yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1583142] [NEW] Roles inheritance for groups is not visible in user's role assignments

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Dmitri <1583142@xxxxxxxxxxxxxxxxxx>
Date: Wed, 18 May 2016 12:16:27 -0000
Reply-to: Bug 1583142 <1583142@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

If I applied role inheritance to a group GR-A in scope of project PR-A:

/v3/OS-
INHERIT/projects/PR-A/groups/GR-A/roles/ROLE-A/inherited_to_projects

this role assignment is listed in the result of:

/v3/role_assignments?scope.project.id=PR-A&group.id=GR-A


but is not in the result of:

/v3/role_assignments?scope.project.id=PR-A&user.id=USR-A&effective

whereby USR-A is a member of the group GR-A.

BUT it is part of result of the query:

/v3/role_assignments?scope.project.id=SUB-PR-A&user.id=USR-A&effective

whereby SUB-PR-A is a child of PR-A.

I think the inherited roles assignment should be valid in the project
scope of PR-A for both groups and users.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: assignment keystone os-inherit role

** Description changed:

  If I applied role inheritance to a group GR-A in scope of project PR-A:
- {code}
- /v3/OS-INHERIT/projects/PR-A/groups/GR-A/roles/ROLE-A/inherited_to_projects 
- {code}
+ 
+ /v3/OS-
+ INHERIT/projects/PR-A/groups/GR-A/roles/ROLE-A/inherited_to_projects
+ 
  this role assignment is listed in the result of:
- {code}
+ 
  /v3/role_assignments?scope.project.id=PR-A&group.id=GR-A
- {code}
+ 
  
  but is not in the result of:
- {code}
+ 
  /v3/role_assignments?scope.project.id=PR-A&user.id=USR-A&effective
- {code}
+ 
  whereby USR-A is a member of the group GR-A.
- {code}
+ 
  BUT it is part of result of the query:
- {code}
+ 
  /v3/role_assignments?scope.project.id=SUB-PR-A&user.id=USR-A&effective
- {code}
+ 
  whereby SUB-PR-A is a child of PR-A.
  
  I think the inherited roles assignment should be valid in the project
  scope of PR-A for both groups and users.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1583142

Title:
  Roles inheritance for groups is not visible in user's role assignments

Status in OpenStack Identity (keystone):
  New

Bug description:
  If I applied role inheritance to a group GR-A in scope of project
  PR-A:

  /v3/OS-
  INHERIT/projects/PR-A/groups/GR-A/roles/ROLE-A/inherited_to_projects

  this role assignment is listed in the result of:

  /v3/role_assignments?scope.project.id=PR-A&group.id=GR-A

  
  but is not in the result of:

  /v3/role_assignments?scope.project.id=PR-A&user.id=USR-A&effective

  whereby USR-A is a member of the group GR-A.

  BUT it is part of result of the query:

  /v3/role_assignments?scope.project.id=SUB-PR-A&user.id=USR-A&effective

  whereby SUB-PR-A is a child of PR-A.

  I think the inherited roles assignment should be valid in the project
  scope of PR-A for both groups and users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1583142/+subscriptions

Follow ups

[Bug 1583142] Re: Roles inheritance for groups is not visible in user's role assignments
From: Henry Nash, 2016-05-31