diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 9d9885a0ba..a750309f7e 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -899,6 +899,10 @@ class Manager(manager.Manager):
 a['system'] = {'all': True}
 system_assignments.append(a)
+ for i, assignment in enumerate(system_assignments):
+ if role_id and role_id != assignment['role_id']:
+ system_assignments.pop(i)
+
 assignments = []
 for assignment in itertools.chain(
 project_and_domain_assignments, system_assignments):
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 96c08308ab..4468bb9f99 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -24,7 +24,6 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 CONF = keystone.conf.CONF
@@ -3592,7 +3591,6 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
 ) % {'project_id': self.project_id}
 self.get(path, expected_status=http_client.BAD_REQUEST)
- @test_utils.wip("Waiting on fix for bug #1748970")
 def test_query_for_role_id_does_not_return_system_user_roles(self):
 system_role_id = self._create_new_role()
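Review bot: The new filter loop pops from `system_assignments` while iterating it with `enumerate`, so every removal shifts the remaining items left and the element that slides into index `i` is never examined; with two adjacent non-matching system assignments the second survives and is still returned for a `role.id` query, which is the very leak bug 1748970 is meant to close. Filtering into a fresh list avoids the skip: `if role_id:` / `system_assignments = [a for a in system_assignments if a['role_id'] == role_id]` — or simply do not append non-matching assignments in the loop above that builds the list. As far as the hunk shows, the tests in this change give the user or group a single system role, so they would not catch the skipped element. The enclosing method begins and ends outside the hunk.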
@@ -3603,12 +3601,8 @@ class UserSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
 }
 self.put(member_url)
- # The user has a role on the system and on a project, but self.role_id
- # is only given to the user on the project. If we ask for role
- # assignments matching that role for that specific user, we should only
- # get one back. Instead, we get two back because the role assignment
- # API isn't filtering out system role assignments when queried for a
- # specific role.
+ # Make sure we only get one role assignment back since the system role
+ # assignment shouldn't be returned.
 path = (
 '/role_assignments?role.id=%(role_id)s&user.id=%(user_id)s'
 ) % {'role_id': self.role_id, 'user_id': self.user['id']}
@@ -3885,7 +3879,6 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
 )
 self.assertValidRoleAssignmentListResponse(response, expected_length=0)
- @test_utils.wip("Waiting on fix for bug #1748970")
 def test_query_for_role_id_does_not_return_system_group_roles(self):
 system_role_id = self._create_new_role()
 group = self._create_group()
@@ -3906,12 +3899,8 @@ class GroupSystemRoleAssignmentTestCase(test_v3.RestfulTestCase,
 )
 self.put(member_url)
- # The group has a role on the system and on a project, but self.role_id
- # is only given to the group on the project. If we ask for role
- # assignments matching that role for that specific group, we should
- # only get one back. Instead, we get two back because the role
- # assignment API isn't filtering out system role assignments when
- # queried for a specific role.
+ # Make sure we only get one role assignment back since the system role
+ # assignment shouldn't be returned.
 path = (
 '/role_assignments?role.id=%(role_id)s&group.id=%(group_id)s'
 ) % {'role_id': self.role_id, 'group_id': group['id']}
diff --git a/releasenotes/notes/bug-1748970-eb63ad2030e296f3.yaml b/releasenotes/notes/bug-1748970-eb63ad2030e296f3.yaml
new file mode 100644
index 0000000000..90f1937a7e
--- /dev/null
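Review bot: This regression test gives the user exactly one system role (the single `self.put(member_url)` above the rewritten comment) before querying by `self.role_id`, so it cannot distinguish a correct filter from the in-place `pop`-while-iterating filter added in core.py, which only misbehaves once there are two or more non-matching system assignments in a row. Assigning a second distinct system role to the user before the `GET` would make the presumably following length assertion (outside this hunk) actually pin the multi-assignment case; the group counterpart further down has the same single-role shape. Worth also stating the intent in the new comment, e.g. `# Only the project assignment for self.role_id should come back; the system role assignment must be filtered out.` The test method begins before the hunk and its assertions follow it.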
+++ b/releasenotes/notes/bug-1748970-eb63ad2030e296f3.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ [`bug 1748970 `_]
+ A bug was introduced in Queens that resulted in system role assignments
+ being returned when querying the role assignments API for a specific role.
+ The issue is fixed and the list of roles returned from
+ ``GET /v3/role_assignments?role.id={role_id}`` respects system role
+ assignments.