Fix querying role_assignment with system roles

This commit removes system role assignments when querying keystone
for a list of assignments pertaining to a specific role. For example,
`GET /v3/role_assignments?role.id={role_id}`, now returns assignments
only for that role. Previously, the list contained false positives
because some system role assignments weren't being removed. This
was introduced in queens with the system scope work.

Change-Id: Iab35ae01bb715da5813e62cd09900de555dceaaa
Closes-Bug: 1748970
Lance Bragstad 2018-02-13 17:09:55 +00:00
parent a226a3d8be
commit 8748e729b2
3 changed files with 17 additions and 15 deletions


@ -899,6 +899,10 @@ class Manager(manager.Manager):
a['system'] = {'all': True}
system_assignments.append(a)
for i, assignment in enumerate(system_assignments):
if role_id and role_id != assignment['role_id']:
system_assignments.pop(i)
assignments = []
for assignment in itertools.chain(
project_and_domain_assignments, system_assignments):
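Review bot: The added loop `for i, assignment in enumerate(system_assignments):` calls `system_assignments.pop(i)` on the list it is iterating, so the element that shifts into index `i` after each pop is never examined. When two or more non-matching system assignments are adjacent, some of them survive and the role-filtered listing still returns assignments for other roles, which is the false positive this commit sets out to remove. Build a filtered list instead of mutating in place: `system_assignments = [a for a in system_assignments if not role_id or a['role_id'] == role_id]`. The tests enabled in this commit appear to create only one system role per case, so they would not exercise this path; a case with several system roles on the same user or group would. The enclosing method starts and ends outside the hunk.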


@ -24,7 +24,6 @@ import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -3569,7 +3568,6 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
) % {'project_id': self.project_id}
self.get(path, expected_status=http_client.BAD_REQUEST)
@test_utils.wip("Waiting on fix for bug #1748970")
def test_query_for_role_id_does_not_return_system_user_roles(self):
system_role_id = self._create_new_role()
@ -3580,12 +3578,8 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
}
self.put(member_url)
# The user has a role on the system and on a project, but self.role_id
# is only given to the user on the project. If we ask for role
# assignments matching that role for that specific user, we should only
# get one back. Instead, we get two back because the role assignment
# API isn't filtering out system role assignments when queried for a
# specific role.
# Make sure we only get one role assignment back since the system role
# assignment shouldn't be returned.
path = (
'/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
) % {'role_id': self.role_id, 'user_id': self.user['id']}
@ -3862,7 +3856,6 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
)
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
@test_utils.wip("Waiting on fix for bug #1748970")
def test_query_for_role_id_does_not_return_system_group_roles(self):
system_role_id = self._create_new_role()
group = self._create_group()
@ -3883,12 +3876,8 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
)
self.put(member_url)
# The group has a role on the system and on a project, but self.role_id
# is only given to the group on the project. If we ask for role
# assignments matching that role for that specific group, we should
# only get one back. Instead, we get two back because the role
# assignment API isn't filtering out system role assignments when
# queried for a specific role.
# Make sure we only get one role assignment back since the system role
# assignment shouldn't be returned.
path = (
'/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
) % {'role_id': self.role_id, 'group_id': group['id']}


@ -0,0 +1,9 @@
---
fixes:
- |
[`bug 1748970 <https://bugs.launchpad.net/keystone/+bug/1748970>`_]
A bug was introduced in Queens that resulted in system role assignments
being returned when querying the role assignments API for a specific role.
The issue is fixed and the list of roles returned from
``GET /v3/role_assignments?role.id={role_id}`` respects system role
assignments.