Delete system role assignments from system_assignment table

This patch ensures to delete the system role assignments from
all the assignment tables in keystone after deleting the role
user has over the system.

This also make sure of deleting stale role assignments before
deleting role for the deployments that are already in this state.

Closes-Bug: #1878938

Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
(cherry picked from commit c1dcbb05b4)
(cherry picked from commit b83170a386)
(cherry picked from commit 6f93063ff9)
This commit is contained in:
Vishakha Agarwal 2020-05-27 12:08:41 +05:30 committed by Lance Bragstad
parent 5a7ebf53bc
commit 7ac0891375
3 changed files with 40 additions and 0 deletions

View File

@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
q = q.filter_by(role_id=role_id)
q.delete(False)
with sql.session_for_write() as session:
q = session.query(SystemRoleAssignment)
q = q.filter_by(role_id=role_id)
q.delete(False)
def delete_domain_assignments(self, domain_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)

View File

@ -4225,3 +4225,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
group_id,
role['id']
)
def test_delete_role_with_system_assignments(self):
role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role)
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.new_user_ref(domain_id=domain['id'])
user = PROVIDERS.identity_api.create_user(user)
# creating a system grant for user
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], role['id']
)
# deleting the role user has on system
PROVIDERS.role_api.delete_role(role['id'])
system_roles = PROVIDERS.assignment_api.list_role_assignments(
role_id=role['id']
)
self.assertEqual(len(system_roles), 0)

View File

@ -0,0 +1,16 @@
---
fixes:
- |
[`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
Previously when a user used to have system role assignment and tries to delete
the same role, the system role assignments still existed in system_assignment
table. This causes keystone to return `HTTP 404 Not Found` errors when listing
role assignments with names (e.g., `--names` or `?include_names`).
If you are affected by this bug, you must remove stale role assignments
manually. The following is an example SQL statement you can use to fix the
issue, but you should verify it's applicability to your deployment's SQL
implementation and version.
SQL:
- delete from system_assignment where role_id not in (select id from role);