Fixing bug in LDAP reconcile loop #13342
continue | ||
if role_name not in roles: | ||
roles.append(role_name) | ||
model_roles = Team.objects.filter(name__in=team_names).values_list('name', 'organization__name', *roles, named=True) |
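Review bot: the `Team.objects.filter(name__in=team_names)` call on the last line still selects by team name alone, so same-named teams from organizations outside the mapping are fetched, and discarding them is left to later code that reads `organization__name`. Consider narrowing the query to the mapped organizations as well, or add a comment here saying the extra rows are expected and where they are dropped.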
Now this query performs the same filter as before, but it returns more values so that you capture the organization name... (continuing walk-through)
if object_type == 'organization': | ||
desired_state = desired_states.get(row.name, {}) | ||
else: | ||
desired_state = desired_states.get(row.organization__name, {}).get(row.name, {}) |
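Review bot: the two branches read `desired_states` with different shapes, flat by name for organizations and nested as organization then team in the `else`, and nothing in these lines documents that. A one-line comment stating both shapes would help, along with a test in which two organizations have a team of the same name, since the `.get(row.organization__name, {}).get(row.name, {})` chain returning {} for the unmapped team is what the fix relies on.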
Here, we have the possibility that the team in question is unwanted, because it has the same name as a team listed in the configuration, but it's in another organization. In that event, desired_states should be lacking either the team's org name key or the team name key, and this should return {}
# The mapping was not defined for this [org/team]/role so we can just pass | ||
pass | ||
continue |
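Review bot: the comment above `continue` still says "so we can just pass", which no longer matches what the code does. Reword it to say the row is skipped, and if the `pass` line is still present in the final version, drop it, since `continue` makes it redundant.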
And here, where we have an unwanted "extra" team returned by the query, we hit the continue because it was not in the configuration (the desired_states). We don't remove or add the user, and that fixes the bug.
I know tests are still failing, and I don't know why, but I can follow everything here and I believe it fixes the bug.
We should add test coverage, even unit tests feel workable. But for the core code changes, I can read this and see through to the fix.
We should def add test coverage for this function.
…nsible#6265) Fixing bug in LDAP reconcile loop
SUMMARY
The LDAP reconcile loop did not account for the same team name in multiple organizations. It would add or remove the user from any team by a name (which is not unique). This change now forces the reconcile loop to consider the team along with the organization.
ISSUE TYPE
COMPONENT NAME
AWX VERSION
ADDITIONAL INFORMATION
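The difference the summary describes, as an added example that is not code from this PR or from AWX: a name-only lookup changes membership in same-named teams of other organizations, while the organization-qualified lookup leaves them alone. The `Row` type, the `has_member` field, the sample data, the shape of `DESIRED` and all function names are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed stand-in for one row of values_list(..., named=True); has_member
# is a simplification of the per-role columns the real query returns.
Row = namedtuple("Row", ["name", "organization__name", "has_member"])

# Constructed sample: "ops" exists in two organizations, "audit" only in Finance.
ROWS = [
    Row("ops", "Engineering", False),
    Row("ops", "Finance", False),
    Row("audit", "Finance", True),
]

# Assumed shape: {org: {team: {role: True to grant, False to revoke}}}.
# The mapping only mentions teams in Engineering.
DESIRED = {"Engineering": {"ops": {"member_role": True}, "audit": {"member_role": False}}}


def plan(rows, lookup, role="member_role"):
    """Return the (action, org, team) membership changes for one user."""
    changes = []
    for row in rows:
        wanted = lookup(row).get(role)
        if wanted is None:
            continue  # no mapping for this org/team/role: leave it alone
        if wanted and not row.has_member:
            changes.append(("add", row.organization__name, row.name))
        elif not wanted and row.has_member:
            changes.append(("remove", row.organization__name, row.name))
    return changes


def by_name_only(desired):
    """Model of the bug in the summary: the organization is ignored."""
    flat = {team: state for teams in desired.values() for team, state in teams.items()}
    return lambda row: flat.get(row.name, {})


def by_org_and_name(desired):
    """Organization-qualified lookup, mirroring the changed line."""
    return lambda row: desired.get(row.organization__name, {}).get(row.name, {})


if __name__ == "__main__":
    print("name only:   ", plan(ROWS, by_name_only(DESIRED)))
    print("org and name:", plan(ROWS, by_org_and_name(DESIRED)))
```

With the name-only lookup the user is added to Finance/ops and removed from Finance/audit, neither of which appears in the mapping; the organization-qualified lookup touches only Engineering/ops.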