Expose bug in /role_assignments API with system-scope
The role_assignment API supports a bunch of query parameters that
give users flexibility when querying for role assignments. This
commit exposes an issue when querying keystone for a specific role
using /role_assignments?role.id={role_id}. The expected result was
that the returned list would only contain role assignments for that
specific role ID. The actual result is a set of role assignments with
that role ID and all system role assignments.
This caused issues in tempest because tempest goes through and cleans
up resources using `tearDownClass`, and it is common to remove
specific roles used in the test class. The problem is that keystone
queries the role assignment API for all role assignments with a
specific role ID, which is the equivalent to
`GET /v3/role_assignments?role.id={role_id}` when deleting a role. The
list returned included false positives, which were system role
assignments, resulting in revocation events getting persisted for
users in those role assignments. This prevented the administrator in
tempest from cleaning up the rest of the resources because the
revocation event would make the token being used to do resource
cleanup.
Reviewed: https://review.openstack.org/544011
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a226a3d8be5ba720f149606a84df0432ec4858c7
Submitter: Zuul
Branch: master
commit a226a3d8be5ba720f149606a84df0432ec4858c7
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 16:52:57 2018 +0000
Expose bug in /role_assignments API with system-scope
The role_assignment API supports a bunch of query parameters that
give users flexibility when querying for role assignments. This
commit exposes an issue when querying keystone for a specific role
using /role_assignments?role.id={role_id}. The expected result was
that the returned list would only contain role assignments for that
specific role ID. The actual result is a set of role assignments with
that role ID and all system role assignments.
This caused issues in tempest because tempest goes through and cleans
up resources using `tearDownClass`, and it is common to remove
specific roles used in the test class. The problem is that keystone
queries the role assignment API for all role assignments with a
specific role ID, which is the equivalent to
`GET /v3/role_assignments?role.id={role_id}` when deleting a role. The
list returned included false positives, which were system role
assignments, resulting in revocation events getting persisted for
users in those role assignments. This prevented the administrator in
tempest from cleaning up the rest of the resources because the
revocation event would make the token being used to do resource
cleanup.
This commit exposes the bug using tests.
Change-Id: If93400be3c9d3fe8e266bb36c16accca93d77154
Partial-Bug: 1748970
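The following is an added example, not part of the bug report or of keystone's code. It checks a response body shaped like `GET /v3/role_assignments?role.id={role_id}` for entries that do not match the requested role, and shows which users a role delete would revoke if it trusted the unfiltered list. All IDs and the sample body are constructed, and the helper names are hypothetical.

```python
import json

# Constructed body modelling the behaviour described in the report: the
# assignments for the requested role, plus system assignments for other roles.
SAMPLE_RESPONSE = json.loads("""
{"role_assignments": [
  {"role": {"id": "role-test"}, "user": {"id": "user-a"},
   "scope": {"project": {"id": "proj-1"}}},
  {"role": {"id": "role-test"}, "group": {"id": "group-x"},
   "scope": {"domain": {"id": "dom-1"}}},
  {"role": {"id": "role-admin"}, "user": {"id": "tempest-admin"},
   "scope": {"system": {"all": true}}},
  {"role": {"id": "role-reader"}, "user": {"id": "user-b"},
   "scope": {"system": {"all": true}}}
]}
""")


def scope_kind(assignment):
    """Return 'system', 'project' or 'domain' for one assignment entry."""
    return next(iter(assignment["scope"]))


def false_positives(body, role_id):
    """Entries that should not appear in a list filtered by role.id=role_id."""
    return [a for a in body["role_assignments"] if a["role"]["id"] != role_id]


def strictly_filtered(body, role_id):
    """The expected result: only assignments that carry role_id."""
    kept = [a for a in body["role_assignments"] if a["role"]["id"] == role_id]
    return {"role_assignments": kept}


def users_hit_by_role_delete(body):
    """Users that get a revocation event if a role delete trusts this list."""
    return sorted({a["user"]["id"] for a in body["role_assignments"] if "user" in a})


if __name__ == "__main__":
    for entry in false_positives(SAMPLE_RESPONSE, "role-test"):
        print("unexpected:", scope_kind(entry), entry["role"]["id"])
    print("revoked (list as returned):", users_hit_by_role_delete(SAMPLE_RESPONSE))
    print("revoked (list filtered):   ",
          users_hit_by_role_delete(strictly_filtered(SAMPLE_RESPONSE, "role-test")))
```

In the constructed data the administrator doing the cleanup holds only a system role assignment, so it is revoked only when the false positives are trusted.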