Merge "Except forbidden when clearing default project IDs"

2017-08-08 23:00:17 +00:00 · 2017-08-08 23:00:17 +00:00 · 4973bfa34e
parent de5efb2348 b068d71b59
commit 4973bfa34e
2 changed files with 29 additions and 1 deletions
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@ -530,7 +530,15 @@ class Manager(manager.Manager):

        """
        project_id = payload['resource_info']
-        self.driver.unset_default_project_id(project_id)
+        try:
+            self.driver.unset_default_project_id(project_id)
+        except exception.Forbidden:
+            # NOTE(lbragstad): If the driver throws a Forbidden, it's because
+            # the driver doesn't support writes. This is the case with the
+            # in-tree LDAP implementation since it is read-only. This also
+            # ensures consistency for out-of-tree backends that might be
+            # read-only.
+            pass

    # Domain ID normalization methods
    def _set_domain_id_and_mapping(self, ref, domain_id, driver,
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@ -31,6 +31,7 @@ from keystone.common import driver_hints
 import keystone.conf
 from keystone import exception
 from keystone import identity
+from keystone.identity.backends import ldap as ldap_identity
 from keystone.identity.backends.ldap import common as common_ldap
 from keystone.identity.mapping_backends import mapping as map
 from keystone.tests import unit
@ -1723,6 +1724,25 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
        self.assertEqual('crap', user_ref['id'])
        self.assertEqual('Foo Bar', user_ref['name'])

+    def test_identity_manager_catches_forbidden_when_deleting_a_project(self):
+        # The identity API registers a callback that listens for notifications
+        # that a project has been deleted. When it receives one, it uses the ID
+        # and attempts to clear any users who have `default_project_id`
+        # attributes associated to that project. Since the LDAP backend is
+        # read-only, clearing the `default_project_id` requires a write which
+        # isn't possible.
+        project = unit.new_project_ref(
+            domain_id=CONF.identity.default_domain_id
+        )
+        project = self.resource_api.create_project(project['id'], project)
+        with mock.patch.object(
+            ldap_identity.Identity, '_disallow_write'
+        ) as mocked:
+            mocked.side_effect = exception.Forbidden()
+            self.resource_api.delete_project(project['id'])
+
+        mocked.assert_called_once()
+

 class LDAPLimitTests(unit.TestCase, identity_tests.LimitTests):
    def setUp(self):