Expand implied roles in system-scoped tokens
The implementation for system-scoped tokens lacked support for expanding implied roles. This patch modifies the token model so that the token response includes the roles implied by the user's system role assignments. Change-Id: I46ff38a9cff6c605ccb9a52b1533f01fa4faec17 Closes-Bug: 1788694
parent
6d7cfdb4ba
commit
9051d403a3
@ -12,8 +12,6 @@
|
||||||
|
|
||||||
"""Unified in-memory token model."""
|
"""Unified in-memory token model."""
|
||||||
|
|
||||||
import itertools
|
|
||||||
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_serialization import msgpackutils
|
from oslo_serialization import msgpackutils
|
||||||
from oslo_utils import reflection
|
from oslo_utils import reflection
|
||||||
|
@ -254,6 +252,7 @@ class TokenModel(object):
|
||||||
roles = []
|
roles = []
|
||||||
groups = PROVIDERS.identity_api.list_groups_for_user(self.user_id)
|
groups = PROVIDERS.identity_api.list_groups_for_user(self.user_id)
|
||||||
all_group_roles = []
|
all_group_roles = []
|
||||||
|
assignments = []
|
||||||
for group in groups:
|
for group in groups:
|
||||||
group_roles = (
|
group_roles = (
|
||||||
PROVIDERS.assignment_api.list_system_grants_for_group(
|
PROVIDERS.assignment_api.list_system_grants_for_group(
|
||||||
|
@ -262,10 +261,25 @@ class TokenModel(object):
|
||||||
)
|
)
|
||||||
for role in group_roles:
|
for role in group_roles:
|
||||||
all_group_roles.append(role)
|
all_group_roles.append(role)
|
||||||
|
assignment = {'group_id': group['id'], 'role_id': role['id']}
|
||||||
|
assignments.append(assignment)
|
||||||
user_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
|
user_roles = PROVIDERS.assignment_api.list_system_grants_for_user(
|
||||||
self.user_id
|
self.user_id
|
||||||
)
|
)
|
||||||
for role in itertools.chain(all_group_roles, user_roles):
|
for role in user_roles:
|
||||||
|
assignment = {'user_id': self.user_id, 'role_id': role['id']}
|
||||||
|
assignments.append(assignment)
|
||||||
|
|
||||||
|
# NOTE(lbragstad): The whole reason we need to build out a list of
|
||||||
|
# "assignments" as opposed to just using the nice list of roles we
|
||||||
|
# already have is because the add_implied_roles() method operates on a
|
||||||
|
# list of assignment dictionaries (containing role_id,
|
||||||
|
# user_id/group_id, project_id, et cetera). That method could probably
|
||||||
|
# be fixed to be more clear by operating on actual roles instead of
|
||||||
|
# just assignments.
|
||||||
|
assignments = PROVIDERS.assignment_api.add_implied_roles(assignments)
|
||||||
|
for assignment in assignments:
|
||||||
|
role = PROVIDERS.role_api.get_role(assignment['role_id'])
|
||||||
roles.append({'id': role['id'], 'name': role['name']})
|
roles.append({'id': role['id'], 'name': role['name']})
|
||||||
|
|
||||||
return roles
|
return roles
|
||||||
|
|
|
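Review bot: `all_group_roles` is dead on the new side of the third hunk: it is still initialised (`all_group_roles = []`) and filled (`all_group_roles.append(role)`) inside the group loop, but nothing reads it once the `itertools.chain(all_group_roles, user_roles)` loop is replaced by the `assignments` list, so both lines should be dropped along with the `import itertools` removal already made. A second point is duplication: `assignments` can carry the same `role_id` more than once (a role held directly and via a group, via two groups, or two roles implying the same role), and the final loop then issues one `get_role()` call per entry and appends a duplicate `{'id', 'name'}` dict to `roles`; unless `add_implied_roles()` already de-duplicates, which this hunk does not show, the loop should keep a set of role ids already emitted and skip repeats. The test change in this commit only visibly grants via `create_system_grant_for_user`, so the new group-assignment branch may be untested, though the test body continues outside its hunk. The method whose body this hunk edits starts before the hunk.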
@ -45,7 +45,6 @@ from keystone.tests.common import auth as common_auth
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import ksfixtures
|
from keystone.tests.unit import ksfixtures
|
||||||
from keystone.tests.unit import test_v3
|
from keystone.tests.unit import test_v3
|
||||||
from keystone.tests.unit import utils as test_utils
|
|
||||||
|
|
||||||
|
|
||||||
CONF = keystone.conf.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
@ -1860,11 +1859,6 @@ class TokenAPITests(object):
|
||||||
|
|
||||||
self._create_implied_role_shows_in_v3_token(True)
|
self._create_implied_role_shows_in_v3_token(True)
|
||||||
|
|
||||||
@test_utils.wip(
|
|
||||||
"Skipped until system-scoped support expanding implied roles",
|
|
||||||
expected_exception=matchers._impl.MismatchError,
|
|
||||||
bug='#1788694'
|
|
||||||
)
|
|
||||||
def test_create_implied_role_shows_in_v3_system_token(self):
|
def test_create_implied_role_shows_in_v3_system_token(self):
|
||||||
self.config_fixture.config(group='token', infer_roles=True)
|
self.config_fixture.config(group='token', infer_roles=True)
|
||||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1788694 <https://bugs.launchpad.net/keystone/+bug/1788694>`_]
|
||||||
|
System-scoped tokens now support expanding role assignments to include
|
||||||
|
implied roles in token creation and validation responses.
|