yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1201487] Re: listing projects for a user omits those that only have group related roles

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 02 Oct 2013 11:29:22 -0000
Reply-to: Bug 1201487 <1201487@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1201487

Title:
  listing projects for a user omits those that only have group related
  roles

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  The backend drivers currently support two (very similar) functions:

  list_user_projects() and get_projects_for_user().  Both claim to
  return the list of projects for which a user has a role on.  Neither
  take into account roles by virtue of group membership.  They are used
  in the following ways:

  uses list_user_projects() is used by:

  - The API GET /users/{user_id}/projects

  users get_projects_for_user() is used by

  - The diablo GET /users/{user_id}/roleRefs (should we still need to support this?)
  - The API GET/tenants, where you get all projects referenced the user in the token (weird)
  - An unused function the v2 controller (which we should delete)

  We should rationalize the above to use a single function in the driver
  manager (similar to the way we do get_roles_for_user_and_project() ),
  that correctly accounts for any projects for a which a user also has
  roles by virtue of group membership.

  If the os-inherit extension is installed, the above function should
  also take into account roles inherited from the domain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1201487/+subscriptions