)]}'
{"keystone/assignment/backends/sql.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1657a1b1adbee3b77558e8a1258a2c64b87bfe85","unresolved":false,"context_lines":[{"line_number":257,"context_line":"            q.delete(False)"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"    def delete_role_assignments(self, role_id):"},{"line_number":260,"context_line":"        with sql.session_for_write() as session:"},{"line_number":261,"context_line":"            q \u003d session.query(RoleAssignment)"},{"line_number":262,"context_line":"            q \u003d q.filter_by(role_id\u003drole_id)"},{"line_number":263,"context_line":"            q.delete(False)"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"    def delete_domain_assignments(self, domain_id):"},{"line_number":266,"context_line":"        with sql.session_for_write() as session:"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_d5a667ab","line":263,"range":{"start_line":260,"start_character":0,"end_line":263,"end_character":27},"updated":"2020-06-23 20:56:28.000000000","message":"We could add to this method and use a separate context manager for the SystemRoleAssignment model. If we do that, then we don\u0027t need a separate change in the manager to clean up system role assignments.","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bb27af343fac679920ac0c49a5c609a2986ca74e","unresolved":false,"context_lines":[{"line_number":257,"context_line":"            q.delete(False)"},{"line_number":258,"context_line":""},{"line_number":259,"context_line":"    def delete_role_assignments(self, role_id):"},{"line_number":260,"context_line":"        with sql.session_for_write() as session:"},{"line_number":261,"context_line":"            q \u003d session.query(RoleAssignment)"},{"line_number":262,"context_line":"            q \u003d q.filter_by(role_id\u003drole_id)"},{"line_number":263,"context_line":"            q.delete(False)"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"    def delete_domain_assignments(self, domain_id):"},{"line_number":266,"context_line":"        with sql.session_for_write() as session:"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_3c722b4a","line":263,"range":{"start_line":260,"start_character":0,"end_line":263,"end_character":27},"in_reply_to":"bf51134e_d5a667ab","updated":"2020-06-24 01:41:36.000000000","message":"Something like this might work:\n\n  def delete_role_assignments(self, role_id):\n      with sql.session_for_write() as session:\n          q \u003d session.query(RoleAssignment)\n          q \u003d q.filter_by(role_id\u003drole_id)\n          q.delete(False)\n\n      with sql.session_for_write() as session:\n          q \u003d session.query(SystemRoleAssignment)\n          q \u003d q.filter_by(role_id\u003drole_id)\n          q.delete(False)","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1657a1b1adbee3b77558e8a1258a2c64b87bfe85","unresolved":false,"context_lines":[{"line_number":350,"context_line":"                    role_id\u003drole_id, actor_id\u003dactor_id, target_id\u003dtarget_id"},{"line_number":351,"context_line":"                )"},{"line_number":352,"context_line":""},{"line_number":353,"context_line":"    def delete_system_assignments(self, role_id):"},{"line_number":354,"context_line":"        with sql.session_for_write() as session:"},{"line_number":355,"context_line":"            q \u003d session.query(SystemRoleAssignment)"},{"line_number":356,"context_line":"            q \u003d q.filter_by(role_id\u003drole_id)"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_75fddb6c","line":353,"updated":"2020-06-23 20:56:28.000000000","message":"This is adding an undocumented method to an interface (base.py). If we go this route, we need to document the new method signature in the abstract base class found in base.py.\n\nPeople who write their own assignment drivers use the interface to ensure they\u0027re providing an implementation keystone can use.","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"}],"keystone/assignment/core.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8b0ac4ca8878ffadc214c9ba325e63f03aae383b","unresolved":false,"context_lines":[{"line_number":1245,"context_line":"        assignment_type \u003d None"},{"line_number":1246,"context_line":"        return self.driver.list_system_grants("},{"line_number":1247,"context_line":"            actor_id, target_id, assignment_type"},{"line_number":1248,"context_line":"        )"},{"line_number":1249,"context_line":""},{"line_number":1250,"context_line":""},{"line_number":1251,"context_line":"class RoleManager(manager.Manager):"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_7ce303da","line":1248,"updated":"2020-06-24 01:43:55.000000000","message":"I added another method here to clean up stale role assignments: \n\n    def remove_stale_role_assignments(self):\n        role_ids \u003d [role[\u0027id\u0027] for role in PROVIDERS.role_api.list_roles()]\n        assignments \u003d self.list_role_assignments()\n        for assignment in self.list_role_assignments():\n            if assignment[\u0027role_id\u0027] not in role_ids:\n                PROVIDERS.assignment_api.delete_role_assignments(assignment[\u0027role_id\u0027])\n\n\nThis is only one possible solution, we can certainly look into other options.