Fix querying role_assignment with system roles
This commit removes system role assignments when querying keystone for a list of assignments pertaining to a specific role. For example, `GET /v3/role_assignments?role.id={role_id}`, now returns assignments only for that role. Previously, the list contained false positives because some system role assignments weren't being removed. This was introduced in queens with the system scope work. Change-Id: Iab35ae01bb715da5813e62cd09900de555dceaaa Closes-Bug: 1748970
parent
a226a3d8be
commit
8748e729b2
|
@ -899,6 +899,10 @@ class Manager(manager.Manager):
|
|||
a['system'] = {'all': True}
|
||||
system_assignments.append(a)
|
||||
|
||||
for i, assignment in enumerate(system_assignments):
|
||||
if role_id and role_id != assignment['role_id']:
|
||||
system_assignments.pop(i)
|
||||
|
||||
assignments = []
|
||||
for assignment in itertools.chain(
|
||||
project_and_domain_assignments, system_assignments):
|
||||
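Review bot: The new filter loop calls `system_assignments.pop(i)` while `enumerate(system_assignments)` is still iterating the same list, so each removal shifts the next element into the index just visited and that element is never checked. With two adjacent system assignments whose `role_id` differs from the requested one, the second stays in the list and the role-filtered query still returns an assignment for the wrong role, which is the false positive this commit sets out to remove and which matters to anyone auditing role grants through this API. Building a new list avoids mutating during iteration: `system_assignments = [a for a in system_assignments if not role_id or a['role_id'] == role_id]`. The enclosing method starts and ends outside the hunk, so how `role_id` is populated is not visible here.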
|
|
|
@ -24,7 +24,6 @@ import keystone.conf
|
|||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -3569,7 +3568,6 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
) % {'project_id': self.project_id}
|
||||
self.get(path, expected_status=http_client.BAD_REQUEST)
|
||||
|
||||
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||
def test_query_for_role_id_does_not_return_system_user_roles(self):
|
||||
system_role_id = self._create_new_role()
|
||||
|
||||
|
@ -3580,12 +3578,8 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
}
|
||||
self.put(member_url)
|
||||
|
||||
# The user has a role on the system and on a project, but self.role_id
|
||||
# is only given to the user on the project. If we ask for role
|
||||
# assignments matching that role for that specific user, we should only
|
||||
# get one back. Instead, we get two back because the role assignment
|
||||
# API isn't filtering out system role assignments when queried for a
|
||||
# specific role.
|
||||
# Make sure we only get one role assignment back since the system role
|
||||
# assignment shouldn't be returned.
|
||||
path = (
|
||||
'/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
|
||||
) % {'role_id': self.role_id, 'user_id': self.user['id']}
|
||||
|
@ -3862,7 +3856,6 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
)
|
||||
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
|
||||
|
||||
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||
def test_query_for_role_id_does_not_return_system_group_roles(self):
|
||||
system_role_id = self._create_new_role()
|
||||
group = self._create_group()
|
||||
|
@ -3883,12 +3876,8 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
)
|
||||
self.put(member_url)
|
||||
|
||||
# The group has a role on the system and on a project, but self.role_id
|
||||
# is only given to the group on the project. If we ask for role
|
||||
# assignments matching that role for that specific group, we should
|
||||
# only get one back. Instead, we get two back because the role
|
||||
# assignment API isn't filtering out system role assignments when
|
||||
# queried for a specific role.
|
||||
# Make sure we only get one role assignment back since the system role
|
||||
# assignment shouldn't be returned.
|
||||
path = (
|
||||
'/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
|
||||
) % {'role_id': self.role_id, 'group_id': group['id']}
|
||||
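Review bot: Neither re-enabled test appears to cover more than one system role assignment: each shows a single `system_role_id = self._create_new_role()` and one `self.put(member_url)`, so they only prove that one non-matching system assignment is filtered out. A case that grants the user (and the group) two or more system roles, none equal to `self.role_id`, and still asserts that exactly one assignment comes back would cover lists where several entries must be dropped in a row. The test bodies continue outside the visible hunks, so this is based only on the lines shown.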
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1748970 <https://bugs.launchpad.net/keystone/+bug/1748970>`_]
|
||||
A bug was introduced in Queens that resulted in system role assignments
|
||||
being returned when querying the role assignments API for a specific role.
|
||||
The issue is fixed and the list of roles returned from
|
||||
``GET /v3/role_assignments?role.id={role_id}`` respects system role
|
||||
assignments.
|