yahoo-eng-team team mailing list archive

[Bug 1640483] Re: list of inherited role assignments to a project hierarchy does not contain the assignee/root project for users

 

This appears to be working as designed. Inherited assignments are only
applied to the children of the anchor point. Hence there are no
effective assignments on P.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1640483

Title:
  list of inherited role assignments to a project hierarchy does not
  contain the assignee/root project for users

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Hi all,

  I have a role R, group G with user U and a project P with a child project CP.
  If I call:
  (1) PUT /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects
  and validate it with:
  (2) HEAD /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects

  everything seems to be fine.

  But if I query the user role assignments in scope of P
  (3) GET /v3/role_assignments?scope.project.id=P_id&user.id=U_id&effective

  result list is empty.

  If I change the scope param to the child project id:

  (4) GET /v3/role_assignments?scope.project.id=CP_id&user.id=U_id&effective

  I get one role assignment list:
  {
      "role_assignments": [
          {
              "scope": {
                  "project": {
                      "id": "CP_id"
                  },
                  "OS-INHERIT:inherited_to": "projects"
              },
              "role": {
                  "id": "R_id"
              },
              "user": {
                  "id": "U_id"
              },
              "links": {
                  "assignment": ".../v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects",
                  "membership": ".../v3/groups/G_id/users/U_id"
              }
          }
      ]
  }

  My questions:
  - Did I misunderstand the sentence
  "The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects)." resp. its "anchored to a project"?

  (http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=list-effective-role-assignments-detail,list-domains-detail,list-user-s-inherited-project-roles-on-project-detail,assign-role-to-group-on-projects-owned-by-a-domain-detail,assign-role-to-group-on-projects-in-a-subtree-detail#)

  - Why is there no role assignment to P created by (1)? Is P not
  part of the inheritance?

  I think it is a bug.

  Regards

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1640483/+subscriptions
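
The behaviour described in this thread, as an added example that is not part of the original message and is not Keystone's code: a simplified model of effective-assignment expansion in which an inherited assignment applies only below its anchor project. The grandchild GCP_id, the second direct assignment on P, and all function and class names are assumptions made for illustration.

```python
# Simplified model of effective role assignment expansion; not Keystone's code.
# P_id, CP_id, GCP_id, G_id, U_id, R_id are constructed sample identifiers.
from dataclasses import dataclass

PARENT = {"CP_id": "P_id", "GCP_id": "CP_id", "P_id": None}  # child -> parent
GROUP_MEMBERS = {"G_id": {"U_id"}}

@dataclass(frozen=True)
class Assignment:
    role: str
    project: str      # anchor project of the stored assignment
    group: str
    inherited: bool   # True = created via .../inherited_to_projects

def ancestors(project):
    """Yield the strict ancestors of a project, nearest first."""
    parent = PARENT.get(project)
    while parent is not None:
        yield parent
        parent = PARENT.get(parent)

def effective(stored, user, project):
    """Return the effective assignments for user scoped to project."""
    above = set(ancestors(project))
    result = []
    for a in stored:
        if user not in GROUP_MEMBERS.get(a.group, set()):
            continue
        if not a.inherited and a.project == project:
            result.append({"role": a.role, "user": user, "project": project})
        elif a.inherited and a.project in above:
            # Inherited: applies below the anchor only, never on the anchor.
            result.append({"role": a.role, "user": user, "project": project,
                           "OS-INHERIT:inherited_to": "projects"})
    return result

# Request (1) from the report: inherited assignment anchored at P.
INHERITED_ONLY = [Assignment("R_id", "P_id", "G_id", inherited=True)]
# Assumed extra step: a direct assignment on P, which is what yields a result on P.
WITH_DIRECT = INHERITED_ONLY + [Assignment("R_id", "P_id", "G_id", inherited=False)]

if __name__ == "__main__":
    for pid in ("P_id", "CP_id", "GCP_id"):
        print(pid, effective(INHERITED_ONLY, "U_id", pid))
    print("P_id", effective(WITH_DIRECT, "U_id", "P_id"))
```

When auditing who can act on a project, query each project in the hierarchy separately: an empty result on the anchor does not mean the subtree is empty.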

