yahoo-eng-team team mailing list archive
Message #20340
[Bug 1365787] [NEW] LDAP group role assignment becomes user assignment
Public bug reported:
When I configure Keystone with the LDAP backend, creating a group role
assignment winds up being a user role assignment.
Here are the steps to recreate:
Start with devstack configured to use LDAP
$ openstack group create blktest1
+-----------+--------------------------------------------------------------------------------------+
| Field | Value |
+-----------+--------------------------------------------------------------------------------------+
| domain_id | default |
| id | 33888a7d75274497bb1e7a05fc17a748 |
| links | {u'self': u'http://192.168.122.176:5000/v3/groups/33888a7d75274497bb1e7a05fc17a748'} |
| name | blktest1 |
+-----------+--------------------------------------------------------------------------------------+
$ GROUP_ID=33888a7d75274497bb1e7a05fc17a748
$ openstack role list
| 1fbe54e498ad483cb900735715926032 | anotherrole |
$ ROLE_ID=1fbe54e498ad483cb900735715926032
$ openstack project list
| 111681b688eb4460b464745f461ad0ce | demo |
$ PROJECT_ID=111681b688eb4460b464745f461ad0ce
# Get a token since I can't find an openstack command to add role assignment...
$ curl ...
$ TOKEN=PKIZ...
# Create the GROUP role assignment
$ curl -i -X PUT -H "X-Auth-Token: $TOKEN" \
http://localhost:35357/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID
HTTP/1.1 204 No Content
# Check the results. Now it's a user role assignment.
$ openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
| Role | User | Group | Project | Domain |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 6e045e61b335473f9806460fcbf06b08 | | 4b78eb4768924d8ba492e53eecddf493 | |
| 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 | | 4b78eb4768924d8ba492e53eecddf493 | |
| 9fe2ff9ee4384b1894a90878d3e92bab | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | |
| 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | |
| 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 | | 111681b688eb4460b464745f461ad0ce | |
| 1fbe54e498ad483cb900735715926032 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | |
| 1fbe54e498ad483cb900735715926032 | 33888a7d75274497bb1e7a05fc17a748 | | 111681b688eb4460b464745f461ad0ce | |
| 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 7dee56223a5d43169ba1c5a2ac8ec412 | |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
# Also check the REST response since maybe it's in openstack command:
$ curl -H "X-Auth-Token: $TOKEN" \
http://localhost:5000/v3/role_assignments | python -mjson.tool
...
{
"links": {
"assignment": "http://192.168.122.176:5000/v3/projects/111681b688eb4460b464745f461ad0ce/users/33888a7d75274497bb1e7a05fc17a748/roles/1fbe54e498ad483cb900735715926032"
},
"role": {
"id": "1fbe54e498ad483cb900735715926032"
},
"scope": {
"project": {
"id": "111681b688eb4460b464745f461ad0ce"
}
},
"user": {
"id": "33888a7d75274497bb1e7a05fc17a748"
}
},
...
It's got user where it should be group.
** Affects: keystone
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1365787
Title:
LDAP group role assignment becomes user assignment
Status in OpenStack Identity (Keystone):
New
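
An audit check for the symptom reported above, added here as an example (it is not part of the bug report and not Keystone code): it scans a /v3/role_assignments response for entries recorded under "user" whose ID is actually a known group ID. The function name, the sample data and the top-level "role_assignments" key (elided in the report's output) are assumptions of this example.

```python
import json

# Constructed sample: the entry quoted in the report plus one ordinary user
# assignment from the same listing. The top-level key is an assumption.
SAMPLE_RESPONSE = json.dumps({
    "role_assignments": [
        {
            "links": {"assignment": "http://192.168.122.176:5000/v3/projects/"
                      "111681b688eb4460b464745f461ad0ce/users/"
                      "33888a7d75274497bb1e7a05fc17a748/roles/"
                      "1fbe54e498ad483cb900735715926032"},
            "role": {"id": "1fbe54e498ad483cb900735715926032"},
            "scope": {"project": {"id": "111681b688eb4460b464745f461ad0ce"}},
            "user": {"id": "33888a7d75274497bb1e7a05fc17a748"},
        },
        {
            "role": {"id": "1fbe54e498ad483cb900735715926032"},
            "scope": {"project": {"id": "111681b688eb4460b464745f461ad0ce"}},
            "user": {"id": "8fa4aa9d5584421eb8fa22ad01ff806a"},
        },
    ]
})

def find_misfiled_group_grants(response_text, group_ids):
    """Return assignments recorded under "user" whose ID is a known group ID."""
    findings = []
    for entry in json.loads(response_text).get("role_assignments", []):
        actor_id = entry.get("user", {}).get("id")
        if actor_id not in group_ids:
            continue  # a genuine user assignment, or a proper group entry
        scope = entry.get("scope", {})
        kind = "project" if "project" in scope else "domain"
        findings.append({
            "group_id": actor_id,
            "role_id": entry.get("role", {}).get("id"),
            "scope": (kind, scope.get(kind, {}).get("id")),
            "link_says_user": "/users/%s/" % actor_id
                              in entry.get("links", {}).get("assignment", ""),
        })
    return findings

if __name__ == "__main__":
    # Group IDs would come from the /v3/groups listing; here only blktest1.
    for f in find_misfiled_group_grants(SAMPLE_RESPONSE,
                                        {"33888a7d75274497bb1e7a05fc17a748"}):
        print(f)
```
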