Delete system role assignments from system_assignment table
This patch ensures that system role assignments are deleted from all the assignment tables in keystone after the role a user has over the system is deleted. It also makes sure that stale role assignments are deleted before the role is deleted, for deployments that are already in this state.

Closes-Bug: #1878938
Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
(cherry picked from commit c1dcbb05b4)
(cherry picked from commit b83170a386)
(cherry picked from commit 6f93063ff9)
(cherry picked from commit 7ac0891375)
(cherry picked from commit e8b477847c)
parent
353a656dc4
commit
e4e43d75d5
|
@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
|
||||||
q = q.filter_by(role_id=role_id)
|
q = q.filter_by(role_id=role_id)
|
||||||
q.delete(False)
|
q.delete(False)
|
||||||
|
|
||||||
|
with sql.session_for_write() as session:
|
||||||
|
q = session.query(SystemRoleAssignment)
|
||||||
|
q = q.filter_by(role_id=role_id)
|
||||||
|
q.delete(False)
|
||||||
|
|
||||||
def delete_domain_assignments(self, domain_id):
|
def delete_domain_assignments(self, domain_id):
|
||||||
with sql.session_for_write() as session:
|
with sql.session_for_write() as session:
|
||||||
q = session.query(RoleAssignment)
|
q = session.query(RoleAssignment)
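Review bot: The system-assignment delete is added under its own `with sql.session_for_write() as session:`, so, assuming that block is a sibling of the preceding one rather than nested (indentation is not visible on this page), the two deletes commit as separate transactions. A failure in the second would then leave exactly the stale system-scope rows this change is meant to remove. Consider issuing both queries in the existing write session, e.g. `session.query(SystemRoleAssignment).filter_by(role_id=role_id).delete(False)` right after the first `q.delete(False)`. A short comment such as `# system assignments live in a separate table and must be purged with the role` would also help the next reader. The enclosing method starts above the hunk.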
|
||||||
|
|
|
@ -4226,3 +4226,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
|
||||||
group_id,
|
group_id,
|
||||||
role['id']
|
role['id']
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_delete_role_with_system_assignments(self):
|
||||||
|
role = unit.new_role_ref()
|
||||||
|
PROVIDERS.role_api.create_role(role['id'], role)
|
||||||
|
domain = unit.new_domain_ref()
|
||||||
|
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||||
|
user = unit.new_user_ref(domain_id=domain['id'])
|
||||||
|
user = PROVIDERS.identity_api.create_user(user)
|
||||||
|
|
||||||
|
# creating a system grant for user
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
user['id'], role['id']
|
||||||
|
)
|
||||||
|
# deleting the role user has on system
|
||||||
|
PROVIDERS.role_api.delete_role(role['id'])
|
||||||
|
system_roles = PROVIDERS.assignment_api.list_role_assignments(
|
||||||
|
role_id=role['id']
|
||||||
|
)
|
||||||
|
self.assertEqual(len(system_roles), 0)
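Review bot: The only assertion goes through `list_role_assignments(role_id=role['id'])`, and nothing in this hunk shows that this call reads the system_assignment table, so the test may pass even without the driver change. Asserting on the system grant directly, e.g. `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_user(user['id']))`, would pin the behaviour the fix is about. The test also covers only a user grant; a sibling case that creates a group system grant before deleting the role would cover the other assignment type stored in the same table.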
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
[`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
|
||||||
|
Previously when a user used to have system role assignment and tries to delete
|
||||||
|
the same role, the system role assignments still existed in system_assignment
|
||||||
|
table. This causes keystone to return `HTTP 404 Not Found` errors when listing
|
||||||
|
role assignments with names (e.g., `--names` or `?include_names`).
|
||||||
|
|
||||||
|
If you are affected by this bug, you must remove stale role assignments
|
||||||
|
manually. The following is an example SQL statement you can use to fix the
|
||||||
|
issue, but you should verify it's applicability to your deployment's SQL
|
||||||
|
implementation and version.
|
||||||
|
|
||||||
|
SQL:
|
||||||
|
- delete from system_assignment where role_id not in (select id from role);
|