Expose bug in /role_assignments API with system-scope
The role_assignment API supports a bunch of query parameters that
give users flexibility when querying for role assignments. This
commit exposes an issue when querying keystone for a specific role
using /role_assignments?role.id={role_id}. The expected result was
that the returned list would only contain role assignments for that
specific role ID. The actual result is a set of role assignments with
that role ID and all system role assignments.
This caused issues in tempest because tempest goes through and cleans
up resources using `tearDownClass`, and it is common to remove
specific roles used in the test class. The problem is that keystone
queries the role assignment API for all role assignments with a
specific role ID, which is the equivalent to
`GET /v3/role_assignments?role.id={role_id}` when deleting a role. The
list returned included false positives, which were system role
assignments, resulting in revocation events getting persisted for
users in those role assignments. This prevented the administrator in
tempest from cleaning up the rest of the resources because the
revocation event would make the token being used to do resource
cleanup.
This commit exposes the bug using tests.
Change-Id: If93400be3c9d3fe8e266bb36c16accca93d77154
Partial-Bug: 1748970
(cherry picked from commit a226a3d8be5ba720f149606a84df0432ec4858c7)
Reviewed: https://review.openstack.org/544095
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=752d299d58f63810136966d9dc9a6e97252c9d32
Submitter: Zuul
Branch: stable/queens
commit 752d299d58f63810136966d9dc9a6e97252c9d32
Author: Lance Bragstad <email address hidden>
Date: Tue Feb 13 16:52:57 2018 +0000
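An added example, not part of the commit or of keystone's own tests: a client-side check of a `GET /v3/role_assignments?role.id={role_id}` response that separates entries honouring the filter from the false positives the commit message describes. The sample response and all IDs are constructed, and the function names are hypothetical.

```python
# Constructed sample body for GET /v3/role_assignments?role.id=role-member.
# All IDs are made up; the layout follows the keystone v3 response format.
SAMPLE_RESPONSE = {
    "role_assignments": [
        {"role": {"id": "role-member"}, "user": {"id": "user-a"},
         "scope": {"project": {"id": "proj-1"}}},
        {"role": {"id": "role-member"}, "group": {"id": "group-x"},
         "scope": {"domain": {"id": "default"}}},
        # System assignments for other roles: the false positives.
        {"role": {"id": "role-admin"}, "user": {"id": "user-admin"},
         "scope": {"system": {"all": True}}},
        {"role": {"id": "role-reader"}, "group": {"id": "group-ops"},
         "scope": {"system": {"all": True}}},
        # A system assignment that legitimately matches the filter.
        {"role": {"id": "role-member"}, "user": {"id": "user-b"},
         "scope": {"system": {"all": True}}},
    ]
}

def actor_of(assignment):
    """Return ('user' | 'group', id) for the assignment's actor."""
    for kind in ("user", "group"):
        if kind in assignment:
            return kind, assignment[kind]["id"]
    raise ValueError("assignment has neither user nor group")

def audit_role_filter(response, role_id):
    """Split a listing into entries that honour role.id and entries that don't."""
    matching, unexpected = [], []
    for a in response.get("role_assignments", []):
        scope = next(iter(a.get("scope", {})), "unknown")  # project/domain/system
        entry = (*actor_of(a), scope, a["role"]["id"])
        (matching if a["role"]["id"] == role_id else unexpected).append(entry)
    return matching, unexpected

def wrongly_affected_users(response, role_id):
    """Users listed only through a false positive for this role filter."""
    _, unexpected = audit_role_filter(response, role_id)
    return sorted({ident for kind, ident, _, _ in unexpected if kind == "user"})

if __name__ == "__main__":
    print(audit_role_filter(SAMPLE_RESPONSE, "role-member")[1])
    print(wrongly_affected_users(SAMPLE_RESPONSE, "role-member"))
```

An empty `unexpected` list is the behaviour the commit message states as expected; any entry in it is an assignment the filter should have excluded.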