Add a new table for system role assignments

This commit introduces an additive only database migration for a new database table. This table will be used only for system-level role assignments instead of tacking the functionality into the existing assignment table. The reason for this is that it will be easier to implement as a separate table and it will be easier to extend functionality in the future to support more complex system role assignments. bp system-scope Change-Id: Ia0722004b7b851c46e8a72780b3acd31f16f78a6
2017-09-27 18:57:28 +00:00 · 2017-09-27 18:57:28 +00:00 · bd729623f5
parent c449172a15
commit bd729623f5
4 changed files with 106 additions and 0 deletions
--- a/keystone/common/sql/contract_repo/versions/031_contract_system_assignment_table.py
+++ b/keystone/common/sql/contract_repo/versions/031_contract_system_assignment_table.py
@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+def upgrade(migrate_engine):
+    # NOTE(lbragstad): System assignments only require additive changes.
+    pass
--- a/keystone/common/sql/data_migration_repo/versions/031_migrate_system_assignment_table.py
+++ b/keystone/common/sql/data_migration_repo/versions/031_migrate_system_assignment_table.py
@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+def upgrade(migrate_engine):
+    # NOTE(lbragstad): A migration isn't required here since system assignments
+    # are a new feature in Queens.
+    pass
--- a/keystone/common/sql/expand_repo/versions/031_expand_system_assignment_table.py
+++ b/keystone/common/sql/expand_repo/versions/031_expand_system_assignment_table.py
@ -0,0 +1,33 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import sqlalchemy as sql
+
+
+def upgrade(migrate_engine):
+    meta = sql.MetaData()
+    meta.bind = migrate_engine
+    system_assignment = sql.Table(
+        'system_assignment',
+        meta,
+        sql.Column('type', sql.String(64), nullable=False),
+        sql.Column('actor_id', sql.String(64), nullable=False),
+        sql.Column('target_id', sql.String(64), nullable=False),
+        sql.Column('role_id', sql.String(64), nullable=False),
+        sql.Column('inherited', sql.Boolean, default=False, nullable=False),
+        sql.PrimaryKeyConstraint(
+            'type', 'actor_id', 'target_id', 'role_id', 'inherited'
+        ),
+        mysql_engine='InnoDB',
+        mysql_charset='utf8'
+    )
+    system_assignment.create()
--- a/keystone/tests/unit/test_sql_upgrade.py
+++ b/keystone/tests/unit/test_sql_upgrade.py
@ -2491,6 +2491,46 @@ class FullMigration(SqlMigrateBase, unit.TestCase):

        session.close()

+    def test_migration_031_adds_system_assignment_table(self):
+        self.expand(30)
+        self.migrate(30)
+        self.contract(30)
+
+        system_assignment_table_name = 'system_assignment'
+        self.assertTableDoesNotExist(system_assignment_table_name)
+
+        self.expand(31)
+        self.migrate(31)
+        self.contract(31)
+
+        self.assertTableExists(system_assignment_table_name)
+        self.assertTableColumns(
+            system_assignment_table_name,
+            ['type', 'actor_id', 'target_id', 'role_id', 'inherited']
+        )
+
+        system_assignment_table = sqlalchemy.Table(
+            system_assignment_table_name, self.metadata, autoload=True
+        )
+
+        system_user = {
+            'type': 'UserSystem',
+            'target_id': uuid.uuid4().hex,
+            'actor_id': uuid.uuid4().hex,
+            'role_id': uuid.uuid4().hex,
+            'inherited': False
+        }
+        system_assignment_table.insert().values(system_user).execute()
+
+        system_group = {
+            'type': 'GroupSystem',
+            'target_id': uuid.uuid4().hex,
+            'actor_id': uuid.uuid4().hex,
+            'role_id': uuid.uuid4().hex,
+            'inherited': False
+        }
+        system_assignment_table.insert().values(system_group).execute()
+

 class MySQLOpportunisticFullMigration(FullMigration):
    FIXTURE = test_base.MySQLOpportunisticFixture