Expose bug in system assignment when deleting groups

Project and domain role assignment are cleaned up when deleting
groups. This commit introduces a test case that shows this isn't the
case for system role assignments. A subsequent patch will implement
a fix to make sure system role assignments are removed when groups
are deleted, to be consistent with project and domain assignments.

Change-Id: I9b452aff144fd8867cdac2f44cbcaa0d1de63a12
Partial-Bug: 1749267
This commit is contained in:
Lance Bragstad 2018-02-13 20:37:03 +00:00
parent 69b8815d04
commit 3fa997531f
1 changed files with 25 additions and 0 deletions

View File

@ -24,6 +24,7 @@ import keystone.conf
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
@ -425,6 +426,30 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.head('/auth/tokens', token=token,
expected_status=http_client.UNAUTHORIZED)
@test_utils.wip("Waiting on a fix for bug #1749267")
def test_delete_group_before_removing_system_assignments_succeeds(self):
system_role = self._create_new_role()
group = self._create_group()
path = (
'/system/groups/%(group_id)s/roles/%(role_id)s' %
{'group_id': group['id'], 'role_id': system_role}
)
self.put(path)
response = self.get('/role_assignments')
number_of_assignments = len(response.json_body['role_assignments'])
path = '/groups/%(group_id)s' % {'group_id': group['id']}
self.delete(path)
# The group with the system role assignment is a new group and only has
# one role on the system. We should expect one less role assignment in
# the list.
response = self.get('/role_assignments')
self.assertValidRoleAssignmentListResponse(
response, expected_length=number_of_assignments - 1
)
@unit.skip_if_cache_disabled('assignment')
def test_delete_grant_from_user_and_project_invalidate_cache(self):
# create a new project