Browse Source

Delete system role assignments from system_assignment table

This patch ensures to delete the system role assignments from
all the assignment tables in keystone after deleting the role
user has over the system.

This also make sure of deleting stale role assignments before
deleting role for the deployments that are already in this state.

Closes-Bug: #1878938

Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
changes/87/731087/10
Vishakha Agarwal 1 year ago
parent
commit
c1dcbb05b4
  1. 5
      keystone/assignment/backends/sql.py
  2. 19
      keystone/tests/unit/assignment/test_backends.py
  3. 16
      releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml

5
keystone/assignment/backends/sql.py

@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
q = q.filter_by(role_id=role_id)
q.delete(False)
with sql.session_for_write() as session:
q = session.query(SystemRoleAssignment)
q = q.filter_by(role_id=role_id)
q.delete(False)
def delete_domain_assignments(self, domain_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)

19
keystone/tests/unit/assignment/test_backends.py

@ -4225,3 +4225,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
group_id,
role['id']
)
def test_delete_role_with_system_assignments(self):
role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role)
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.new_user_ref(domain_id=domain['id'])
user = PROVIDERS.identity_api.create_user(user)
# creating a system grant for user
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], role['id']
)
# deleting the role user has on system
PROVIDERS.role_api.delete_role(role['id'])
system_roles = PROVIDERS.assignment_api.list_role_assignments(
role_id=role['id']
)
self.assertEqual(len(system_roles), 0)

16
releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml

@ -0,0 +1,16 @@
---
fixes:
- |
[`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
Previously when a user used to have system role assignment and tries to delete
the same role, the system role assignments still existed in system_assignment
table. This fix ensures that deleting a role should delete all the its assignments
from every assignment table.
If you are affected by this bug, a fix in the keystone database will be
needed so we recommend to remove the stale role assignmensts before doing this
process.
SQL:
- delete from assignment where role_id not in (select id from role);
- delete from system_assignment where role_id not in (select id from role);
Loading…
Cancel
Save