From 55ef19de4457b11052e45927d10742e7409c407d Mon Sep 17 00:00:00 2001 From: wangxiyuan Date: Mon, 27 Nov 2017 10:46:15 +0800 Subject: [PATCH] Remove member role assignment "add_user_to_project" and "remove_user_from_project" are only used for V2. This patch removed these two useless functions. Change-Id: I94f7573997035c4395ec77eabe0d6e45ff9c3bf7 --- keystone/assignment/core.py | 39 --------- .../tests/unit/assignment/test_backends.py | 87 ++----------------- keystone/tests/unit/core.py | 6 +- keystone/tests/unit/identity/test_backends.py | 11 ++- keystone/tests/unit/test_backend_ldap.py | 7 +- keystone/tests/unit/test_backend_sql.py | 14 ++- keystone/tests/unit/test_v3_auth.py | 2 - keystone/tests/unit/test_v3_resource.py | 8 +- 8 files changed, 38 insertions(+), 136 deletions(-) diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index 1f82b74415..1fa50bab25 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py @@ -162,24 +162,6 @@ class Manager(manager.Manager): "was already created", CONF.member_role_id) - def add_user_to_project(self, tenant_id, user_id): - """Add user to a tenant by creating a default role relationship. - - :raises keystone.exception.ProjectNotFound: If the project doesn't - exist. - :raises keystone.exception.UserNotFound: If the user doesn't exist. - - """ - self.resource_api.get_project(tenant_id) - self.ensure_default_role() - - # now that default role exists, the add should succeed - self.driver.add_role_to_user_and_project( - user_id, - tenant_id, - CONF.member_role_id) - COMPUTED_ASSIGNMENTS_REGION.invalidate() - @notifications.role_assignment('created') def _add_role_to_user_and_project_adapter(self, role_id, user_id=None, group_id=None, domain_id=None, 
@@ -200,27 +182,6 @@ class Manager(manager.Manager): role_id, user_id=user_id, project_id=tenant_id) COMPUTED_ASSIGNMENTS_REGION.invalidate() - def remove_user_from_project(self, tenant_id, user_id): - """Remove user from a tenant. - - :raises keystone.exception.ProjectNotFound: If the project doesn't - exist. - :raises keystone.exception.UserNotFound: If the user doesn't exist. - - """ - roles = self.get_roles_for_user_and_project(user_id, tenant_id) - if not roles: - raise exception.NotFound(tenant_id) - for role_id in roles: - try: - self.driver.remove_role_from_user_and_project(user_id, - tenant_id, - role_id) - except exception.RoleNotFound: - LOG.debug("Removing role %s failed because it does not exist.", - role_id) - COMPUTED_ASSIGNMENTS_REGION.invalidate() - # TODO(henry-nash): We might want to consider list limiting this at some # point in the future. @MEMOIZE_COMPUTED_ASSIGNMENTS diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index 30386a7ce7..18f2595a46 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py 
@@ -1779,86 +1779,6 @@ class AssignmentTests(AssignmentTestHelperMixin): user_id=self.user_foo['id'], source_from_group_ids=[group['id']]) - def test_add_user_to_project(self): - self.assignment_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) - tenants = self.assignment_api.list_projects_for_user( - self.user_foo['id']) - self.assertIn(self.tenant_baz, tenants) - - def test_add_user_to_project_missing_default_role(self): - self.role_api.delete_role(CONF.member_role_id) - self.assertRaises(exception.RoleNotFound, - self.role_api.get_role, - CONF.member_role_id) - self.assignment_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) - tenants = ( - self.assignment_api.list_projects_for_user(self.user_foo['id'])) - self.assertIn(self.tenant_baz, tenants) - default_role = self.role_api.get_role(CONF.member_role_id) - self.assertIsNotNone(default_role) - - def test_add_user_to_project_returns_not_found(self): - self.assertRaises(exception.ProjectNotFound, - self.assignment_api.add_user_to_project, - uuid.uuid4().hex, - self.user_foo['id']) - - def test_add_user_to_project_no_user(self): - # If add_user_to_project and the user doesn't exist, then - # no error. 
- user_id_not_exist = uuid.uuid4().hex - self.assignment_api.add_user_to_project(self.tenant_bar['id'], - user_id_not_exist) - - def test_remove_user_from_project(self): - self.assignment_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) - self.assignment_api.remove_user_from_project(self.tenant_baz['id'], - self.user_foo['id']) - tenants = self.assignment_api.list_projects_for_user( - self.user_foo['id']) - self.assertNotIn(self.tenant_baz, tenants) - - def test_remove_user_from_project_race_delete_role(self): - self.assignment_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) - self.assignment_api.add_role_to_user_and_project( - tenant_id=self.tenant_baz['id'], - user_id=self.user_foo['id'], - role_id=self.role_other['id']) - - # Mock a race condition, delete a role after - # get_roles_for_user_and_project() is called in - # remove_user_from_project(). - roles = self.assignment_api.get_roles_for_user_and_project( - self.user_foo['id'], self.tenant_baz['id']) - self.role_api.delete_role(self.role_other['id']) - self.assignment_api.get_roles_for_user_and_project = mock.Mock( - return_value=roles) - self.assignment_api.remove_user_from_project(self.tenant_baz['id'], - self.user_foo['id']) - tenants = self.assignment_api.list_projects_for_user( - self.user_foo['id']) - self.assertNotIn(self.tenant_baz, tenants) - - def test_remove_user_from_project_returns_not_found(self): - self.assertRaises(exception.ProjectNotFound, - self.assignment_api.remove_user_from_project, - uuid.uuid4().hex, - self.user_foo['id']) - - self.assertRaises(exception.UserNotFound, - self.assignment_api.remove_user_from_project, - self.tenant_bar['id'], - uuid.uuid4().hex) - - self.assertRaises(exception.NotFound, - self.assignment_api.remove_user_from_project, - self.tenant_baz['id'], - self.user_foo['id']) - def test_list_user_project_ids_returns_not_found(self): self.assertRaises(exception.UserNotFound, self.assignment_api.list_projects_for_user, 
@@ -1867,8 +1787,11 @@ class AssignmentTests(AssignmentTestHelperMixin): def test_delete_user_with_project_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = self.identity_api.create_user(user) - self.assignment_api.add_user_to_project(self.tenant_bar['id'], - user['id']) + role_member = unit.new_role_ref() + self.role_api.create_role(role_member['id'], role_member) + self.assignment_api.add_role_to_user_and_project(user['id'], + self.tenant_bar['id'], + role_member['id']) self.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, self.assignment_api.list_projects_for_user, diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py index cd631d51b2..4f18e8fcfe 100644 --- a/keystone/tests/unit/core.py +++ b/keystone/tests/unit/core.py @@ -739,9 +739,11 @@ class TestCase(BaseTestCase): # the dict returned. user_copy['password'] = user['password'] + # fixtures.ROLES[2] is the _member_ role. for tenant_id in tenants: - self.assignment_api.add_user_to_project( - tenant_id, user_copy['id']) + self.assignment_api.add_role_to_user_and_project( + user_copy['id'], tenant_id, fixtures.ROLES[2]['id']) + # Use the ID from the fixture as the attribute name, so # that our tests can easily reference each user dict, while # the ID in the dict will be the real public ID. diff --git a/keystone/tests/unit/identity/test_backends.py b/keystone/tests/unit/identity/test_backends.py index 866ea6585f..64b2826df3 100644 --- a/keystone/tests/unit/identity/test_backends.py +++ b/keystone/tests/unit/identity/test_backends.py 
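Review bot: The replacement call in test_delete_user_with_project_association, `add_role_to_user_and_project(user['id'], self.tenant_bar['id'], role_member['id'])`, passes three same-typed ID strings positionally, and its (user, project, role) order is the reverse of the removed `add_user_to_project(tenant_id, user_id)`. No type check catches a transposed pair of IDs, so a slip made during this mechanical conversion would be hard to spot in review. The test deleted by this commit (test_remove_user_from_project_race_delete_role) already called this method with keywords, and I would keep that form: `add_role_to_user_and_project(user_id=user['id'], tenant_id=self.tenant_bar['id'], role_id=role_member['id'])`. The same applies to the new calls in identity/test_backends.py, test_backend_ldap.py, test_backend_sql.py and test_v3_resource.py.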
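Review bot: In keystone/tests/unit/core.py, selecting the role by position with `fixtures.ROLES[2]['id']` ties every fixture user's project role to list order, and only the added comment records that index 2 is `_member_`. If the fixture list is reordered or gains an entry at the front, users silently receive a different role and authorization-related tests can keep passing for the wrong reason. I would resolve the ID once before the `for tenant_id in tenants:` loop by a stable attribute, for example `member_role_id = next(r['id'] for r in fixtures.ROLES if r['name'] == '_member_')`, assuming each entry carries a `name` key (the fixture definitions are not part of this diff). The removed `add_user_to_project` called `ensure_default_role()` before assigning, so the new call presumably relies on the roles having been created earlier in this function, which starts outside the hunk.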
@@ -74,8 +74,13 @@ class IdentityTests(object): del user['id'] new_user = self.identity_api.create_user(user) - self.assignment_api.add_user_to_project(self.tenant_baz['id'], - new_user['id']) + + role_member = unit.new_role_ref() + self.role_api.create_role(role_member['id'], role_member) + + self.assignment_api.add_role_to_user_and_project(new_user['id'], + self.tenant_baz['id'], + role_member['id']) user_ref = self.identity_api.authenticate( self.make_request(), user_id=new_user['id'], @@ -89,7 +94,7 @@ class IdentityTests(object): role_list = self.assignment_api.get_roles_for_user_and_project( new_user['id'], self.tenant_baz['id']) self.assertEqual(1, len(role_list)) - self.assertIn(CONF.member_role_id, role_list) + self.assertIn(role_member['id'], role_list) def test_authenticate_if_no_password_set(self): id_ = uuid.uuid4().hex diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py index a113566893..ad0f3af9df 100644 --- a/keystone/tests/unit/test_backend_ldap.py +++ b/keystone/tests/unit/test_backend_ldap.py @@ -716,8 +716,11 @@ class BaseLDAPIdentity(LDAPTestSetup, IdentityTests, AssignmentTests, def test_authenticate_requires_simple_bind(self): user = self.new_user_ref(domain_id=CONF.identity.default_domain_id) user = self.identity_api.create_user(user) - self.assignment_api.add_user_to_project(self.tenant_baz['id'], - user['id']) + role_member = unit.new_role_ref() + self.role_api.create_role(role_member['id'], role_member) + self.assignment_api.add_role_to_user_and_project(user['id'], + self.tenant_baz['id'], + role_member['id']) driver = self.identity_api._select_identity_driver( user['domain_id']) driver.user.LDAP_USER = None diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py index 334e2abd83..a4f611a4d2 100644 --- a/keystone/tests/unit/test_backend_sql.py +++ b/keystone/tests/unit/test_backend_sql.py 
@@ -268,8 +268,11 @@ class SqlIdentity(SqlTests, def test_delete_user_with_project_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = self.identity_api.create_user(user) - self.assignment_api.add_user_to_project(self.tenant_bar['id'], - user['id']) + role_member = unit.new_role_ref() + self.role_api.create_role(role_member['id'], role_member) + self.assignment_api.add_role_to_user_and_project(user['id'], + self.tenant_bar['id'], + role_member['id']) self.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, self.assignment_api.list_projects_for_user, @@ -317,8 +320,11 @@ class SqlIdentity(SqlTests, def test_delete_project_with_user_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = self.identity_api.create_user(user) - self.assignment_api.add_user_to_project(self.tenant_bar['id'], - user['id']) + role_member = unit.new_role_ref() + self.role_api.create_role(role_member['id'], role_member) + self.assignment_api.add_role_to_user_and_project(user['id'], + self.tenant_bar['id'], + role_member['id']) self.resource_api.delete_project(self.tenant_bar['id']) tenants = self.assignment_api.list_projects_for_user(user['id']) self.assertEqual([], tenants) diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 24655ae827..755b12a67f 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -1962,8 +1962,6 @@ class TokenAPITests(object): self.role_api.create_role(role_foo_domain1['id'], role_foo_domain1) role_group_domain1 = unit.new_role_ref() self.role_api.create_role(role_group_domain1['id'], role_group_domain1) - self.assignment_api.add_user_to_project(project1['id'], - user_foo['id']) new_group = unit.new_group_ref(domain_id=domain1['id']) new_group = self.identity_api.create_group(new_group) self.identity_api.add_user_to_group(user_foo['id'], 
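Review bot: The three statements `role_member = unit.new_role_ref()`, `self.role_api.create_role(role_member['id'], role_member)` and the `add_role_to_user_and_project(...)` call are pasted into both test_delete_user_with_project_association and test_delete_project_with_user_association in test_backend_sql.py, and into four more tests elsewhere in this commit. A small helper on the shared test base would keep the argument order in one place: it would take a user ID and a project ID, create a fresh role, assign it and return the role ID. Each test would then read `role_id = self._assign_new_role(user['id'], self.tenant_bar['id'])`, where the helper name is only a suggestion. Both test bodies continue outside their hunks.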
diff --git a/keystone/tests/unit/test_v3_resource.py b/keystone/tests/unit/test_v3_resource.py index 7325b87c7b..2b1f3d4221 100644 --- a/keystone/tests/unit/test_v3_resource.py +++ b/keystone/tests/unit/test_v3_resource.py @@ -234,8 +234,12 @@ class ResourceTestCase(test_v3.RestfulTestCase, domain_id=domain2['id'], project_id=project2['id']) - self.assignment_api.add_user_to_project(project2['id'], - user2['id']) + role_member = unit.new_role_ref() + self.role_api.create_role(role_member['id'], role_member) + + self.assignment_api.add_role_to_user_and_project(user2['id'], + project2['id'], + role_member['id']) # First check a user in that domain can authenticate.. auth_data = self.build_authentication_request(