a226a3d8be
The role_assignment API supports a bunch of query parameters that give users flexibility when querying for role assignments. This commit exposes an issue when querying keystone for a specific role using /role_assignments?role.id={role_id}. The expected result was that the returned list would only contain role assignments for that specific role ID. The actual result is a set of role assignments with that role ID and all system role assignments.

This caused issues in tempest because tempest goes through and cleans up resources using `tearDownClass`, and it is common to remove specific roles used in the test class. The problem is that keystone queries the role assignment API for all role assignments with a specific role ID, which is the equivalent to `GET /v3/role_assignments?role.id={role_id}` when deleting a role. The list returned included false positives, which were system role assignments, resulting in revocation events getting persisted for users in those role assignments. This prevented the administrator in tempest from cleaning up the rest of the resources because the revocation event would make the token being used to do resource cleanup.

This commit exposes the bug using tests.

Change-Id: If93400be3c9d3fe8e266bb36c16accca93d77154
Partial-Bug: 1748970

api-ref/source
config-generator
devstack
doc
etc
examples/pki
httpd
keystone
keystone_tempest_plugin
playbooks/legacy
rally-jobs
releasenotes
tools
.coveragerc
.gitignore
.gitreview
.mailmap
.stestr.conf
.zuul.yaml
CONTRIBUTING.rst
HACKING.rst
LICENSE
README.rst
babel.cfg
bindep.txt
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini

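
The filtering failure described in the commit message above, as a simplified model added here for illustration; it is not keystone's code or its test suite. All names and sample data are hypothetical, and the way the buggy filter merges system assignments is an assumption chosen to reproduce the described result.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    user_id: str
    role_id: str
    scope: str  # "project", "domain" or "system"


# Constructed sample data: one assignment for the role under test, two unrelated.
ASSIGNMENTS = [
    Assignment("alice", "role-test", "project"),
    Assignment("bob", "role-member", "project"),
    Assignment("admin", "role-admin", "system"),
]


def list_assignments_buggy(assignments, role_id=None):
    """Assumed failure shape: the role filter is applied to scoped
    assignments only, and system assignments are appended unfiltered."""
    scoped = [a for a in assignments if a.scope != "system"
              and (role_id is None or a.role_id == role_id)]
    system = [a for a in assignments if a.scope == "system"]  # role_id ignored
    return scoped + system


def list_assignments_fixed(assignments, role_id=None):
    """The role filter applies to every assignment regardless of scope."""
    return [a for a in assignments if role_id is None or a.role_id == role_id]


def users_revoked_on_role_delete(list_fn, assignments, role_id):
    """Users who receive a revocation event when role_id is deleted."""
    return sorted({a.user_id for a in list_fn(assignments, role_id=role_id)})


def false_positives(list_fn, assignments, role_id):
    """Regression check: results whose role does not match the filter."""
    return [a for a in list_fn(assignments, role_id=role_id)
            if a.role_id != role_id]


if __name__ == "__main__":
    for fn in (list_assignments_buggy, list_assignments_fixed):
        print(fn.__name__,
              users_revoked_on_role_delete(fn, ASSIGNMENTS, "role-test"))
```
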
README.rst
Team and repository tags
OpenStack Keystone
Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
Developer documentation, the source of which is in doc/source/, is published at:
The API reference and documentation are available at:
The canonical client library is available at:
https://git.openstack.org/cgit/openstack/python-keystoneclient
Documentation for cloud administrators is available at:
The source of documentation for cloud administrators is available at:
Information about our team meeting is available at:
Bugs and feature requests are tracked on Launchpad at:
Future design work is tracked at:
Contributors are encouraged to join IRC (#openstack-keystone on freenode):
For information on contributing to Keystone, see CONTRIBUTING.rst.