Merge "Delete system role assignments from system_assignment table" into stable/stein
This commit is contained in:
commit
a249bb7913
|
@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
|
||||||
q = q.filter_by(role_id=role_id)
|
q = q.filter_by(role_id=role_id)
|
||||||
q.delete(False)
|
q.delete(False)
|
||||||
|
|
||||||
|
with sql.session_for_write() as session:
|
||||||
|
q = session.query(SystemRoleAssignment)
|
||||||
|
q = q.filter_by(role_id=role_id)
|
||||||
|
q.delete(False)
|
||||||
|
|
||||||
def delete_domain_assignments(self, domain_id):
|
def delete_domain_assignments(self, domain_id):
|
||||||
with sql.session_for_write() as session:
|
with sql.session_for_write() as session:
|
||||||
q = session.query(RoleAssignment)
|
q = session.query(RoleAssignment)
|
||||||
|
|
|
@ -4226,3 +4226,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
|
||||||
group_id,
|
group_id,
|
||||||
role['id']
|
role['id']
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_delete_role_with_system_assignments(self):
|
||||||
|
role = unit.new_role_ref()
|
||||||
|
PROVIDERS.role_api.create_role(role['id'], role)
|
||||||
|
domain = unit.new_domain_ref()
|
||||||
|
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||||
|
user = unit.new_user_ref(domain_id=domain['id'])
|
||||||
|
user = PROVIDERS.identity_api.create_user(user)
|
||||||
|
|
||||||
|
# creating a system grant for user
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
user['id'], role['id']
|
||||||
|
)
|
||||||
|
# deleting the role user has on system
|
||||||
|
PROVIDERS.role_api.delete_role(role['id'])
|
||||||
|
system_roles = PROVIDERS.assignment_api.list_role_assignments(
|
||||||
|
role_id=role['id']
|
||||||
|
)
|
||||||
|
self.assertEqual(len(system_roles), 0)
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
|
||||||
|
Previously when a user used to have system role assignment and tries to delete
|
||||||
|
the same role, the system role assignments still existed in system_assignment
|
||||||
|
table. This causes keystone to return `HTTP 404 Not Found` errors when listing
|
||||||
|
role assignments with names (e.g., `--names` or `?include_names`).
|
||||||
|
|
||||||
|
If you are affected by this bug, you must remove stale role assignments
|
||||||
|
manually. The following is an example SQL statement you can use to fix the
|
||||||
|
issue, but you should verify it's applicability to your deployment's SQL
|
||||||
|
implementation and version.
|
||||||
|
|
||||||
|
SQL:
|
||||||
|
- delete from system_assignment where role_id not in (select id from role);
|
Loading…
Reference in New Issue