
yahoo-eng-team team mailing list archive

[Bug 1484577] Re: OS-INHERIT does not seem to work for users but works for groups

 

*** This bug is a duplicate of bug 1403539 ***
    https://bugs.launchpad.net/bugs/1403539

I'm closing this defect, since it is essentially a duplicate of
https://bugs.launchpad.net/keystone/+bug/1403539.  Please re-open if you
think there is a distinct defect here.

** This bug has been marked a duplicate of bug 1403539
   Can't create both inherited and direct role assignment on same entities

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1484577

Title:
  OS-INHERIT does not seem to work for users but works for groups

Status in OpenStack Identity (keystone):
  Triaged

Bug description:
  Using Kilo, I'm following the
  http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html#what-s-new-in-version-1-1
  instructions to experiment with role inheritances on projects of a
  domain (not dealing with subprojects just yet).

  I'm having some problem getting OS-INHERIT to work when the target of
  the assignment is a user. It works if the target is a group.

  I'm able to PUT a project role inheritance record but not get it back:

  PUT: /v3/OS-INHERIT/
  domains/288b1c4d3f7b43a4b8708016d9ae3ec5/
  users/257cc461fde84f8aac1af1b42a7314f2/
  roles/daa86839ba154426ad34a95975d2d188/inherited_to_projects

  (side note: I noticed though that it validates domain, roles, but not
  user. The PUT succeeds if I put an invalid user.)

  HEAD on the same path above returns 404.

  Also, this:
  GET: /v3/OS-INHERIT/
  domains/288b1c4d3f7b43a4b8708016d9ae3ec5/
  users/257cc461fde84f8aac1af1b42a7314f2/
  roles/inherited_to_projects

  returns 200, but an empty list of roles.

  So somehow, the PUT doesn't stick, I'm not sure why. Consequently, I'm
  also not able to get a project token with expected roles from the
  domain etc.

  Interestingly, this works with groups. In other words, if I do a: 
  PUT: /v3/OS-INHERIT/
  domains/d
  groups/g/
  roles/x 

  then, a user from that group g can get a project scoped token with
  role x in any project of domain d.

  It doesn't seem to be working when using the inherited grant on users
  directly?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1484577/+subscriptions

