
Feature/system assignment group#796

Draft
konac-hamza wants to merge 4 commits into openstack-experimental:main from konac-hamza:feature/system-assignment-group


Conversation

@konac-hamza konac-hamza (Collaborator) commented Jun 15, 2026

#757 System group role assignment API

This PR covers CRUD operations for system role assignments of group actors.

  • API endpoints and test methods are mirrored from the system user role assignment implementation
  • OPA policy rules are mirrored from the system user role policy package
  • Integration tests are implemented for all endpoints
  • The following bug is fixed in a separate commit:

When listing roles for a system group, the API was returning all system role assignments in the database instead of only those belonging to the requested group. The root cause was that group_id was never added to the actors filter in list_assignments, while user_id was handled correctly. With an empty actors list, the database query had no filter and returned every system assignment. The fix was adding group_id to the actors list the same way user_id is handled.

  • The following bug is fixed in a separate commit:

When revoking a group role assignment, the implementation was creating a revocation event with only role_id set and no user_id. This caused all tokens holding that role to be invalidated, not just tokens of users in the revoked group. This matches Python Keystone bug #1662514, which was fixed by only creating revocation events for group assignments when revoke_by_id = true is set in config (default: false). The fix adds revoke_by_id to the token config and skips revocation events for group assignments by default.

Known Limitations

Effective role listing with group_id and effective=true is not yet fully implemented. Python Keystone handles this case by expanding the group into its members via list_users_in_group and including their direct role assignments in the result. The Rust identity backend does not yet implement list_users_in_group, so this expansion is currently missing. This will be tracked and implemented separately.
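As an added illustration (not code from this PR or from the openstack-experimental project), the following Rust model reproduces the two bugs described in the post: the actors filter that dropped group_id (so an empty filter returned every system assignment) and the role-wide revocation event that was emitted for group assignments. All type and function names (Actor, Assignment, ListFilter, RevocationEvent, and so on) are hypothetical.

```rust
// Added example, not code from the PR: a small model of the two bugs described above.
// Every name here (Actor, Assignment, ListFilter, RevocationEvent, ...) is hypothetical.
#[derive(Clone, PartialEq, Debug)]
pub enum Actor { User(u32), Group(u32) }

#[derive(Clone, PartialEq, Debug)]
pub struct Assignment { pub actor: Actor, pub role_id: u32 }

#[derive(Default)]
pub struct ListFilter { pub user_id: Option<u32>, pub group_id: Option<u32> }

/// Bug: only user_id feeds the actors filter, so a group_id query builds an empty list.
pub fn actors_before(f: &ListFilter) -> Vec<Actor> {
    f.user_id.map(Actor::User).into_iter().collect()
}

/// Fix: group_id is added to the actors list the same way user_id is.
pub fn actors_after(f: &ListFilter) -> Vec<Actor> {
    let mut actors = actors_before(f);
    actors.extend(f.group_id.map(Actor::Group));
    actors
}

/// Mirrors the query semantics from the PR: an empty actors list applies no filter at all.
pub fn list_assignments(db: &[Assignment], actors: &[Actor]) -> Vec<Assignment> {
    db.iter()
        .filter(|a| actors.is_empty() || actors.contains(&a.actor))
        .cloned()
        .collect()
}

/// Revocation event; `user_id == None` is a role-wide event that hits every token with that role.
#[derive(Clone, PartialEq, Debug)]
pub struct RevocationEvent { pub user_id: Option<u32>, pub role_id: u32 }

/// Group revocations only emit an event when revoke_by_id is set (default false), as in the fix.
pub fn revocation_event(actor: &Actor, role_id: u32, revoke_by_id: bool) -> Option<RevocationEvent> {
    match actor {
        Actor::User(u) => Some(RevocationEvent { user_id: Some(*u), role_id }),
        Actor::Group(_) if revoke_by_id => Some(RevocationEvent { user_id: None, role_id }),
        Actor::Group(_) => None,
    }
}

/// A token for (user_id, role_id) is invalidated by an event matching its role and user scope.
pub fn token_revoked(event: &RevocationEvent, user_id: u32, role_id: u32) -> bool {
    event.role_id == role_id && event.user_id.map_or(true, |u| u == user_id)
}
```

Querying by group_id with `actors_before` returns the whole table, while `actors_after` returns only that group's rows; a role-wide event from `revocation_event` (when revoke_by_id is set) matches every user's token holding that role.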

@konac-hamza konac-hamza force-pushed the feature/system-assignment-group branch from d13e0f2 to 9289461 Compare June 24, 2026 21:23
@konac-hamza konac-hamza force-pushed the feature/system-assignment-group branch from 9289461 to b3a55d7 Compare June 24, 2026 21:26
@konac-hamza konac-hamza marked this pull request as draft June 24, 2026 22:17
@konac-hamza konac-hamza requested a review from gtema June 24, 2026 22:31