← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1846817] Re: v3/role_assignments filtering exposes unnecessary role assignments

 

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  I have a deployment that exercises multiple system role assignments:
  
   - An "operator" user has the "admin" role on the system
   - A "system-support" user has the "member" role on the system
   - A "system-admins" group has the "reader" role on the system
  
  If I ask keystone to filter a list of role assignments by --system all
  and --role member, I should only see a list with the "system-support"
  user and the "operator" user. Instead, I get a list with three entries
  that includes the group, which doesn't have the member role at all, it
  only has reader.
  
  Depending on how you classify this, it could leak information to
  clients. Groups don't appear to be filtered from the list since "reader"
  doesn't imply "member" (it's the other way around).
  
  $ openstack role assignment list --names --system all --debug
  START with options: role assignment list --names --system all --debug
  options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
  cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  compute API version 2.1, cmd group openstack.compute.v2
  network API version 2, cmd group openstack.network.v2
  image API version 2, cmd group openstack.image.v2
  volume API version 3, cmd group openstack.volume.v3
  identity API version 3, cmd group openstack.identity.v3
  object_store API version 1, cmd group openstack.object_store.v1
  key_manager API version 1, cmd group openstack.key_manager.v1
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
  Using auth plugin: password
  Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
  Get auth_ref
  REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
  Starting new HTTP connection (1): 10.0.3.122:80
  http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
  RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
  RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.0.3.122/identity/v3/";, "rel": "self"}]}]}}
  GET call to http://10.0.3.122/identity used request id req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["JVQCRxBoTUyzm2CqiCoj6w"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
  run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, project=None, project_domain=None, quote_mode='nonnumeric', role=None, role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
  Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["U9Z3md9YTP-9-bTLuPDIzg"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}042443671367aa0183e15fd2692bf4c70d15050bdac46db883fd836440ae1065"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&include_names=True HTTP/1.1" 200 2401
  RESP: [200] Connection: close Content-Length: 2401 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
  RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "c814cd4739bd4960ad08ade3814f1560", "name": "system-admins"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/c814cd4739bd4960ad08ade3814f1560/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e", "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0ec0eb48c66d4fb79c432a2ff8c5d257", "name": "admin"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0ec0eb48c66d4fb79c432a2ff8c5d257/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "e8fec49e15984aedb5e1235f279434fe", "name": "auditor"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/e8fec49e15984aedb5e1235f279434fe/roles/7ee093f4ccf345bba963ce765f9b797f"}}], "links": {"self": "http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True";, "previous": null, "next": null}}
  
  GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True used request id req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | Role   | User                   | Group                   | Project | Domain | System | Inherited |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | admin  |                        | system-admins@Default   |         |        | all    | False     |
  | reader |                        | system-auditors@Default |         |        | all    | False     |
  | admin  | admin@Default          |                         |         |        | all    | False     |
  | admin  | operator@Default       |                         |         |        | all    | False     |
  | member | system-support@Default |                         |         |        | all    | False     |
  | reader | auditor@Default        |                         |         |        | all    | False     |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  clean_up ListRoleAssignment:
  END return value: 0
  
  The Trace above lists all system role assignments to confirm my setup
  locally. The following trace shows that the group is returned with the
  wrong role assignment based on the filter.
  
