Merge "Fix querying role_assignment with system roles"
commit
3376bf8fda
|
@ -899,6 +899,10 @@ class Manager(manager.Manager):
|
|||
a['system'] = {'all': True}
|
||||
system_assignments.append(a)
|
||||
|
||||
for i, assignment in enumerate(system_assignments):
|
||||
if role_id and role_id != assignment['role_id']:
|
||||
system_assignments.pop(i)
|
||||
|
||||
assignments = []
|
||||
for assignment in itertools.chain(
|
||||
project_and_domain_assignments, system_assignments):
|
||||
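Review bot: The loop after `system_assignments.append(a)`, which appears to be the added code, calls `system_assignments.pop(i)` while `enumerate` is still iterating the same list, so each removal shifts the next element into the index just visited and that element is never checked. With two adjacent system assignments whose `role_id` differs from the queried one, the second survives and is still returned from a `role.id`-filtered query, which is the disclosure this change sets out to close. Building a new list avoids the skip: `system_assignments = [a for a in system_assignments if not role_id or a['role_id'] == role_id]`. The enclosing method starts and ends outside this hunk.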
|
|
|
@ -24,7 +24,6 @@ import keystone.conf
|
|||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
@ -3592,7 +3591,6 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
) % {'project_id': self.project_id}
|
||||
self.get(path, expected_status=http_client.BAD_REQUEST)
|
||||
|
||||
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||
def test_query_for_role_id_does_not_return_system_user_roles(self):
|
||||
system_role_id = self._create_new_role()
|
||||
|
||||
|
@ -3603,12 +3601,8 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
}
|
||||
self.put(member_url)
|
||||
|
||||
# The user has a role on the system and on a project, but self.role_id
|
||||
# is only given to the user on the project. If we ask for role
|
||||
# assignments matching that role for that specific user, we should only
|
||||
# get one back. Instead, we get two back because the role assignment
|
||||
# API isn't filtering out system role assignments when queried for a
|
||||
# specific role.
|
||||
# Make sure we only get one role assignment back since the system role
|
||||
# assignment shouldn't be returned.
|
||||
path = (
|
||||
'/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
|
||||
) % {'role_id': self.role_id, 'user_id': self.user['id']}
|
||||
|
@ -3885,7 +3879,6 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
)
|
||||
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
|
||||
|
||||
@test_utils.wip("Waiting on fix for bug #1748970")
|
||||
def test_query_for_role_id_does_not_return_system_group_roles(self):
|
||||
system_role_id = self._create_new_role()
|
||||
group = self._create_group()
|
||||
|
@ -3906,12 +3899,8 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
|
|||
)
|
||||
self.put(member_url)
|
||||
|
||||
# The group has a role on the system and on a project, but self.role_id
|
||||
# is only given to the group on the project. If we ask for role
|
||||
# assignments matching that role for that specific group, we should
|
||||
# only get one back. Instead, we get two back because the role
|
||||
# assignment API isn't filtering out system role assignments when
|
||||
# queried for a specific role.
|
||||
# Make sure we only get one role assignment back since the system role
|
||||
# assignment shouldn't be returned.
|
||||
path = (
|
||||
'/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
|
||||
) % {'role_id': self.role_id, 'group_id': group['id']}
|
||||
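Review bot: Both re-enabled tests appear to create only one system role assignment (a single `system_role_id = self._create_new_role()` is visible in each), so they would still pass if the filter skipped an entry that follows a removed one. Consider granting the user, and likewise the group, a second system role before the query, so that two adjacent non-matching system assignments must both be filtered out while the single project assignment is still asserted. The test bodies continue outside the hunks shown, so check this against the full setup.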
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1748970 <https://bugs.launchpad.net/keystone/+bug/1748970>`_]
|
||||
A bug was introduced in Queens that resulted in system role assignments
|
||||
being returned when querying the role assignments API for a specific role.
|
||||
The issue is fixed and the list of roles returned from
|
||||
``GET /v3/role_assignments?role.id={role_id}`` respects system role
|
||||
assignments.
|