yahoo-eng-team team mailing list archive
Message #58524
[Bug 1640483] [NEW] list of inherited role assignments to a project hierarchy does not contain the assignee/root project for users
Public bug reported:
Hi all,
I have a role R, group G with user U and a project P with a child project CP.
If I call:
(1) PUT /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects
and validate it with:
(2) HEAD /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects
everything seems to be fine.
But if I query the user role assignments in scope of P
(3) GET /v3/role_assignments?scope.project.id=P_id&user.id=U_id&effective
the result list is empty.
If I change the scope param to the child project id:
(4) GET /v3/role_assignments?scope.project.id=CP_id&user.id=U_id&effective
I get one role assignment list:
{
  "role_assignments": [
    {
      "scope": {
        "project": {
          "id": "CP_id"
        },
        "OS-INHERIT:inherited_to": "projects"
      },
      "role": {
        "id": "R_id"
      },
      "user": {
        "id": "U_id"
      },
      "links": {
        "assignment": ".../v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects",
        "membership": ".../v3/groups/G_id/users/U_id"
      }
    }
  ]
}
My questions:
- Did I misunderstand the sentence
"The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects)." resp. its "anchored to a project"
(http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=list-effective-role-assignments-detail,list-domains-detail,list-user-s-inherited-project-roles-on-project-detail,assign-role-to-group-on-projects-owned-by-a-domain-detail,assign-role-to-group-on-projects-in-a-subtree-detail#)
- Why is there no role assignment to P created by (1)? Is P not part of the inheritance?
I think it is a bug.
Regards
** Affects: keystone
Importance: Undecided
Status: New
** Description changed:
Hi all,
I have a role R, group G with user U and a project P with a child project CP.
If I call:
(1) PUT /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects
and validate it with:
(2)HEAD /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects
everything seems to be fine.
But if I query the user role assignments in scope of P
(3) GET /v3/role_assignments?scope.project.id=P_id&user.id=U_id&effective
result list is empty.
If I change the scope param to the child project id:
(4) GET GET
/v3/role_assignments?scope.project.id=CP_id&user.id=U_id&effective
I get one role assignment list:
{
- "role_assignments": [
- {
- "scope": {
- "project": {
- "id": "CP_id"
- },
- "OS-INHERIT:inherited_to": "projects"
- },
- "role": {
- "id": "R_id"
- },
- "user": {
- "id": "U_id"
- },
- "links": {
- "assignment": ".../v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects",
- "membership": ".../v3/groups/a8dc44a16a95411bbddbdca3a8454219/users/71c0782426934bdf870e9b25a41e9d1b"
- }
+ "role_assignments": [
+ {
+ "scope": {
+ "project": {
+ "id": "CP_id"
+ },
+ "OS-INHERIT:inherited_to": "projects"
+ },
+ "role": {
+ "id": "R_id"
+ },
+ "user": {
+ "id": "U_id"
+ },
+ "links": {
+ "assignment": ".../v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects",
+ "membership": ".../v3/groups/G_id/users/U_id"
+ }
My questions:
- - did I understand wrong the sentence
+ - did I understand wrong the sentence
"The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects)." resp. its "anchored to a project"
- Why there is no role assignment to P created by (1)? Is P not the part
of inheritance?
I think it is a bug.
Regards
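Review bot: the revised JSON sample is still cut off after the "links" object: the closing brackets for the assignment entry, the "role_assignments" array and the outer object are missing, so the sample does not parse; suggest adding them. The unchanged line "(4) GET GET" also still repeats the method. Replacing the literal group and user ids in the "membership" link with G_id and U_id is consistent with the placeholders used in the rest of the description.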
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1640483
Title:
list of inherited role assignments to a project hierarchy does not
contain the assignee/root project for users
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1640483/+subscriptions
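Added example, not part of the bug report and not Keystone's code: a minimal model of the behaviour the report observes, in which an inherited assignment anchored on P is expanded only onto projects below P. The dictionaries and the function names `ancestors` and `effective_assignments` are constructed for illustration; the ids are the placeholders used in the report.

```python
# Constructed model of the setup in the report: project P has child CP,
# group G contains user U, and role R is granted to G on P with
# inherited_to_projects. Not Keystone's implementation.
PARENT = {"CP_id": "P_id", "P_id": None}  # child project -> parent project
GROUP_MEMBERS = {"G_id": ["U_id"]}
ASSIGNMENTS = [
    {"group": "G_id", "role": "R_id", "project": "P_id", "inherited": True},
]


def ancestors(project_id):
    """Yield the strict ancestors of a project, nearest first."""
    parent = PARENT.get(project_id)
    while parent is not None:
        yield parent
        parent = PARENT.get(parent)


def effective_assignments(project_id, user_id):
    """Expand stored assignments into effective ones for a user on a project.

    Direct assignments apply only on their own project; inherited ones
    apply only on projects strictly below the anchor project.
    """
    above = set(ancestors(project_id))
    result = []
    for a in ASSIGNMENTS:
        if a["inherited"]:
            applies = a["project"] in above
        else:
            applies = a["project"] == project_id
        if not applies:
            continue
        # Group assignments are expanded to the group's member users.
        actors = GROUP_MEMBERS.get(a["group"], []) if "group" in a else [a["user"]]
        if user_id not in actors:
            continue
        entry = {"scope": {"project": {"id": project_id}},
                 "role": {"id": a["role"]},
                 "user": {"id": user_id}}
        if a["inherited"]:
            entry["scope"]["OS-INHERIT:inherited_to"] = "projects"
        result.append(entry)
    return result


if __name__ == "__main__":
    print(effective_assignments("P_id", "U_id"))   # query (3) in the report
    print(effective_assignments("CP_id", "U_id"))  # query (4) in the report
```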