Delete role bindings when the workspace group is deleted

src/spaceone/identity/manager/workspace_group_manager.py

@@ -4,6 +4,7 @@
 from mongoengine import QuerySet
 from spaceone.core.manager import BaseManager
 
+from spaceone.identity.manager.role_binding_manager import RoleBindingManager
 from spaceone.identity.model.workspace_group.database import WorkspaceGroup
 
 _LOGGER = logging.getLogger(__name__)
@@ -13,6 +14,7 @@ class WorkspaceGroupManager(BaseManager):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.workspace_group_model = WorkspaceGroup
+        self.rb_mgr = RoleBindingManager()
 
     def create_workspace_group(self, params: dict) -> WorkspaceGroup:
         def _rollback(vo: WorkspaceGroup):
@@ -39,8 +41,20 @@ def _rollback(old_data):
 
         return workspace_group_vo.update(params)
 
-    @staticmethod
-    def delete_workspace_group_by_vo(workspace_group_vo: WorkspaceGroup) -> None:
+    def delete_workspace_group_by_vo(self, workspace_group_vo: WorkspaceGroup) -> None:
+        user_ids = [user["user_id"] for user in workspace_group_vo.users]
+        rb_vos = self.rb_mgr.filter_role_bindings(
+            user_id=user_ids,
+            workspace_group_id=workspace_group_vo.workspace_group_id,
+            domain_id=workspace_group_vo.domain_id,
+        )
+
+        if rb_vos.count() > 0:
+            _LOGGER.debug(
+                f"[delete_workspace_group_by_vo] Delete role bindings count with {workspace_group_vo.workspaces}: {rb_vos.count()}"
+            )
+            rb_vos.delete()
+
         workspace_group_vo.delete()
 
     # TODO: When add_users and remove_users, are user_id and role_type required?

src/spaceone/identity/service/workspace_group_service.py

@@ -3,7 +3,6 @@
 from typing import Union
 
 from spaceone.core.error import (
-    ERROR_EXIST_RESOURCE,
     ERROR_INVALID_PARAMETER,
     ERROR_NOT_FOUND,
     ERROR_PERMISSION_DENIED,
@@ -147,9 +146,6 @@ def delete(self, params: WorkspaceGroupDeleteRequest) -> None:
             params.workspace_group_id, params.domain_id
         )
 
-        if workspace_group_vo.users:
-            _LOGGER.error("Workspace Group has users. Please remove users first.")
-            raise ERROR_EXIST_RESOURCE(child="users", parent="workspace_group")
         self.workspace_group_mgr.delete_workspace_group_by_vo(workspace_group_vo)
 
     @transaction(
@@ -454,12 +450,17 @@ def remove_users(
                 raise ERROR_NOT_FOUND(key="params_user_id", value=params_user_id)
 
         workspace_group_users = [users for users in workspace_group_vo["users"]]
-        role_binding_vos = self.rb_mgr.filter_role_bindings(
+        rb_vos = self.rb_mgr.filter_role_bindings(
             user_id=params_user_ids,
             workspace_group_id=params.workspace_group_id,
             domain_id=params.domain_id,
         )
-        role_binding_vos.delete()
+
+        if rb_vos.count() > 0:
+            _LOGGER.debug(
+                f"[remove_users] Delete role bindings count with {workspace_group_vo.workspaces}: {rb_vos.count()}"
+            )
+            rb_vos.delete()
 
         params.users = []
         for user in workspace_group_users: