yahoo-eng-team team mailing list archive
Message #20564
[Bug 1366133] [NEW] User create via v3 API doesn't add _member_ role in default project
Public bug reported:

There is a discrepancy between creating users via the v2 and v3 APIs,
which I'm not sure is a bug or by design:

When creating a user via the v2 API, the _member_ role is added in their
default project, but when creating via the v3 API, despite
default_project_id being specified, it is not.

If possible, I'd like the _member_ role to always be present, as we need
a default role to delegate via trust for heat, and I'd like to move away
from using a special heat_stack_owner role as it's confusing for users:

https://review.openstack.org/#/c/119415/

-bash-4.2$ openstack --os-token foobar --os-url=http://127.0.0.1:5000/v3 --os-identity-api-version=3 user create --domain Default --project demo test123456
+--------------------+---------------------------------------------------------------------------------+
| Field | Value |
+--------------------+---------------------------------------------------------------------------------+
| default_project_id | 19d521c102844134b4c141af967d75fd |
| domain_id | default |
| enabled | True |
| id | 479882b84fed407a9bc5a95778aba85e |
| links | {u'self': u'http://192.168.0.4:5000/v3/users/479882b84fed407a9bc5a95778aba85e'} |
| name | test123456 |
+--------------------+---------------------------------------------------------------------------------+
-bash-4.2$ keystone user-create --tenant demo --name v2test123456
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | c8d14d95bec24a56b0414b41b94a9e4e |
| name | v2test123456 |
| tenantId | 19d521c102844134b4c141af967d75fd |
| username | v2test123456 |
+----------+----------------------------------+
-bash-4.2$ keystone user-role-list --tenant demo --user test123456
-bash-4.2$ keystone user-role-list --tenant demo --user v2test123456
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | c8d14d95bec24a56b0414b41b94a9e4e | 19d521c102844134b4c141af967d75fd |
+----------------------------------+----------+----------------------------------+----------------------------------+
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1366133
Title:
User create via v3 API doesn't add _member_ role in default project
Status in OpenStack Identity (Keystone):
New
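
An audit for the state reported above, added here as an example and not taken from the bug report or from Keystone: it lists users that have a default_project_id but no direct role on that project. It assumes the input lists are the parsed bodies of GET /v3/users and GET /v3/role_assignments; the function name and the sample records are constructed, reusing the IDs from the terminal session. Group-derived roles are not counted.

```python
# Constructed sample data shaped like Keystone v3 responses; the project,
# user and role IDs are the ones shown in the bug report's terminal session.
PROJECT = "19d521c102844134b4c141af967d75fd"
USERS = [  # as from GET /v3/users
    {"id": "479882b84fed407a9bc5a95778aba85e", "name": "test123456",
     "default_project_id": PROJECT},
    {"id": "c8d14d95bec24a56b0414b41b94a9e4e", "name": "v2test123456",
     "default_project_id": PROJECT},
    {"id": "constructed-user-id", "name": "nodefault"},  # no default project
]
ROLE_ASSIGNMENTS = [  # as from GET /v3/role_assignments
    {"role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"},  # _member_
     "user": {"id": "c8d14d95bec24a56b0414b41b94a9e4e"},
     "scope": {"project": {"id": PROJECT}}},
    # Domain-scoped and group assignments must not count as a direct
    # project role for the user (both records are constructed).
    {"role": {"id": "constructed-role-id"},
     "user": {"id": "479882b84fed407a9bc5a95778aba85e"},
     "scope": {"domain": {"id": "default"}}},
    {"role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"},
     "group": {"id": "constructed-group-id"},
     "scope": {"project": {"id": PROJECT}}},
]


def users_without_default_project_role(users, assignments):
    """Return names of users with no direct role on their default project."""
    granted = set()
    for a in assignments:
        user = a.get("user", {}).get("id")
        project = a.get("scope", {}).get("project", {}).get("id")
        if user and project:
            granted.add((user, project))
    missing = []
    for u in users:
        project = u.get("default_project_id")
        if project and (u["id"], project) not in granted:
            missing.append(u["name"])
    return missing


if __name__ == "__main__":
    for name in users_without_default_project_role(USERS, ROLE_ASSIGNMENTS):
        print("no role on default project:", name)
```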