
Merge "Delete system role assignments from system_assignment table" into stable/train

changes/90/781490/1
Zuul 1 month ago
committed by Gerrit Code Review
parent
commit
72d8d7ede1
3 changed files with 40 additions and 0 deletions
  1. +5
    -0
      keystone/assignment/backends/sql.py
  2. +19
    -0
      keystone/tests/unit/assignment/test_backends.py
  3. +16
    -0
      releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml

+ 5
- 0
keystone/assignment/backends/sql.py

@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
q = q.filter_by(role_id=role_id)
q.delete(False)
with sql.session_for_write() as session:
q = session.query(SystemRoleAssignment)
q = q.filter_by(role_id=role_id)
q.delete(False)
def delete_domain_assignments(self, domain_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
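Review bot: The added `SystemRoleAssignment` delete opens its own `sql.session_for_write()` block, so it appears to commit separately from the `RoleAssignment` delete just above it. If the second transaction fails, the first delete is already committed while the `system_assignment` rows for the role remain, which is the stale-authorization state this fix is meant to remove. Running both deletes in one write session keeps the cleanup atomic, e.g. by adding `session.query(SystemRoleAssignment).filter_by(role_id=role_id).delete(False)` inside the existing `with` block. The enclosing method starts above the hunk, so the first block's `with` line is inferred rather than visible. A short comment such as `# system assignments live in their own table and must be purged with the role` would also help.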


+ 19
- 0
keystone/tests/unit/assignment/test_backends.py

@ -4226,3 +4226,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
group_id,
role['id']
)
def test_delete_role_with_system_assignments(self):
role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role)
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.new_user_ref(domain_id=domain['id'])
user = PROVIDERS.identity_api.create_user(user)
# creating a system grant for user
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], role['id']
)
# deleting the role user has on system
PROVIDERS.role_api.delete_role(role['id'])
system_roles = PROVIDERS.assignment_api.list_role_assignments(
role_id=role['id']
)
self.assertEqual(len(system_roles), 0)
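Review bot: `test_delete_role_with_system_assignments` asserts only the post-delete state, so it would also pass if `create_system_grant_for_user` stored nothing or if `list_role_assignments(role_id=...)` did not return system assignments at all. Assert that the grant exists before `delete_role`, then check the system grants directly afterwards, e.g. `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_user(user['id']))`. The release note describes the symptom as a 404 when listing assignments with names, so exercising that listing path after the delete would pin the actual regression. The test class starts outside the hunk.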

+ 16
- 0
releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml

@ -0,0 +1,16 @@
---
fixes:
- |
[`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
Previously when a user used to have system role assignment and tries to delete
the same role, the system role assignments still existed in system_assignment
table. This causes keystone to return `HTTP 404 Not Found` errors when listing
role assignments with names (e.g., `--names` or `?include_names`).
If you are affected by this bug, you must remove stale role assignments
manually. The following is an example SQL statement you can use to fix the
issue, but you should verify it's applicability to your deployment's SQL
implementation and version.
SQL:
- delete from system_assignment where role_id not in (select id from role);