  $ openstack role assignment list --names --system all --role member --debug                                                                                                                              [1/880]
  START with options: role assignment list --names --system all --role member --debug
  options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='',
   auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domai
  n_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=F
  alse, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='',
   passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_proje
  ct_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', usern
  ame='', verbose_level=3, verify=None)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
  min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
  _scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
  ': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
  u'interface': 'public', u'disable_vendor_agent': {}}
  defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'ne
  utron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_
  version': u'1', u'disable_vendor_agent': {}}
  cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 've
  rify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope':
  'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None,
  'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interfa
  ce': 'public', u'disable_vendor_agent': {}}
  compute API version 2.1, cmd group openstack.compute.v2
  network API version 2, cmd group openstack.network.v2
  image API version 2, cmd group openstack.image.v2
  volume API version 3, cmd group openstack.volume.v3
  identity API version 3, cmd group openstack.identity.v3
  object_store API version 1, cmd group openstack.object_store.v1
  key_manager API version 1, cmd group openstack.key_manager.v1
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
  min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
  _scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
  ': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
  u'interface': 'public', u'disable_vendor_agent': {}}
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
  min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
  _scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
  ': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
  u'interface': 'public', u'disable_vendor_agent': {}}
  command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'q
  cow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_ti
  meout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tas
  ks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_h
  elp': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
  Using auth plugin: password
  Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
  Get auth_ref
  REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
  Starting new HTTP connection (1): 10.0.3.122:80
  http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
  RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:49 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-d5
  784d4c-7b47-4647-b912-65e6a78b835e
  RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.
  0.3.122/identity/v3/", "rel": "self"}]}]}}
  GET call to http://10.0.3.122/identity used request id req-d5784d4c-7b47-4647-b912-65e6a78b835e
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
  m": {"all": true}, "expires_at": "2019-10-04T19:56:49.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
  }], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
  893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
  ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["SGRaWT8BTVuzELGwxqjBdg"], "issued_at": "2019-10-04T18:56:49.000000
  Z"}}
  run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, pro
  ject=None, project_domain=None, quote_mode='nonnumeric', role=u'member', role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
  Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
  m": {"all": true}, "expires_at": "2019-10-04T19:56:50.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
  }], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
  893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
  ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["2nu0u-1wQRmWA9_uS2hZ-g"], "issued_at": "2019-10-04T18:56:50.000000
  Z"}}
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles/member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/roles/member HTTP/1.1" 404 84
  RESP: [404] Connection: close Content-Length: 84 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-88bce424-60f2-4d2a-a6f5-2bd256602789
  RESP BODY: {"error":{"code":404,"message":"Could not find role: member.","title":"Not Found"}}
  
  GET call to identity for http://10.0.3.122/identity/v3/roles/member used request id req-88bce424-60f2-4d2a-a6f5-2bd256602789
  Request returned failure status: 404
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles?name=member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/roles?name=member HTTP/1.1" 200 322
  RESP: [200] Connection: close Content-Length: 322 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-ce429b68-b53d-4c49-9080-ed3da3bce55b
  RESP BODY: {"links": {"self": "http://10.0.3.122/identity/v3/roles?name=member";, "previous": null, "next": null}, "roles": [{"description": null, "links": {"self": "http://10.0.3.122/identity/v3/roles/a8cd98f2e98d4135b2fa83950d6171ec"}, "
  options": {}, "id": "a8cd98f2e98d4135b2fa83950d6171ec", "domain_id": null, "name": "member"}]}
  
  GET call to identity for http://10.0.3.122/identity/v3/roles?name=member used request id req-ce429b68-b53d-4c49-9080-ed3da3bce55b
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA
  256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True HTTP/1.1" 200 1328
  RESP: [200] Connection: close Content-Length: 1328 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-08f9bdb9-149d-4905-96cc-99b87c8b6339
  RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e"
  , "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba74
  7046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914
  e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id":
   "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}], "links": {"self": "http://10.
  0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True", "previous": null, "next": null}}
  
  GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True used request id req-08f9bdb9-149d-4905-96cc-99b87c8b6339
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | Role   | User                   | Group                   | Project | Domain | System | Inherited |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | reader |                        | system-auditors@Default |         |        | all    | False     |
  | admin  | operator@Default       |                         |         |        | all    | False     |
  | member | system-support@Default |                         |         |        | all    | False     |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  clean_up ListRoleAssignment:
  END return value: 0

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1846817

Title:
  v3/role_assignments filtering exposes unnecessary role assignments

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  I have a deployment that exercises multiple system role assignments:

   - An "operator" user has the "admin" role on the system
   - A "system-support" user has the "member" role on the system
   - A "system-admins" group has the "reader" role on the system

  If I ask keystone to filter a list of role assignments by --system all
  and --role member, I should only see a list with the "system-support"
  user and the "operator" user. Instead, I get a list with three entries
  that includes the group, which doesn't have the member role at all, it
  only has reader.

