yahoo-eng-team team mailing list archive

[Bug 1484577] [NEW] OS-INHERIT does not seem to work for users but works for groups

 

Public bug reported:

Using Kilo, I'm following the
http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html#what-s-new-in-version-1-1
instructions to experiment with role inheritances on projects of a
domain (not dealing with subprojects just yet).

I'm having some problem getting OS-INHERIT to work when the target of
the assignment is a user. It works if the target is a group.

I'm able to PUT a project role inheritance record but not get it back:

PUT: /v3/OS-INHERIT/domains/288b1c4d3f7b43a4b8708016d9ae3ec5/users/257cc461fde84f8aac1af1b42a7314f2/roles/daa86839ba154426ad34a95975d2d188/inherited_to_projects

(side note: I noticed though that it validates domain, roles, but not
user. The PUT succeeds if I put an invalid user.)

HEAD on the same path above returns 404.

Also, this:
GET: /v3/OS-INHERIT/domains/288b1c4d3f7b43a4b8708016d9ae3ec5/users/257cc461fde84f8aac1af1b42a7314f2/roles/inherited_to_projects

returns 200, but an empty list of roles.

So somehow, the PUT doesn't stick, I'm not sure why. Consequently, I'm
also not able to get a project token with expected roles from the domain
etc.

Interestingly, this works with groups. In other words, if I do a: 
PUT: /v3/OS-INHERIT/
domains/d
groups/g/
roles/x 

then, a user from that group g can get a project scoped token with role
x in any project of domain d.

It doesn't seem to be working when using the inherited grant on users
directly?

** Affects: keystone
     Importance: Undecided
         Status: New

** Summary changed:

- OS-INHERIT does not seem to work for users but work for groups
+ OS-INHERIT does not seem to work for users but works for groups

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1484577

Title:
  OS-INHERIT does not seem to work for users but works for groups

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484577/+subscriptions
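
Added example, not part of the original report or of Keystone's code: a read-back check for the PUT / HEAD / GET sequence described above, run against a constructed stub that replays the reported responses. The send callable and the stub are hypothetical, and the 204 returned for PUT is an assumed success code.

```python
# Added example (not Keystone code): read-back check for an inherited user grant.
from urllib.parse import quote


def inherit_paths(domain_id, user_id, role_id):
    """Build the two OS-INHERIT paths used in the report (user on a domain)."""
    q = lambda s: quote(s, safe="")
    base = f"/v3/OS-INHERIT/domains/{q(domain_id)}/users/{q(user_id)}/roles"
    return (f"{base}/{q(role_id)}/inherited_to_projects",
            f"{base}/inherited_to_projects")


def verify_inherited_grant(send, domain_id, user_id, role_id):
    """Return a list of findings; empty means the grant was stored and is readable.

    send(method, path) -> (status, parsed_json_or_None) is a hypothetical
    transport supplied by the caller, for example a thin wrapper around an
    authenticated HTTP session.
    """
    grant, listing = inherit_paths(domain_id, user_id, role_id)
    findings = []
    # The report notes that the PUT does not validate the user, so check it first.
    if send("GET", f"/v3/users/{quote(user_id, safe='')}")[0] != 200:
        findings.append("user id does not resolve")
    status, _ = send("PUT", grant)
    if not 200 <= status < 300:
        return findings + [f"PUT rejected ({status})"]
    status, _ = send("HEAD", grant)
    if not 200 <= status < 300:
        findings.append(f"HEAD after PUT returned {status}")
    status, body = send("GET", listing)
    listed = {r.get("id") for r in (body or {}).get("roles", [])}
    if status != 200 or role_id not in listed:
        findings.append("role absent from inherited_to_projects listing")
    return findings


def reported_behaviour(method, path):
    """Constructed stub replaying the responses described in the report."""
    if path.startswith("/v3/users/"):
        return 200, {"user": {}}
    # 204 for PUT is an assumed success code; HEAD 404 and the empty list are from the report.
    return {"PUT": (204, None), "HEAD": (404, None)}.get(method, (200, {"roles": []}))


if __name__ == "__main__":
    ids = ("288b1c4d3f7b43a4b8708016d9ae3ec5", "257cc461fde84f8aac1af1b42a7314f2",
           "daa86839ba154426ad34a95975d2d188")
    for finding in verify_inherited_grant(reported_behaviour, *ids):
        print(finding)
```

An empty result means the grant can be read back; it does not by itself confirm that a project-scoped token carries the role.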
