Comment 9 for bug 1748970

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/544011
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a226a3d8be5ba720f149606a84df0432ec4858c7
Submitter: Zuul
Branch: master

commit a226a3d8be5ba720f149606a84df0432ec4858c7
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 16:52:57 2018 +0000

    Expose bug in /role_assignments API with system-scope

    The role_assignment API supports a bunch of query parameters that
    give users flexibility when querying for role assignments. This
    commit exposes an issue when querying keystone for a specific role
    using /role_assignments?role.id={role_id}. The expected result was
    that the returned list would only contain role assignments for that
    specific role ID. The actual result is a set of role assignments with
    that role ID and all system role assignments.

    This caused issues in tempest because tempest goes through and cleans
    up resources using `tearDownClass`, and it is common to remove
    specific roles used in the test class. The problem is that keystone
    queries the role assignment API for all role assignments with a
    specific role ID, which is the equivalent to
    `GET /v3/role_assignments?role.id={role_id}` when deleting a role. The
    list returned included false positives, which were system role
    assignments, resulting in revocation events getting persisted for
    users in those role assignments. This prevented the administrator in
    tempest from cleaning up the rest of the resources because the
    revocation event would make the token being used to do resource
    cleanup.

    This commit exposes the bug using tests.

    Change-Id: If93400be3c9d3fe8e266bb36c16accca93d77154
    Partial-Bug: 1748970
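
The failure described in the commit message, as an added example that is not keystone code and not part of the original commit: a simplified model of a role.id filter that leaks system role assignments, and of how that widens the set of users revoked when a role is deleted. The data, function names and the internal shape of the buggy filter are assumptions made for illustration; only the observable result (matching assignments plus all system assignments) comes from the commit message.

```python
# Simplified model (constructed for illustration, not keystone code) of the
# /role_assignments?role.id={role_id} behaviour described in the commit message.
from collections import namedtuple

Assignment = namedtuple("Assignment", "user_id role_id scope")

# Constructed sample data: one project-scoped and two system-scoped assignments.
ASSIGNMENTS = [
    Assignment("alice", "role-member", "project:p1"),
    Assignment("admin", "role-admin", "system:all"),
    Assignment("bob", "role-reader", "system:all"),
]


def _is_system(assignment):
    return assignment.scope.startswith("system:")


def list_assignments_buggy(assignments, role_id=None):
    """Reported result: the role filter is applied to non-system assignments
    only, and every system assignment is returned regardless of its role.
    (How keystone arrived at this internally is assumed here.)"""
    non_system = [a for a in assignments if not _is_system(a)]
    if role_id is not None:
        non_system = [a for a in non_system if a.role_id == role_id]
    system = [a for a in assignments if _is_system(a)]  # never filtered
    return non_system + system


def list_assignments_expected(assignments, role_id=None):
    """Expected result: the role filter applies to every assignment."""
    return [a for a in assignments if role_id is None or a.role_id == role_id]


def users_revoked_on_role_delete(list_fn, assignments, role_id):
    """Role deletion lists assignments for the role and persists a revocation
    event for each user in the returned list."""
    return sorted({a.user_id for a in list_fn(assignments, role_id=role_id)})


def false_positives(list_fn, assignments, role_id):
    """Regression check: returned assignments whose role differs from the filter."""
    return [a for a in list_fn(assignments, role_id=role_id) if a.role_id != role_id]
```

The `false_positives` check is the assertion a regression test for this bug needs: a role-filtered listing must contain no assignment with a different role ID, system-scoped or not.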