\n\nI invoked this from delete_role below by calling:\n\n  PROVIDERS.assignment_api.remove_stale_role_assignments()","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bb27af343fac679920ac0c49a5c609a2986ca74e","unresolved":false,"context_lines":[{"line_number":1328,"context_line":"        self.get_role.invalidate(self, role_id)"},{"line_number":1329,"context_line":"        return ret"},{"line_number":1330,"context_line":""},{"line_number":1331,"context_line":"    def delete_role(self, role_id, initiator\u003dNone):"},{"line_number":1332,"context_line":"        role \u003d self.driver.get_role(role_id)"},{"line_number":1333,"context_line":"        # Prevent deletion of immutable roles."},{"line_number":1334,"context_line":"        ro_opt.check_immutable_delete(resource_ref\u003drole,"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_7cbe63b4","line":1331,"updated":"2020-06-24 01:41:36.000000000","message":"This bug is going to be problematic for deployments that are already in this state.\n\nWhen I recreated this locally, I noticed that using ``openstack role assignment list --names`` broke because the role was removed but the assignment wasn\u0027t.\n\nAs far as I can tell, I don\u0027t think you can fix this through the keystone API. Operators would be forced to interact with SQL directly.\n\nWe might want to think about ways to mitigate that issue (e.g., pruning orphaned role assignments prior to role deletion). Or offering a way to clean up orphaned role assignments.","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1657a1b1adbee3b77558e8a1258a2c64b87bfe85","unresolved":false,"context_lines":[{"line_number":1338,"context_line":""},{"line_number":1339,"context_line":"        # Note(Vishakha): Deleting system role assignments from"},{"line_number":1340,"context_line":"        # system_assignment table."},{"line_number":1341,"context_line":"        PROVIDERS.assignment_api.delete_system_assignments(role_id)"},{"line_number":1342,"context_line":"        PROVIDERS.assignment_api._send_app_cred_notification_for_role_removal("},{"line_number":1343,"context_line":"            role_id"},{"line_number":1344,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_f59bab6f","line":1341,"range":{"start_line":1341,"start_character":33,"end_line":1341,"end_character":58},"updated":"2020-06-23 20:56:28.000000000","message":"Couldn\u0027t we update the delete_role_assignment method that\u0027s called on line 1337 instead of invoking a separate method?","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"5cd436246d17edf530ffff6f7f2840fb58ae2ddb","unresolved":false,"context_lines":[{"line_number":1338,"context_line":""},{"line_number":1339,"context_line":"        # Note(Vishakha): Deleting system role assignments from"},{"line_number":1340,"context_line":"        # system_assignment table."},{"line_number":1341,"context_line":"        PROVIDERS.assignment_api.delete_system_assignments(role_id)"},{"line_number":1342,"context_line":"        PROVIDERS.assignment_api._send_app_cred_notification_for_role_removal("},{"line_number":1343,"context_line":"            role_id"},{"line_number":1344,"context_line":"        )"}],"source_content_type":"text/x-python","patch_set":5,"id":"bf51134e_a63e0fbe","line":1341,"range":{"start_line":1341,"start_character":33,"end_line":1341,"end_character":58},"in_reply_to":"bf51134e_f59bab6f","updated":"2020-06-25 12:03:46.000000000","message":"Thanks lance for pointing this out. I thought It wouldn\u0027t be the correct way to update the existing function. That is why I decided to make a separate one same as def delete_domain_assignments and def delete_user_assignments. As per your suggestion, I think it is okay to add in the existing one, so I updated it inside delete_systems_assignments.","commit_id":"aad6021e4edfae5608a3b22f31276bb6b4d60b52"},{"author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"tag":"autogenerated:zuul:check","change_message_id":"52952e2f4d83a9ee357171cd3a44b7358692b4dc","unresolved":false,"context_lines":[{"line_number":1249,"context_line":""},{"line_number":1250,"context_line":"    def remove_stale_role_assignments(self):"},{"line_number":1251,"context_line":"        role_ids \u003d [role[\u0027id\u0027] for role in PROVIDERS.role_api.list_roles()]"},{"line_number":1252,"context_line":"        assignments \u003d self.list_role_assignments()"},{"line_number":1253,"context_line":"        for assignment in