Feature/system assignment group#796
Draft
konac-hamza wants to merge 4 commits into
feat: Add system group role assignment API
d13e0f2 to 9289461
9289461 to b3a55d7
#757 System group role assignment API
This PR covers CRUD operations for system role assignments of group actors.
When listing roles for a system group, the API was returning all system role assignments in the database instead of only those belonging to the requested group. The root cause was that `group_id` was never added to the actors filter in `list_assignments`, while `user_id` was handled correctly. With an empty actors list, the database query had no filter and returned every system assignment. The fix was adding `group_id` to the actors list the same way `user_id` is handled.

When revoking a group role assignment, the implementation was creating a revocation event with only `role_id` set and no `user_id`. This caused all tokens holding that role to be invalidated, not just tokens of users in the revoked group. This matches Python Keystone bug #1662514, which was fixed by only creating revocation events for group assignments when `revoke_by_id = true` is set in config (default: `false`). The fix adds `revoke_by_id` to the token config and skips revocation events for group assignments by default.

Known Limitations

Effective role listing with `group_id` and `effective=true` is not yet fully implemented. Python Keystone handles this case by expanding the group into its members via `list_users_in_group` and including their direct role assignments in the result. The Rust identity backend does not yet implement `list_users_in_group`, so this expansion is currently missing. This will be tracked and implemented separately.
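The two defects the description reports share a pattern worth seeing side by side: a filter that silently degrades to "no filter" when one input is dropped, and a revocation event whose missing scope widens it to every holder of a role. The Rust below is an added illustration written for this page, not code from the PR or the project; the types (`Assignment`, `ListFilter`, `RevocationEvent`, `Token`), the sample rows and the per-member event expansion used when `revoke_by_id` is enabled are all assumptions of the example.

```rust
// Added illustration, not the project's code. Models the two defects the PR
// description reports, using constructed sample data.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ActorKind { User, Group }

#[derive(Debug, Clone, PartialEq)]
pub struct Assignment {
    pub kind: ActorKind,
    pub actor_id: &'static str,
    pub role_id: &'static str,
}

/// Hypothetical query filter: at most one of the two is normally set.
#[derive(Default)]
pub struct ListFilter {
    pub user_id: Option<&'static str>,
    pub group_id: Option<&'static str>,
}

/// Constructed sample rows: one user assignment and two group assignments.
pub fn sample_db() -> Vec<Assignment> {
    vec![
        Assignment { kind: ActorKind::User,  actor_id: "alice", role_id: "admin" },
        Assignment { kind: ActorKind::Group, actor_id: "ops",   role_id: "reader" },
        Assignment { kind: ActorKind::Group, actor_id: "sec",   role_id: "admin" },
    ]
}

/// Stand-in for the database layer: an empty actor list means "no constraint",
/// which is exactly why a dropped actor id becomes a full-table result.
fn query(db: &[Assignment], actors: &[&str]) -> Vec<Assignment> {
    db.iter()
        .filter(|a| actors.is_empty() || actors.contains(&a.actor_id))
        .cloned()
        .collect()
}

/// Before the fix: only user_id is pushed, so a group_id filter produces an
/// empty actors list and every system assignment is returned.
pub fn list_assignments_before(db: &[Assignment], f: &ListFilter) -> Vec<Assignment> {
    let mut actors: Vec<&str> = Vec::new();
    if let Some(u) = f.user_id { actors.push(u); }
    query(db, &actors)
}

/// After the fix: group_id is added to the actors list the same way user_id is.
pub fn list_assignments_after(db: &[Assignment], f: &ListFilter) -> Vec<Assignment> {
    let mut actors: Vec<&str> = Vec::new();
    if let Some(u) = f.user_id { actors.push(u); }
    if let Some(g) = f.group_id { actors.push(g); }
    query(db, &actors)
}

/// A revocation event; `user_id == None` matches every token holding role_id.
#[derive(Debug, Clone, PartialEq)]
pub struct RevocationEvent {
    pub role_id: &'static str,
    pub user_id: Option<&'static str>,
}

pub struct Token { pub user_id: &'static str, pub roles: Vec<&'static str> }

/// Token validation side: a token is revoked if any event covers it.
pub fn is_revoked(token: &Token, events: &[RevocationEvent]) -> bool {
    events.iter().any(|e| {
        token.roles.contains(&e.role_id) && e.user_id.map_or(true, |u| u == token.user_id)
    })
}

/// Before the fix: revoking a group's role emitted an event with only role_id,
/// invalidating tokens of users who were never in the group.
pub fn revoke_group_role_before(role_id: &'static str) -> Vec<RevocationEvent> {
    vec![RevocationEvent { role_id, user_id: None }]
}

/// After the fix: no revocation event for a group assignment unless
/// revoke_by_id is enabled (default false). Expanding the group into one
/// per-member event when it is enabled is an assumption of this example.
pub fn revoke_group_role_after(
    role_id: &'static str,
    members: &[&'static str],
    revoke_by_id: bool,
) -> Vec<RevocationEvent> {
    if !revoke_by_id { return Vec::new(); }
    members.iter().copied().map(|m| RevocationEvent { role_id, user_id: Some(m) }).collect()
}

fn main() {
    let db = sample_db();
    let f = ListFilter { group_id: Some("ops"), ..Default::default() };
    println!("before fix: {} rows", list_assignments_before(&db, &f).len());
    println!("after fix:  {} rows", list_assignments_after(&db, &f).len());
    let alice = Token { user_id: "alice", roles: vec!["admin"] };
    println!("alice revoked by old group revoke: {}", is_revoked(&alice, &revoke_group_role_before("admin")));
}
```

The `query` helper makes the detection point explicit: any layer that treats an empty constraint list as "return everything" needs the caller to guarantee the list is populated for every filter it accepts, and a test that queries for a group id and asserts the row count is the cheapest regression guard for this class of bug.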