diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py
index 3c2f5e01ef..700864b189 100644
--- a/keystone/cmd/bootstrap.py
+++ b/keystone/cmd/bootstrap.py
@@ -42,6 +42,9 @@ class Bootstrapper(object):
 self.member_role_id = None
 self.member_role_name = 'member'
+ self.manager_role_id = None
+ self.manager_role_name = 'manager'
+
 self.admin_role_id = None
 self.admin_role_name = None
@@ -68,6 +71,7 @@ class Bootstrapper(object):
 self._bootstrap_admin_user()
 self._bootstrap_reader_role()
 self._bootstrap_member_role()
+ self._bootstrap_manager_role()
 self._bootstrap_admin_role()
 self._bootstrap_service_role()
 self._bootstrap_project_role_assignment()
@@ -177,10 +181,23 @@ class Bootstrapper(object):
 self.member_role_id = role['id']
 self._ensure_implied_role(self.member_role_id, self.reader_role_id)
+ def _bootstrap_manager_role(self):
+ role = self._ensure_role_exists(self.manager_role_name)
+ self.manager_role_id = role['id']
+ self._ensure_implied_role(self.manager_role_id, self.member_role_id)
+
 def _bootstrap_admin_role(self):
 role = self._ensure_role_exists(self.admin_role_name)
 self.admin_role_id = role['id']
- self._ensure_implied_role(self.admin_role_id, self.member_role_id)
+ self._ensure_implied_role(self.admin_role_id, self.manager_role_id)
+ # NOTE(dmendiza): deployments older than 2023.2 did not have a
+ # "manager" role, so we need to clean up the old admin -> member
+ # implied role
+ try:
+ PROVIDERS.role_api.delete_implied_role(self.admin_role_id,
+ self.member_role_id)
+ except exception.ImpliedRoleNotFound:
+ pass
 def _bootstrap_admin_user(self):
 # NOTE(morganfainberg): Do not create the user if it already exists.
diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
index 488a22110e..9239cac1cf 100644
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
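Review bot: `_bootstrap_manager_role` adopts any role already named 'manager' (assuming `_ensure_role_exists`, defined outside the hunk, looks the role up by name the way the reader/member bootstraps do) and `_bootstrap_admin_role` then makes admin imply it, so on a deployment where an operator had previously defined their own 'manager' role, every admin assignment now also carries whatever that custom role grants, and nothing in the new code detects or reports that case. A short comment on the new method would at least make the behaviour explicit for upgraders, e.g. `# A pre-existing role named 'manager' is reused as-is; its existing implied roles and policy rules are kept.` The legacy admin -> member removal is safe for privileges because admin still reaches member through manager, but it is performed silently: a deployer auditing role changes after the upgrade has no record that the direct implication was dropped, so consider emitting a log line next to the `except exception.ImpliedRoleNotFound: pass` branch stating whether the legacy implied role was removed or was already absent.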
@@ -186,6 +186,7 @@ class BootStrap(BaseApp):
 self.service_role_id = self.bootstrapper.service_role_id
 self.reader_role_id = self.bootstrapper.reader_role_id
 self.member_role_id = self.bootstrapper.member_role_id
+ self.manager_role_id = self.bootstrapper.manager_role_id
 self.role_id = self.bootstrapper.admin_role_id
 self.project_id = self.bootstrapper.project_id
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index d8899ff1db..e18f090fa0 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -132,22 +132,24 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
 bootstrap.username, 'default')
 admin_role = PROVIDERS.role_api.get_role(bootstrap.role_id)
- reader_role = PROVIDERS.role_api.get_role(bootstrap.reader_role_id)
+ manager_role = PROVIDERS.role_api.get_role(bootstrap.manager_role_id)
 member_role = PROVIDERS.role_api.get_role(bootstrap.member_role_id)
+ reader_role = PROVIDERS.role_api.get_role(bootstrap.reader_role_id)
 service_role = PROVIDERS.role_api.get_role(bootstrap.service_role_id)
 role_list = (
 PROVIDERS.assignment_api.get_roles_for_user_and_project(
 user['id'], project['id']))
- role_list_len = 4
+ role_list_len = 5
 if bootstrap.bootstrapper.project_name:
- role_list_len = 3
+ role_list_len = 4
 self.assertIs(role_list_len, len(role_list))
 self.assertIn(admin_role['id'], role_list)
- self.assertIn(reader_role['id'], role_list)
+ self.assertIn(manager_role['id'], role_list)
 self.assertIn(member_role['id'], role_list)
+ self.assertIn(reader_role['id'], role_list)
 if not bootstrap.bootstrapper.project_name:
 self.assertIn(service_role['id'], role_list)