self.list_role_assignments():"},{"line_number":1254,"context_line":"            if assignment[\u0027role_id\u0027] not in role_ids:"},{"line_number":1255,"context_line":"                PROVIDERS.assignment_api.delete_role_assignments("}],"source_content_type":"text/x-python","patch_set":6,"id":"bf51134e_4541e6a8","line":1252,"updated":"2020-06-25 14:57:28.000000000","message":"pep8: F841 local variable \u0027assignments\u0027 is assigned to but never used","commit_id":"4566ce8c77c58e295a40b1c01db7403d3a0d157e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a46698feb14c36dc29ecbe8f8fe27d83002c95d8","unresolved":false,"context_lines":[{"line_number":1253,"context_line":"        for assignment in self.list_role_assignments():"},{"line_number":1254,"context_line":"            if assignment[\u0027role_id\u0027] not in role_ids:"},{"line_number":1255,"context_line":"                PROVIDERS.assignment_api.delete_role_assignments("},{"line_number":1256,"context_line":"                    assignment[\u0027role_id\u0027])"},{"line_number":1257,"context_line":""},{"line_number":1258,"context_line":""},{"line_number":1259,"context_line":"class RoleManager(manager.Manager):"}],"source_content_type":"text/x-python","patch_set":6,"id":"bf51134e_a2cc3835","line":1256,"updated":"2020-06-25 14:19:14.000000000","message":"I\u0027d like to hear what other people think about this approach.","commit_id":"4566ce8c77c58e295a40b1c01db7403d3a0d157e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"1e5d6e46b9042b3f85b3422893fda197dc6168b9","unresolved":false,"context_lines":[{"line_number":1253,"context_line":"        for assignment in self.list_role_assignments():"},{"line_number":1254,"context_line":"            if assignment[\u0027role_id\u0027] not in role_ids:"},{"line_number":1255,"context_line":"                PROVIDERS.assignment_api.delete_role_assignments("},{"line_number":1256,"context_line":"                    assignment[\u0027role_id\u0027])"},{"line_number":1257,"context_line":""},{"line_number":1258,"context_line":""},{"line_number":1259,"context_line":"class RoleManager(manager.Manager):"}],"source_content_type":"text/x-python","patch_set":6,"id":"bf51134e_8bbdcf03","line":1256,"in_reply_to":"bf51134e_6b8afb63","updated":"2020-07-14 17:37:25.000000000","message":"I understand the hesitation about having this run every time. I didn\u0027t feel entirely comfortable with adding this, but I wasn\u0027t coming up with an alternative.\n\nTo be clear, are you proposing we recommend that people fix this by modifying the database directly using SQL statements?","commit_id":"4566ce8c77c58e295a40b1c01db7403d3a0d157e"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"6ea5cfbd901632027bbb706ed205d4c93ede16fa","unresolved":false,"context_lines":[{"line_number":1253,"context_line":"        for assignment in self.list_role_assignments():"},{"line_number":1254,"context_line":"            if assignment[\u0027role_id\u0027] not in role_ids:"},{"line_number":1255,"context_line":"                PROVIDERS.assignment_api.delete_role_assignments("},{"line_number":1256,"context_line":"                    assignment[\u0027role_id\u0027])"},{"line_number":1257,"context_line":""},{"line_number":1258,"context_line":""},{"line_number":1259,"context_line":"class RoleManager(manager.Manager):"}],"source_content_type":"text/x-python","patch_set":6,"id":"bf51134e_5f6746b8","line":1256,"in_reply_to":"bf51134e_8bbdcf03","updated":"2020-07-24 12:18:47.000000000","message":"Done","commit_id":"4566ce8c77c58e295a40b1c01db7403d3a0d157e"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"203e7639a1b5573d9a009c4e4afd45c16cb364ba","unresolved":false,"context_lines":[{"line_number":1253,"context_line":"        for assignment in self.list_role_assignments():"},{"line_number":1254,"context_line":"            if assignment[\u0027role_id\u0027] not in role_ids:"},{"line_number":1255,"context_line":"                PROVIDERS.assignment_api.delete_role_assignments("},{"line_number":1256,"context_line":"                    assignment[\u0027role_id\u0027])"},{"line_number":1257,"context_line":""},{"line_number":1258,"context_line":""},{"line_number":1259,"context_line":"class RoleManager(manager.Manager):"}],"source_content_type":"text/x-python","patch_set":6,"id":"bf51134e_6b8afb63","line":1256,"in_reply_to":"bf51134e_a2cc3835","updated":"2020-07-14 17:34:04.000000000","message":"I am not in favor of having this method here. This will now run every time delete role is called, when it should be just a one-time cleanup and should never be needed again once the bug is fixed. I would prefer to omit this and instead add manual instructions to the release note on how to clean up the database. What do you think?","commit_id":"4566ce8c77c58e295a40b1c01db7403d3a0d157e"}],"releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a46698feb14c36dc29ecbe8f8fe27d83002c95d8","unresolved":false,"context_lines":[{"line_number":4,"context_line":"    [`bug 1878938 \u003chttps://bugs.launchpad.net/keystone/+bug/1878938\u003e`_]"},{"line_number":5,"context_line":"    Previously when a user used to have system role assignment and tries to delete"},{"line_number":6,"context_line":"    the same role, the system role assignments still existed in system_assignment"},{"line_number":7,"context_line":"    table. This fix ensures that deleting a role should delete all the its assignments"},{"line_number":8,"context_line":"    from every assignment table."