author | Samuel de Medeiros Queiroz <samuel@lsd.ufcg.edu.br> | 2015-03-30 19:32:47 -0300 |
---|---|---|
committer | Samuel de Medeiros Queiroz <samuel@lsd.ufcg.edu.br> | 2015-03-31 22:43:45 -0300 |
commit | 93587bf1683ae9d9e764ca51113dabe71cef7521 (patch) | |
tree | 5fa3b743215cfb7b9afcdd0a5365c73060b2ca08 | |
parent | 51317c80836ea63e4a6ca39c92c97927e8a9733e (diff) | |
download | keystone-93587bf1683ae9d9e764ca51113dabe71cef7521.tar.gz |
Fixes bug in Federation list projects endpoint
'/OS-FEDERATION/projects' and '/auth/projects'
API endpoints did not honor project inherited
group role assignments.
This patch fixed this bug.
Closes-Bug: #1424500
Change-Id: I4937289362122952d1b3e1b73c5712601c675bb4
-rw-r--r-- | keystone/assignment/core.py | 19 | ||||
-rw-r--r-- | keystone/tests/unit/test_v3_federation.py | 2 |
2 files changed, 15 insertions, 6 deletions
diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index 0f9c03e97..396ed3471 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -350,9 +350,11 @@ class Manager(manager.Manager):
 if not CONF.os_inherit.enabled:
 return self.resource_api.list_projects_from_ids(project_ids)
 
- # Inherited roles are enabled, so check to see if these groups have any
- # roles on any domain, in which case we must add in all the projects
- # in that domain.
+ # os_inherit extension is enabled, so check to see if these groups have
+ # any inherited role assignment on: i) any domain, in which case we
+ # must add in all the projects in that domain; ii) any project, in
+ # which case we must add in all the subprojects under that project in
+ # the hierarchy.
 
 domain_ids = self.driver.list_domain_ids_for_groups(
 group_ids, inherited=True)
@@ -360,8 +362,17 @@ class Manager(manager.Manager):
 project_ids_from_domains = (
 self.resource_api.list_project_ids_from_domain_ids(domain_ids))
 
+ parents_ids = self.list_project_ids_for_groups(group_ids,
+ driver_hints.Hints(),
+ inherited=True)
+
+ subproject_ids = []
+ for parent_id in parents_ids:
+ subtree = self.resource_api.list_projects_in_subtree(parent_id)
+ subproject_ids += [subproject['id'] for subproject in subtree]
+
 return self.resource_api.list_projects_from_ids(
- list(set(project_ids + project_ids_from_domains)))
+ list(set(project_ids + project_ids_from_domains + subproject_ids)))
 
 def list_role_assignments_for_role(self, role_id=None):
 # NOTE(henry-nash): Currently the efficiency of the key driver
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index d8fb8c054..e19086338 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
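Review bot: The loop added in the second hunk of keystone/assignment/core.py widens the returned project list with every id from `list_projects_in_subtree(parent_id)`, but nothing beside it says that the parent itself is deliberately left out, and `project_ids` is built above the hunk, so it is not visible here whether it already excludes inherited-only assignments. Because this list decides which projects a federated user is offered, a comment above the loop such as `# Inherited assignments apply to the subtree only; the parent itself is not added here.` would make that boundary explicit, and a test where the group has only an inherited assignment on the parent would pin it. The new call goes through `self.list_project_ids_for_groups` while the unchanged context uses `self.driver.list_domain_ids_for_groups`; presumably the manager forwards it, but `self.driver.list_project_ids_for_groups(...)` would match the surrounding code. The loop also makes one `list_projects_in_subtree` call per parent on a path that serves `/auth/projects`, which is worth a short comment if the number of inherited assignments can grow. The enclosing method starts outside the hunk.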
@@ -41,7 +41,6 @@ from keystone.tests.unit import federation_fixtures
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import mapping_fixtures
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils
 from keystone.token.providers import common as token_common
 
 
@@ -2295,7 +2294,6 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
 # The advantage would be to reduce the complexity of this test class and
 # have tests specific to this fuctionality grouped, easing readability and
 # maintenability.
- @utils.wip('waiting on bug #1424500')
 def test_list_projects_for_inherited_project_assignment(self):
 # Enable os_inherit extension
 self.config_fixture.config(group='os_inherit', enabled=True) |