diff --git a/src/spaceone/identity/error/custom.py b/src/spaceone/identity/error/custom.py index 69c31481..fa37fadc 100644 --- a/src/spaceone/identity/error/custom.py +++ b/src/spaceone/identity/error/custom.py @@ -19,3 +19,7 @@ class ERROR_ROLE_DOES_NOT_EXIST_OF_USER(ERROR_NOT_FOUND): class ERROR_NOT_ALLOWED_TO_DELETE_ROLE_BINDING(ERROR_INVALID_ARGUMENT): _message = "Not allowed to delete role binding. (workspace_group_id = {workspace_group_id}, role_binding_id = {role_binding_id})" + + +class ERROR_ROLE_IN_USED_AT_ROLE_BINDING(ERROR_INVALID_ARGUMENT): + _message = "Role is in used at RoleBinding. (role_id = {role_id})" diff --git a/src/spaceone/identity/service/role_service.py b/src/spaceone/identity/service/role_service.py index 281dd70f..257bdd49 100644 --- a/src/spaceone/identity/service/role_service.py +++ b/src/spaceone/identity/service/role_service.py @@ -5,6 +5,8 @@ from spaceone.core.service import * from spaceone.core.service.utils import * +from spaceone.identity.error.custom import ERROR_ROLE_IN_USED_AT_ROLE_BINDING +from spaceone.identity.manager.role_binding_manager import RoleBindingManager from spaceone.identity.manager.role_manager import RoleManager from spaceone.identity.model.role.request import * from spaceone.identity.model.role.request import BasicRoleSearchQueryRequest @@ -23,6 +25,7 @@ class RoleService(BaseService): def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.role_mgr = RoleManager() + self.rb_mgr = RoleBindingManager() @transaction(permission="identity:Role.write", role_types=["DOMAIN_ADMIN"]) @convert_model @@ -133,6 +136,13 @@ def delete(self, params: RoleDeleteRequest) -> None: if role_vo.is_managed: raise ERROR_PERMISSION_DENIED() + rb_vos = self.rb_mgr.filter_role_bindings( + role_id=role_vo.role_id, domain_id=role_vo.domain_id + ) + + if rb_vos.count() > 0: + raise ERROR_ROLE_IN_USED_AT_ROLE_BINDING(role_id=role_vo.role_id) + self.role_mgr.delete_role_by_vo(role_vo) @transaction(