}],"source_content_type":"text/x-yaml","patch_set":6,"id":"bf51134e_e2ebd074","line":7,"range":{"start_line":7,"start_character":16,"end_line":7,"end_character":19},"updated":"2020-06-25 14:19:14.000000000","message":"Using verbiage like \"this fix\" is excellent for commit messages, but it\u0027s not ideal for release notes since they\u0027re all rendered on a single page (the reader doesn\u0027t really know what fix we\u0027re referencing).","commit_id":"4566ce8c77c58e295a40b1c01db7403d3a0d157e"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d62700e11d7588f017fc329731820832594926dd","unresolved":false,"context_lines":[{"line_number":4,"context_line":"    [`bug 1878938 \u003chttps://bugs.launchpad.net/keystone/+bug/1878938\u003e`_]"},{"line_number":5,"context_line":"    Previously when a user used to have system role assignment and tries to delete"},{"line_number":6,"context_line":"    the same role, the system role assignments still existed in system_assignment"},{"line_number":7,"context_line":"    table. This fix ensures that deleting a role should delete all the its assignments"},{"line_number":8,"context_line":"    from every assignment table."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    If you are affected by this bug, a fix in the keystone database will be"},{"line_number":11,"context_line":"    needed so we recommend to remove the stale role assignmensts before doing this"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"1f621f24_3d4598b4","line":8,"range":{"start_line":7,"start_character":11,"end_line":8,"end_character":32},"updated":"2020-10-29 18:17:05.000000000","message":"nit: wording like this is difficult to parse in a release note because they\u0027re all rendered together, without any context about the patch referenced by \u0027this fix\u0027.\n\nWe might consider omitting this since readers of the release notes probably just want to know what to do and not how keystone fixed the issue.","commit_id":"c1dcbb05b4488f1fa3e7af4d9171d11702d94119"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d62700e11d7588f017fc329731820832594926dd","unresolved":false,"context_lines":[{"line_number":7,"context_line":"    table. This fix ensures that deleting a role should delete all the its assignments"},{"line_number":8,"context_line":"    from every assignment table."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    If you are affected by this bug, a fix in the keystone database will be"},{"line_number":11,"context_line":"    needed so we recommend to remove the stale role assignmensts before doing this"},{"line_number":12,"context_line":"    process."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    SQL:"},{"line_number":15,"context_line":"         - delete from assignment where role_id not in (select id from role);"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"1f621f24_3d4c78c6","line":12,"range":{"start_line":10,"start_character":36,"end_line":12,"end_character":12},"updated":"2020-10-29 18:17:05.000000000","message":"I would call this out explicitly and say:\n\n If you are affected by this bug, you must remove stale system role assignment manually. The following is an example SQL statement you can use to do so, but you must verify it\u0027s applicability to your deployment\u0027s SQL implementation and version.","commit_id":"c1dcbb05b4488f1fa3e7af4d9171d11702d94119"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d62700e11d7588f017fc329731820832594926dd","unresolved":false,"context_lines":[{"line_number":12,"context_line":"    process."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    SQL:"},{"line_number":15,"context_line":"         - delete from assignment where role_id not in (select id from role);"},{"line_number":16,"context_line":"         - delete from system_assignment where role_id not in (select id from role);"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"1f621f24_ddd0e4cc","line":15,"range":{"start_line":15,"start_character":9,"end_line":15,"end_character":77},"updated":"2020-10-29 18:17:05.000000000","message":"I don\u0027t think this is needed, it\u0027s implemented already.\n\nhttps://review.opendev.org/#/c/731087/10/keystone/assignment/backends/sql.py@260","commit_id":"c1dcbb05b4488f1fa3e7af4d9171d11702d94119"}]}