Merge "Fix querying role_assignment with system roles"

Zuul 2018-02-14 06:55:50 +00:00 committed by Gerrit Code Review
commit 3376bf8fda
3 changed files with 17 additions and 15 deletions


@ -899,6 +899,10 @@ class Manager(manager.Manager):
a['system'] = {'all': True}
system_assignments.append(a)
for i, assignment in enumerate(system_assignments):
if role_id and role_id != assignment['role_id']:
system_assignments.pop(i)
assignments = []
for assignment in itertools.chain(
project_and_domain_assignments, system_assignments):
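Review bot: The added loop calls `system_assignments.pop(i)` while `enumerate(system_assignments)` is still iterating the same list, so every removal shifts the next element into index `i` and that element is never checked. With two adjacent system assignments whose `role_id` differs from the filter, the second one survives and is still returned for a `role.id` query, which is the leak this change is meant to close. Filter into a new list instead: `if role_id: system_assignments = [a for a in system_assignments if a['role_id'] == role_id]`. The enclosing method begins and ends outside this hunk, so any later filtering is not visible here.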


@ -24,7 +24,6 @@ import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -3592,7 +3591,6 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
) % {'project_id': self.project_id}
self.get(path, expected_status=http_client.BAD_REQUEST)
@test_utils.wip("Waiting on fix for bug #1748970")
def test_query_for_role_id_does_not_return_system_user_roles(self):
system_role_id = self._create_new_role()
@ -3603,12 +3601,8 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
}
self.put(member_url)
# The user has a role on the system and on a project, but self.role_id
# is only given to the user on the project. If we ask for role
# assignments matching that role for that specific user, we should only
# get one back. Instead, we get two back because the role assignment
# API isn't filtering out system role assignments when queried for a
# specific role.
# Make sure we only get one role assignment back since the system role
# assignment shouldn't be returned.
path = (
'/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
) % {'role_id': self.role_id, 'user_id': self.user['id']}
@ -3885,7 +3879,6 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
)
self.assertValidRoleAssignmentListResponse(response, expected_length=0)
@test_utils.wip("Waiting on fix for bug #1748970")
def test_query_for_role_id_does_not_return_system_group_roles(self):
system_role_id = self._create_new_role()
group = self._create_group()
@ -3906,12 +3899,8 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
)
self.put(member_url)
# The group has a role on the system and on a project, but self.role_id
# is only given to the group on the project. If we ask for role
# assignments matching that role for that specific group, we should
# only get one back. Instead, we get two back because the role
# assignment API isn't filtering out system role assignments when
# queried for a specific role.
# Make sure we only get one role assignment back since the system role
# assignment shouldn't be returned.
path = (
'/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
) % {'role_id': self.role_id, 'group_id': group['id']}
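Review bot: Both re-enabled tests appear to grant only one system role (`system_role_id = self._create_new_role()`) before querying by `role.id`, so they cannot detect a filter that misses some non-matching system assignments when several are present. A variant that grants the user or group two or more system roles that differ from `self.role_id`, and still expects a single assignment back, would cover that case. The test bodies are only partly visible in these hunks, so this is inferred from the lines shown.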


@ -0,0 +1,9 @@
---
fixes:
- |
[`bug 1748970 <https://bugs.launchpad.net/keystone/+bug/1748970>`_]
A bug was introduced in Queens that resulted in system role assignments
being returned when querying the role assignments API for a specific role.
The issue is fixed and the list of roles returned from
``GET /v3/role_assignments?role.id={role_id}`` respects system role
assignments.