From 7ac0891375656d156f1a9601e3520052dddb39d0 Mon Sep 17 00:00:00 2001 From: Vishakha Agarwal Date: Wed, 27 May 2020 12:08:41 +0530 Subject: [PATCH] Delete system role assignments from system_assignment table This patch ensures to delete the system role assignments from all the assignment tables in keystone after deleting the role user has over the system. This also make sure of deleting stale role assignments before deleting role for the deployments that are already in this state. Closes-Bug: #1878938 Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82 (cherry picked from commit c1dcbb05b4488f1fa3e7af4d9171d11702d94119) (cherry picked from commit b83170a386ba8da2195c7494d04d832ce9b6d7b0) (cherry picked from commit 6f93063ff95f3c65af106a09281427e411d01850) --- keystone/assignment/backends/sql.py | 5 +++++ .../tests/unit/assignment/test_backends.py | 19 +++++++++++++++++++ .../notes/bug-1878938-70ee2af6fdf66004.yaml | 16 ++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py index 6822811caa..5eda2b724b 100644 --- a/keystone/assignment/backends/sql.py +++ b/keystone/assignment/backends/sql.py @@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase): q = q.filter_by(role_id=role_id) q.delete(False) + with sql.session_for_write() as session: + q = session.query(SystemRoleAssignment) + q = q.filter_by(role_id=role_id) + q.delete(False) + def delete_domain_assignments(self, domain_id): with sql.session_for_write() as session: q = session.query(RoleAssignment) diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index dd327c8791..cdf89664a8 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py @@ -4225,3 +4225,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): group_id, role['id'] ) + + def test_delete_role_with_system_assignments(self): + role = unit.new_role_ref() + PROVIDERS.role_api.create_role(role['id'], role) + domain = unit.new_domain_ref() + PROVIDERS.resource_api.create_domain(domain['id'], domain) + user = unit.new_user_ref(domain_id=domain['id']) + user = PROVIDERS.identity_api.create_user(user) + + # creating a system grant for user + PROVIDERS.assignment_api.create_system_grant_for_user( + user['id'], role['id'] + ) + # deleting the role user has on system + PROVIDERS.role_api.delete_role(role['id']) + system_roles = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) + self.assertEqual(len(system_roles), 0) diff --git a/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml new file mode 100644 index 0000000000..21a53b4821 --- /dev/null +++ b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml @@ -0,0 +1,16 @@ +--- +fixes: + - | + [`bug 1878938 `_] + Previously when a user used to have system role assignment and tries to delete + the same role, the system role assignments still existed in system_assignment + table. This causes keystone to return `HTTP 404 Not Found` errors when listing + role assignments with names (e.g., `--names` or `?include_names`). + + If you are affected by this bug, you must remove stale role assignments + manually. The following is an example SQL statement you can use to fix the + issue, but you should verify it's applicability to your deployment's SQL + implementation and version. + + SQL: + - delete from system_assignment where role_id not in (select id from role);