
yahoo-eng-team team mailing list archive

[Bug 1365787] [NEW] LDAP group role assignment becomes user assignment

 

Public bug reported:

When I configure Keystone with the LDAP backend, creating a group role
assignment winds up being a user role assignment.

Here are the steps to recreate:

Start with devstack configured to use LDAP

$ openstack group create blktest1
+-----------+--------------------------------------------------------------------------------------+
| Field     | Value                                                                                |
+-----------+--------------------------------------------------------------------------------------+
| domain_id | default                                                                              |
| id        | 33888a7d75274497bb1e7a05fc17a748                                                     |
| links     | {u'self': u'http://192.168.122.176:5000/v3/groups/33888a7d75274497bb1e7a05fc17a748'} |
| name      | blktest1                                                                             |
+-----------+--------------------------------------------------------------------------------------+

$ GROUP_ID=33888a7d75274497bb1e7a05fc17a748

$ openstack role list
| 1fbe54e498ad483cb900735715926032 | anotherrole   |

$ ROLE_ID=1fbe54e498ad483cb900735715926032

$ openstack project list
| 111681b688eb4460b464745f461ad0ce | demo               |

$ PROJECT_ID=111681b688eb4460b464745f461ad0ce

# Get a token since I can't find an openstack command to add role assignment...

$ curl ...

$ TOKEN=PKIZ...

# Create the GROUP role assignment

$ curl -i -X PUT  -H "X-Auth-Token: $TOKEN" \
 http://localhost:35357/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID
HTTP/1.1 204 No Content

# Check the results. Now it's a user role assignment.

$ openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
| Role                             | User                             | Group | Project                          | Domain |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 6e045e61b335473f9806460fcbf06b08 |       | 4b78eb4768924d8ba492e53eecddf493 |        |
| 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 |       | 4b78eb4768924d8ba492e53eecddf493 |        |
| 9fe2ff9ee4384b1894a90878d3e92bab | 8fa4aa9d5584421eb8fa22ad01ff806a |       | 111681b688eb4460b464745f461ad0ce |        |
| 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a |       | 111681b688eb4460b464745f461ad0ce |        |
| 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 |       | 111681b688eb4460b464745f461ad0ce |        |
| 1fbe54e498ad483cb900735715926032 | 8fa4aa9d5584421eb8fa22ad01ff806a |       | 111681b688eb4460b464745f461ad0ce |        |
| 1fbe54e498ad483cb900735715926032 | 33888a7d75274497bb1e7a05fc17a748 |       | 111681b688eb4460b464745f461ad0ce |        |
| 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a |       | 7dee56223a5d43169ba1c5a2ac8ec412 |        |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+

# Also check the REST response since maybe it's in openstack command:

$ curl -H "X-Auth-Token: $TOKEN" \
 http://localhost:5000/v3/role_assignments | python -mjson.tool

...
{
"links": {
    "assignment": "http://192.168.122.176:5000/v3/projects/111681b688eb4460b464745f461ad0ce/users/33888a7d75274497bb1e7a05fc17a748/roles/1fbe54e498ad483cb900735715926032"
},
"role": {
    "id": "1fbe54e498ad483cb900735715926032"
},
"scope": {
    "project": {
        "id": "111681b688eb4460b464745f461ad0ce"
    }
},
"user": {
    "id": "33888a7d75274497bb1e7a05fc17a748"
}
},
...

It's got user where it should be group.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1365787

Title:
  LDAP group role assignment becomes user assignment

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1365787/+subscriptions
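
An audit check for the symptom reported above, added here as an example (it is not part of the original report or of Keystone's code): it cross-references a /v3/role_assignments response against the group list and flags every entry stored under "user" whose ID is really a group ID. The sample responses are constructed from the IDs in the report, the function name is hypothetical, and the check assumes user and group IDs never collide in the deployment.

```python
import json

# Constructed sample responses, shaped like the output quoted in the report.
# IDs are the ones from the report; the third assignment is made up to show
# what a correctly stored group assignment looks like.
GROUPS = json.loads("""
{"groups": [{"id": "33888a7d75274497bb1e7a05fc17a748",
             "name": "blktest1", "domain_id": "default"}]}
""")
ROLE_ASSIGNMENTS = json.loads("""
{"role_assignments": [
  {"role": {"id": "1fbe54e498ad483cb900735715926032"},
   "scope": {"project": {"id": "111681b688eb4460b464745f461ad0ce"}},
   "user": {"id": "8fa4aa9d5584421eb8fa22ad01ff806a"}},
  {"role": {"id": "1fbe54e498ad483cb900735715926032"},
   "scope": {"project": {"id": "111681b688eb4460b464745f461ad0ce"}},
   "user": {"id": "33888a7d75274497bb1e7a05fc17a748"}},
  {"role": {"id": "1fbe54e498ad483cb900735715926032"},
   "scope": {"project": {"id": "7dee56223a5d43169ba1c5a2ac8ec412"}},
   "group": {"id": "33888a7d75274497bb1e7a05fc17a748"}}
]}
""")


def find_misfiled_group_assignments(assignments_doc, groups_doc):
    """Return assignments whose "user" actor is really a known group ID."""
    group_names = {g["id"]: g.get("name", "")
                   for g in groups_doc.get("groups", [])}
    findings = []
    for entry in assignments_doc.get("role_assignments", []):
        actor_id = entry.get("user", {}).get("id")
        if actor_id not in group_names:
            continue  # genuine user assignment, or a proper "group" entry
        scope = entry.get("scope", {})
        scope_type = "project" if "project" in scope else "domain"
        findings.append({
            "group_id": actor_id,
            "group_name": group_names[actor_id],
            "role_id": entry["role"]["id"],
            "scope_type": scope_type,
            "scope_id": scope.get(scope_type, {}).get("id"),
        })
    return findings


if __name__ == "__main__":
    for f in find_misfiled_group_assignments(ROLE_ASSIGNMENTS, GROUPS):
        print("group %(group_name)s (%(group_id)s) stored as user: role "
              "%(role_id)s on %(scope_type)s %(scope_id)s" % f)
```

Each finding is a grant that group members will not actually receive, so an affected deployment should re-create those assignments once the backend is fixed.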

