yahoo-eng-team team mailing list archive

[Bug 1780159] Re: Some inherited projects missing when listing user's projects

 

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159

Title:
  Some inherited projects missing when listing user's projects

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  When a project is added as a child to another project and a user has
  an inherited role as well as an explicit role on that parent project,
  the child project may not appear when the user lists their projects.

  It appears that the order in which the inherited and effective role
  assignments are made makes a difference.

  What actually happens:

  # The parent
  $ openstack project show parent --children
  +-------------+--------------------------------------------+
  | Field       | Value                                      |
  +-------------+--------------------------------------------+
  | description |                                            |
  | domain_id   | default                                    |
  | enabled     | True                                       |
  | id          | da2265680b3844eaa241a14ac9ee07f1           |
  | is_domain   | False                                      |
  | name        | parent                                     |
  | parent_id   | default                                    |
  | subtree     | {'3e5e4084c9984d55935198eed49f7164': None} |
  | tags        | []                                         |
  +-------------+--------------------------------------------+

  # A first child
  $ openstack project show 3e5e4084c9984d55935198eed49f7164
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | 3e5e4084c9984d55935198eed49f7164 |
  | is_domain   | False                            |
  | name        | child                            |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  
  # Next, we give user mradmin the project_admin role on the parent project explicitly.
  $ openstack role add --project parent --user mradmin  project_admin

  # We give user mradmin the project_admin role on the parent project's subtree via inheritance.
  $ openstack role add --project parent --user mradmin  --inherited project_admin

  
  # When we list the projects as user mradmin, everything is fine for now.
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  * Important note: the first child project exists before we do the role
  assignments. The second child project is added after the role
  assignments.


  # Add a second child project to the parent project:
  $ openstack project create --parent parent child2
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | c781f589110c4d07a96c40b50bc6bd19 |
  | is_domain   | False                            |
  | name        | child2                           |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  
  # The second child does not appear when we list the projects as user mradmin
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+


  
  If we repeat the above except we reverse the order when assigning the project_admin role:
  $ openstack role add --project parent --user mradmin  --inherited project_admin
  $ openstack role add --project parent --user mradmin  project_admin

  then we are able to see all projects when we list the projects as user mradmin:
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 79d5300ac137466a9e2a22931d0a6b52 | child2 |
  | e18fa9d21fe94bdcb4965233b65081bd | parent |
  | e334dcc334804e2888c7146d3a092050 | child  |
  +----------------------------------+--------+

  Expected behavior:
  See all child projects regardless of the order of role assignment.

  
  I was able to reproduce this in Queens and Pike.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1780159/+subscriptions
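
An added example, not part of the bug report and not keystone code: a small Python check that computes which projects a user should see from a project hierarchy and a set of role assignments, then diffs that against an observed `openstack project list`. It assumes the usual model in which a direct assignment grants the project it is made on and an inherited assignment grants every project below it; the function names and sample data are constructed from the names in the report.

```python
# Added illustration, not keystone code. Assumed model: a direct assignment
# grants the project it is made on; an inherited one grants every project
# below it in the hierarchy (but not the project itself).
from typing import NamedTuple

class Assignment(NamedTuple):
    user: str
    role: str
    project: str
    inherited: bool  # True when made with --inherited

def descendants(parent_of, root):
    """Every project below root, given a child -> parent_id mapping."""
    children = {}
    for child, parent in parent_of.items():
        children.setdefault(parent, set()).add(child)
    found, stack = set(), [root]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in found:  # guards against malformed cycles
                found.add(child)
                stack.append(child)
    return found

def expected_projects(parent_of, assignments, user):
    """Projects the user should see; independent of assignment order."""
    visible = set()
    for a in assignments:
        if a.user != user:
            continue
        if a.inherited:
            visible |= descendants(parent_of, a.project)
        else:
            visible.add(a.project)
    return visible

def missing_projects(parent_of, assignments, user, listed):
    """Projects expected from the assignments but absent from a listing."""
    return expected_projects(parent_of, assignments, user) - set(listed)

# Constructed from the report: hierarchy after child2 is created.
PARENT_OF = {"parent": "default", "child": "parent", "child2": "parent"}
DIRECT = Assignment("mradmin", "project_admin", "parent", False)
INHERITED = Assignment("mradmin", "project_admin", "parent", True)

if __name__ == "__main__":
    listed = ["child", "parent"]  # the listing shown in the report
    print(sorted(missing_projects(PARENT_OF, [DIRECT, INHERITED], "mradmin", listed)))
```

Because the expected set is derived only from the current hierarchy and the assignments, it is the same for either assignment order and for projects created after the assignments were made.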

