Using trustor's session to delete the trust

Now use admin client to delete the trust gives the error: "You are not authorized to perform the requested action: Only admin or trustor can delete a trust.: ForbiddenAction: You are not authorized to perform the requested action: Only admin or trustor can delete a trust." This patch use trustor's session to delete the trust. Change-Id: Ib673128be860f548195181a465a9dff784cdef1a
2019-01-17 15:45:56 +08:00 · 2019-01-17 15:45:56 +08:00 · ea03ab3e7c
parent 4397025f56
commit ea03ab3e7c
3 changed files with 20 additions and 12 deletions
--- a/murano/common/auth_utils.py
+++ b/murano/common/auth_utils.py
@ -118,9 +118,10 @@ def create_trust(trustee_token=None, trustee_project_id=None):
    return trust.id


-def delete_trust(trust):
-    user_client = _create_keystone_admin_client()
-    user_client.trusts.delete(trust)
+def delete_trust(session):
+    user_client = create_keystone_client(
+        token=session.token, project_id=session.project_id)
+    user_client.trusts.delete(session.trust_id)


 def _get_config_option(conf_section, option_name, default=None):
--- a/murano/common/engine.py
+++ b/murano/common/engine.py
@ -323,7 +323,7 @@ class TaskExecutor(object):
    def _delete_trust(self):
        trust_id = self._session.trust_id
        if trust_id:
-            auth_utils.delete_trust(self._session.trust_id)
+            auth_utils.delete_trust(self._session)
            self._session.system_attributes['TrustId'] = None
            self._session.trust_id = None

--- a/murano/tests/unit/common/test_auth_utils.py
+++ b/murano/tests/unit/common/test_auth_utils.py
@ -238,16 +238,23 @@ class TestAuthUtils(base.MuranoTestCase):
            role_names=mock.sentinel.role_names,
            project=mock.sentinel.project_id)

-    @mock.patch.object(
-        auth_utils, '_create_keystone_admin_client', autospec=True)
-    def test_delete_trust(self, mock_create_ks_admin_client):
-        mock_admin_client = mock.Mock()
-        mock_create_ks_admin_client.return_value = mock_admin_client
+    @mock.patch.object(auth_utils, 'create_keystone_client', autospec=True)
+    def test_delete_trust(self, mock_ks_client):
+        mock_auth_ref = mock.Mock(trust_id=mock.sentinel.trust_id,
+                                  token=mock.sentinel.token,
+                                  project_id=mock.sentinel.project_id)
+        mock_user_session = mock.Mock(**{
+            'auth.get_access.return_value': mock_auth_ref
+        })
+        mock_user_client = mock.Mock(
+            session=mock_user_session)

-        auth_utils.delete_trust(mock.sentinel.trust)
+        mock_ks_client.return_value = mock_user_client

-        mock_admin_client.trusts.delete.assert_called_once_with(
-            mock.sentinel.trust)
+        auth_utils.delete_trust(mock_auth_ref)
+
+        mock_user_client.trusts.delete.assert_called_once_with(
+            mock_auth_ref.trust_id)

    def test_get_config_option(self):
        cfg.CONF.set_override('url', 'foourl', 'murano')