authorZuul <zuul@review.openstack.org>2017-12-07 01:32:13 +0000
committerGerrit Code Review <review@openstack.org>2017-12-07 01:32:13 +0000
commit15ec1abca3cbe7a750af544c94759f052db6229c (patch)
treeb4d83c39d4d6d12e622ae80a5d6aac501ae7321d
parent90d739b52ba78d56f27b0c04f818ef7f6eda08fb (diff)
parent55ef19de4457b11052e45927d10742e7409c407d (diff)
Merge "Remove member role assignment"
-rw-r--r--keystone/assignment/core.py39
-rw-r--r--keystone/tests/unit/assignment/test_backends.py87
-rw-r--r--keystone/tests/unit/core.py6
-rw-r--r--keystone/tests/unit/identity/test_backends.py11
-rw-r--r--keystone/tests/unit/test_backend_ldap.py7
-rw-r--r--keystone/tests/unit/test_backend_sql.py14
-rw-r--r--keystone/tests/unit/test_v3_auth.py2
-rw-r--r--keystone/tests/unit/test_v3_resource.py8
8 files changed, 38 insertions, 136 deletions
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 1f82b74..1fa50ba 100644
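--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -162,24 +162,6 @@ class Manager(manager.Manager):
 "was already created",
 CONF.member_role_id)
 
-def add_user_to_project(self, tenant_id, user_id):
-"""Add user to a tenant by creating a default role relationship.
-
-:raises keystone.exception.ProjectNotFound: If the project doesn't
-exist.
-:raises keystone.exception.UserNotFound: If the user doesn't exist.
-
-"""
-self.resource_api.get_project(tenant_id)
-self.ensure_default_role()
-
-# now that default role exists, the add should succeed
-self.driver.add_role_to_user_and_project(
-user_id,
-tenant_id,
-CONF.member_role_id)
-COMPUTED_ASSIGNMENTS_REGION.invalidate()
-
 @notifications.role_assignment('created')
 def _add_role_to_user_and_project_adapter(self, role_id, user_id=None,
 group_id=None, domain_id=None,
@@ -200,27 +182,6 @@ class Manager(manager.Manager):
 role_id, user_id=user_id, project_id=tenant_id)
 COMPUTED_ASSIGNMENTS_REGION.invalidate()
 
-def remove_user_from_project(self, tenant_id, user_id):
-"""Remove user from a tenant.
-
-:raises keystone.exception.ProjectNotFound: If the project doesn't
-exist.
-:raises keystone.exception.UserNotFound: If the user doesn't exist.
-
-"""
-roles = self.get_roles_for_user_and_project(user_id, tenant_id)
-if not roles:
-raise exception.NotFound(tenant_id)
-for role_id in roles:
-try:
-self.driver.remove_role_from_user_and_project(user_id,
-tenant_id,
-role_id)
-except exception.RoleNotFound:
-LOG.debug("Removing role %s failed because it does not exist.",
-role_id)
-COMPUTED_ASSIGNMENTS_REGION.invalidate()
-
 # TODO(henry-nash): We might want to consider list limiting this at some
 # point in the future.
 @MEMOIZE_COMPUTED_ASSIGNMENTS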
diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py
index 30386a7..18f2595 100644
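--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -1779,86 +1779,6 @@ class AssignmentTests(AssignmentTestHelperMixin):
 user_id=self.user_foo['id'],
 source_from_group_ids=[group['id']])
 
-def test_add_user_to_project(self):
-self.assignment_api.add_user_to_project(self.tenant_baz['id'],
-self.user_foo['id'])
-tenants = self.assignment_api.list_projects_for_user(
-self.user_foo['id'])
-self.assertIn(self.tenant_baz, tenants)
-
-def test_add_user_to_project_missing_default_role(self):
-self.role_api.delete_role(CONF.member_role_id)
-self.assertRaises(exception.RoleNotFound,
-self.role_api.get_role,
-CONF.member_role_id)
-self.assignment_api.add_user_to_project(self.tenant_baz['id'],
-self.user_foo['id'])
-tenants = (
-self.assignment_api.list_projects_for_user(self.user_foo['id']))
-self.assertIn(self.tenant_baz, tenants)
-default_role = self.role_api.get_role(CONF.member_role_id)
-self.assertIsNotNone(default_role)
-
-def test_add_user_to_project_returns_not_found(self):
-self.assertRaises(exception.ProjectNotFound,
-self.assignment_api.add_user_to_project,
-uuid.uuid4().hex,
-self.user_foo['id'])
-
-def test_add_user_to_project_no_user(self):
-# If add_user_to_project and the user doesn't exist, then
-# no error.
-user_id_not_exist = uuid.uuid4().hex
-self.assignment_api.add_user_to_project(self.tenant_bar['id'],
-user_id_not_exist)
-
-def test_remove_user_from_project(self):
-self.assignment_api.add_user_to_project(self.tenant_baz['id'],
-self.user_foo['id'])
-self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
-self.user_foo['id'])
-tenants = self.assignment_api.list_projects_for_user(
-self.user_foo['id'])
-self.assertNotIn(self.tenant_baz, tenants)
-
-def test_remove_user_from_project_race_delete_role(self):
-self.assignment_api.add_user_to_project(self.tenant_baz['id'],
-self.user_foo['id'])
-self.assignment_api.add_role_to_user_and_project(
-tenant_id=self.tenant_baz['id'],
-user_id=self.user_foo['id'],
-role_id=self.role_other['id'])
-
-# Mock a race condition, delete a role after
-# get_roles_for_user_and_project() is called in
-# remove_user_from_project().
-roles = self.assignment_api.get_roles_for_user_and_project(
-self.user_foo['id'], self.tenant_baz['id'])
-self.role_api.delete_role(self.role_other['id'])
-self.assignment_api.get_roles_for_user_and_project = mock.Mock(
-return_value=roles)
-self.assignment_api.remove_user_from_project(self.tenant_baz['id'],
-self.user_foo['id'])
-tenants = self.assignment_api.list_projects_for_user(
-self.user_foo['id'])
-self.assertNotIn(self.tenant_baz, tenants)
-
-def test_remove_user_from_project_returns_not_found(self):
-self.assertRaises(exception.ProjectNotFound,
-self.assignment_api.remove_user_from_project,
-uuid.uuid4().hex,
-self.user_foo['id'])
-
-self.assertRaises(exception.UserNotFound,
-self.assignment_api.remove_user_from_project,
-self.tenant_bar['id'],
-uuid.uuid4().hex)
-
-self.assertRaises(exception.NotFound,
-self.assignment_api.remove_user_from_project,
-self.tenant_baz['id'],
-self.user_foo['id'])
-
 def test_list_user_project_ids_returns_not_found(self):
 self.assertRaises(exception.UserNotFound,
 self.assignment_api.list_projects_for_user,
@@ -1867,8 +1787,11 @@ class AssignmentTests(AssignmentTestHelperMixin):
 def test_delete_user_with_project_association(self):
 user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 user = self.identity_api.create_user(user)
-self.assignment_api.add_user_to_project(self.tenant_bar['id'],
-user['id'])
+role_member = unit.new_role_ref()
+self.role_api.create_role(role_member['id'], role_member)
+self.assignment_api.add_role_to_user_and_project(user['id'],
+self.tenant_bar['id'],
+role_member['id'])
 self.identity_api.delete_user(user['id'])
 self.assertRaises(exception.UserNotFound,
 self.assignment_api.list_projects_for_user,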
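Review bot: The three-statement setup added to test_delete_user_with_project_association (build a role ref, register it, grant it on the project) is repeated almost verbatim in the hunks for identity/test_backends.py, test_backend_ldap.py, test_backend_sql.py (both hunks) and test_v3_resource.py. A single helper on a shared test base would keep every call site in step if the grant call changes again, and each test would shrink to `role = self._grant_new_role(user['id'], self.tenant_bar['id'])`. The local name `role_member` also reads as the configured member role, although the value is a fresh ref from `unit.new_role_ref()`; a neutral name avoids that confusion. The test body continues past the end of this hunk.

```python
def _grant_new_role(self, user_id, project_id):
    """Create a throwaway role and grant it to the user on the project."""
    role = unit.new_role_ref()
    self.role_api.create_role(role['id'], role)
    self.assignment_api.add_role_to_user_and_project(
        user_id, project_id, role['id'])
    return role
```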
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index cd631d5..4f18e8f 100644
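--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
@@ -739,9 +739,11 @@ class TestCase(BaseTestCase):
 # the dict returned.
 user_copy['password'] = user['password']
 
+# fixtures.ROLES[2] is the _member_ role.
 for tenant_id in tenants:
-self.assignment_api.add_user_to_project(
-tenant_id, user_copy['id'])
+self.assignment_api.add_role_to_user_and_project(
+user_copy['id'], tenant_id, fixtures.ROLES[2]['id'])
+
 # Use the ID from the fixture as the attribute name, so
 # that our tests can easily reference each user dict, while
 # the ID in the dict will be the real public ID.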
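Review bot: `fixtures.ROLES[2]['id']` selects the member role by list position, so inserting or reordering an entry in the fixture list would silently grant a different role to every fixture user. Tests that check authorization would then pass or fail for the wrong reason, and the added comment would go stale without any failure pointing at it. Resolve the role once before the loop by a stable key instead, e.g. `member_role_id = next(r['id'] for r in fixtures.ROLES if r['name'] == '_member_')`, assuming the fixture entries carry a `name` field as the comment implies. The enclosing method starts and ends outside this hunk.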
diff --git a/keystone/tests/unit/identity/test_backends.py b/keystone/tests/unit/identity/test_backends.py
index 866ea65..64b2826 100644
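--- a/keystone/tests/unit/identity/test_backends.py
+++ b/keystone/tests/unit/identity/test_backends.py
@@ -74,8 +74,13 @@ class IdentityTests(object):
 del user['id']
 
 new_user = self.identity_api.create_user(user)
-self.assignment_api.add_user_to_project(self.tenant_baz['id'],
-new_user['id'])
+
+role_member = unit.new_role_ref()
+self.role_api.create_role(role_member['id'], role_member)
+
+self.assignment_api.add_role_to_user_and_project(new_user['id'],
+self.tenant_baz['id'],
+role_member['id'])
 user_ref = self.identity_api.authenticate(
 self.make_request(),
 user_id=new_user['id'],
@@ -89,7 +94,7 @@ class IdentityTests(object):
 role_list = self.assignment_api.get_roles_for_user_and_project(
 new_user['id'], self.tenant_baz['id'])
 self.assertEqual(1, len(role_list))
-self.assertIn(CONF.member_role_id, role_list)
+self.assertIn(role_member['id'], role_list)
 
 def test_authenticate_if_no_password_set(self):
 id_ = uuid.uuid4().hex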
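Review bot: The pair `assertEqual(1, len(role_list))` and `assertIn(role_member['id'], role_list)` in the second hunk now carries an undocumented invariant: the user holds exactly the explicitly granted role and no implicit member role. A one-line comment above the two assertions would stop a later edit from relaxing the count check, for example `# Only the explicitly granted role is expected; nothing is assigned implicitly.` The test method starts above the first hunk, so its name is not visible here.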
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index a113566..ad0f3af 100644
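--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -716,8 +716,11 @@ class BaseLDAPIdentity(LDAPTestSetup, IdentityTests, AssignmentTests,
 def test_authenticate_requires_simple_bind(self):
 user = self.new_user_ref(domain_id=CONF.identity.default_domain_id)
 user = self.identity_api.create_user(user)
-self.assignment_api.add_user_to_project(self.tenant_baz['id'],
-user['id'])
+role_member = unit.new_role_ref()
+self.role_api.create_role(role_member['id'], role_member)
+self.assignment_api.add_role_to_user_and_project(user['id'],
+self.tenant_baz['id'],
+role_member['id'])
 driver = self.identity_api._select_identity_driver(
 user['domain_id'])
 driver.user.LDAP_USER = None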
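Review bot: The added lines in test_authenticate_requires_simple_bind build the role with `unit.new_role_ref()`, while the line directly above builds the user with `self.new_user_ref(...)`, so one test now draws its ref helpers from two different places. The user helper may be overridden on this class for the LDAP backend, which the hunk does not show, so it is worth confirming that a module-level role ref is what this backend expects. The import of `unit` is also not visible in the hunk and should be checked in this module. The test body continues past the end of the hunk.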
diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py
index 334e2ab..a4f611a 100644
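--- a/keystone/tests/unit/test_backend_sql.py
+++ b/keystone/tests/unit/test_backend_sql.py
@@ -268,8 +268,11 @@ class SqlIdentity(SqlTests,
 def test_delete_user_with_project_association(self):
 user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 user = self.identity_api.create_user(user)
-self.assignment_api.add_user_to_project(self.tenant_bar['id'],
-user['id'])
+role_member = unit.new_role_ref()
+self.role_api.create_role(role_member['id'], role_member)
+self.assignment_api.add_role_to_user_and_project(user['id'],
+self.tenant_bar['id'],
+role_member['id'])
 self.identity_api.delete_user(user['id'])
 self.assertRaises(exception.UserNotFound,
 self.assignment_api.list_projects_for_user,
@@ -317,8 +320,11 @@ class SqlIdentity(SqlTests,
 def test_delete_project_with_user_association(self):
 user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 user = self.identity_api.create_user(user)
-self.assignment_api.add_user_to_project(self.tenant_bar['id'],
-user['id'])
+role_member = unit.new_role_ref()
+self.role_api.create_role(role_member['id'], role_member)
+self.assignment_api.add_role_to_user_and_project(user['id'],
+self.tenant_bar['id'],
+role_member['id'])
 self.resource_api.delete_project(self.tenant_bar['id'])
 tenants = self.assignment_api.list_projects_for_user(user['id'])
 self.assertEqual([], tenants)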
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 8eab410..85ebb13 100644
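--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -1962,8 +1962,6 @@ class TokenAPITests(object):
 self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1)
 role_group_domain1 = unit.new_role_ref()
 self.role_api.create_role(role_group_domain1['id'], role_group_domain1)
-self.assignment_api.add_user_to_project(project1['id'],
-user_foo['id'])
 new_group = unit.new_group_ref(domain_id=domain1['id'])
 new_group = self.identity_api.create_group(new_group)
 self.identity_api.add_user_to_group(user_foo['id'],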
diff --git a/keystone/tests/unit/test_v3_resource.py b/keystone/tests/unit/test_v3_resource.py
index 7325b87..2b1f3d4 100644
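--- a/keystone/tests/unit/test_v3_resource.py
+++ b/keystone/tests/unit/test_v3_resource.py
@@ -234,8 +234,12 @@ class ResourceTestCase(test_v3.RestfulTestCase,
 domain_id=domain2['id'],
 project_id=project2['id'])
 
-self.assignment_api.add_user_to_project(project2['id'],
-user2['id'])
+role_member = unit.new_role_ref()
+self.role_api.create_role(role_member['id'], role_member)
+
+self.assignment_api.add_role_to_user_and_project(user2['id'],
+project2['id'],
+role_member['id'])
 
 # First check a user in that domain can authenticate..
 auth_data = self.build_authentication_request(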