yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1696111] Re: Keystone confuses users when creating a trust when there's a roles name conflict

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1696111@xxxxxxxxxxxxxxxxxx>
Date: Thu, 22 Jun 2017 19:53:15 -0000
Reply-to: Bug 1696111 <1696111@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/475068
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=da53c2b33457f4f1e93bdda6c0c16172ea36bc78
Submitter: Jenkins
Branch:    master

commit da53c2b33457f4f1e93bdda6c0c16172ea36bc78
Author: Kristi Nikolla <knikolla@xxxxxx>
Date:   Fri Jun 16 15:33:46 2017 -0400

    When creating a trust, send role_ids instead or role_names
    
    This changes create a trust to use ids instead of names because of
    the possibility of roles sharing a name. Even if the user
    uniquely identified a role by inputting the id, the request sent
    to the identity service would used the name, therefore the command
    would fail in the case that two roles share a name.
    
    This does not change how trusts are displayed during trust list or
    trust show, a name will still be shown instead of an id.
    
    Depends-On: I38e0ac35946ee6e53128babac3ea759a380572e0
    
    Change-Id: I5bdf89f1e288954a7f5c2704231f270bc7d196f5
    Closes-Bug: 1696111


** Changed in: python-openstackclient
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1696111

Title:
  Keystone confuses users when creating a trust when there's a roles
  name conflict

Status in OpenStack Identity (keystone):
  In Progress
Status in python-keystoneclient:
  In Progress
Status in python-openstackclient:
  Fix Released

Bug description:
  Due to code [1] Keystone produces a confusing message when:

  * We're using python-openstackclient
  * We're creating a trust with a role name that exists in more that one domain.

  "role %s is not defined" suggests that there isn't a role like that.
  What actually happens, Keystone cannot decide which role is the user's
  choice.

  python-openstackclient automatically converts role ids to role names
  when sending a POST request, so specifying roles using an id doesn't
  help at all.


  [1]
  https://github.com/openstack/keystone/blob/03319d1/keystone/trust/controllers.py#L90-L94

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1696111/+subscriptions

References

[Bug 1696111] [NEW] Keystone confuses users when creating a trust when there's a roles name conflict
From: Michal Dulko, 2017-06-06