||
domain_id=new_domain['id'],
|
||||
role_id='member')
|
||||
|
||||
roles_ref = self.assignment_api.list_grants(
|
||||
group_id=new_group['id'],
|
||||
domain_id=new_domain['id'])
|
||||
self.assertDictEqual(roles_ref[0], self.role_member)
|
||||
|
||||
self.assignment_api.delete_grant(group_id=new_group['id'],
|
||||
domain_id=new_domain['id'],
|
||||
role_id='member')
|
||||
roles_ref = self.assignment_api.list_grants(
|
||||
group_id=new_group['id'],
|
||||
domain_id=new_domain['id'])
|
||||
self.assertEqual(0, len(roles_ref))
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.assignment_api.delete_grant,
|
||||
group_id=new_group['id'],
|
||||
domain_id=new_domain['id'],
|
||||
role_id='member')
|
||||
|
||||
|
||||
class LdapIdentitySqlAssignmentWithMapping(LdapIdentitySqlAssignment):
|
||||
"""Class to test mapping of default LDAP backend.
|
||||
|
|
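Review bot: `test_get_and_remove_role_grant_by_group_and_domain` checks only that the grant disappears and that a second delete raises `exception.NotFound`; it never asserts that tokens for `new_user` were invalidated, which is the code path bug 1373113 broke. As written it passes as long as `delete_grant` does not raise, so a later change that skipped the member loop would go unnoticed. Consider asserting on the invalidation for `new_user['id']` after the first `delete_grant`, and adding a comment before `add_user_to_group` such as `# The group needs a member so that delete_grant() walks list_users_in_group() (bug 1373113).` The fixed name `'new_user'` could also use `uuid.uuid4().hex`, as the group name does, in case the LDAP fixture is shared between tests.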