From 8646f40a4080eddb5f9cc58df2ce478ccfd38a77 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Tue, 13 Feb 2018 20:47:54 +0000
Subject: [PATCH] Delete system role assignments when deleting groups

Keystone removes role assignments that groups have on projects and domains when deleting groups. This should apply to system role assignments, too.

Change-Id: Iebedfcae0b77e350e5359b97fa87894af3f1c8ba
Closes-Bug: 1749267
(cherry picked from commit 5a24b96d951537fb12deb7050eb2e7dd7d40fc81)
---
 keystone/assignment/core.py | 11 +++++++++++
 keystone/tests/unit/test_v3_assignment.py | 2 --
 releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml | 5 +++++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml

diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index a750309f7e..e377b21c28 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -1042,6 +1042,17 @@ class Manager(manager.Manager):
 role_assign_list.append(new_assign)
 return role_assign_list
+ def delete_group_assignments(self, group_id):
+ # FIXME(lbragstad): This should be refactored in the Rocky release so
+ # that we can pass the group_id to the system assignment backend like
+ # we do with the project and domain assignment backend. Holding off on
+ # this because it will require an interface change to the backend,
+ # making it harder to backport for Queens RC.
+ self.driver.delete_group_assignments(group_id)
+ system_assignments = self.list_system_grants_for_group(group_id)
+ for assignment in system_assignments:
+ self.delete_system_grant_for_group(group_id, assignment['id'])
+
 def delete_tokens_for_role_assignments(self, role_id):
 assignments = self.list_role_assignments(role_id=role_id)
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index ae93166e76..ca32aadbf7 100644
--- a/keystone/tests/unit/test_v3_assignment.py
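Review bot: The new `delete_group_assignments` has no docstring, and the cleanup it performs is not atomic: the driver call removes the project and domain assignments first, then the system grants are listed and deleted one at a time, so an exception partway through the loop leaves some system role assignments for the group in place. A docstring such as `"""Remove all project, domain and system role assignments for a group; not atomic, so callers should not delete the group if this raises."""` would state that contract. The loop variable looks like it holds a role rather than an assignment, since its `['id']` is passed as the second argument to `delete_system_grant_for_group`; `for role in system_roles:` would read more accurately if so. Whether revocation or cache invalidation for the removed system grants happens inside `delete_system_grant_for_group` is not visible in this hunk and is worth confirming, because a stale system-scoped authorization is the failure mode that matters here.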
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -24,7 +24,6 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 CONF = keystone.conf.CONF
@@ -449,7 +448,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
 self.head('/auth/tokens', token=token,
 expected_status=http_client.UNAUTHORIZED)
- @test_utils.wip("Waiting on a fix for bug #1749267")
 def test_delete_group_before_removing_system_assignments_succeeds(self):
 system_role = self._create_new_role()
 group = self._create_group()
diff --git a/releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml b/releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml
new file mode 100644
index 0000000000..310247ae7b
--- /dev/null
+++ b/releasenotes/notes/bug-1749267-96153d2fa6868f67.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ [`bug 1749267 `_]
+ A group's system role assignments are removed when the group is deleted.