  Depending on how you classify this, it could leak information to
  clients. Groups don't appear to be filtered from the list since
  "reader" doesn't imply "member" (it's the other way around).

  $ openstack role assignment list --names --system all --debug
  START with options: role assignment list --names --system all --debug
  options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
  cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  compute API version 2.1, cmd group openstack.compute.v2
  network API version 2, cmd group openstack.network.v2
  image API version 2, cmd group openstack.image.v2
  volume API version 3, cmd group openstack.volume.v3
  identity API version 3, cmd group openstack.identity.v3
  object_store API version 1, cmd group openstack.object_store.v1
  key_manager API version 1, cmd group openstack.key_manager.v1
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
  command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
  Using auth plugin: password
  Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
  Get auth_ref
  REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
  Starting new HTTP connection (1): 10.0.3.122:80
  http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
  RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
  RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.0.3.122/identity/v3/";, "rel": "self"}]}]}}
  GET call to http://10.0.3.122/identity used request id req-f35dcb91-9d9f-4c85-9421-1600e6a6ec27
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["JVQCRxBoTUyzm2CqiCoj6w"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
  run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, project=None, project_domain=None, quote_mode='nonnumeric', role=None, role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
  Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-04T19:56:29.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["U9Z3md9YTP-9-bTLuPDIzg"], "issued_at": "2019-10-04T18:56:29.000000Z"}}
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}042443671367aa0183e15fd2692bf4c70d15050bdac46db883fd836440ae1065"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&include_names=True HTTP/1.1" 200 2401
  RESP: [200] Connection: close Content-Length: 2401 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:29 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
  RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "c814cd4739bd4960ad08ade3814f1560", "name": "system-admins"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/c814cd4739bd4960ad08ade3814f1560/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e", "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0ec0eb48c66d4fb79c432a2ff8c5d257", "name": "admin"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0ec0eb48c66d4fb79c432a2ff8c5d257/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "e8fec49e15984aedb5e1235f279434fe", "name": "auditor"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/e8fec49e15984aedb5e1235f279434fe/roles/7ee093f4ccf345bba963ce765f9b797f"}}], "links": {"self": "http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True";, "previous": null, "next": null}}

  GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&include_names=True used request id req-c9bf133b-7ec4-49a5-b9da-3185dc6c55d2
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | Role   | User                   | Group                   | Project | Domain | System | Inherited |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | admin  |                        | system-admins@Default   |         |        | all    | False     |
  | reader |                        | system-auditors@Default |         |        | all    | False     |
  | admin  | admin@Default          |                         |         |        | all    | False     |
  | admin  | operator@Default       |                         |         |        | all    | False     |
  | member | system-support@Default |                         |         |        | all    | False     |
  | reader | auditor@Default        |                         |         |        | all    | False     |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  clean_up ListRoleAssignment:
  END return value: 0

  The Trace above lists all system role assignments to confirm my setup
  locally. The following trace shows that the group is returned with the
  wrong role assignment based on the filter.

  $ openstack role assignment list --names --system all --role member --debug                                                                                                                              [1/880]
  START with options: role assignment list --names --system all --role member --debug
  options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='',
   auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domai
  n_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=F
  alse, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='',
   passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_proje
  ct_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', usern
  ame='', verbose_level=3, verify=None)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
  min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
  _scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
  ': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
  u'interface': 'public', u'disable_vendor_agent': {}}
  defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'ne
  utron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_
  version': u'1', u'disable_vendor_agent': {}}
  cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 've
  rify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope':
  'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None,
  'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interfa
  ce': 'public', u'disable_vendor_agent': {}}
  compute API version 2.1, cmd group openstack.compute.v2
  network API version 2, cmd group openstack.network.v2
  image API version 2, cmd group openstack.image.v2
  volume API version 3, cmd group openstack.volume.v3
  identity API version 3, cmd group openstack.identity.v3
  object_store API version 1, cmd group openstack.object_store.v1
  key_manager API version 1, cmd group openstack.key_manager.v1
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
  min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
  _scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
  ': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
  u'interface': 'public', u'disable_vendor_agent': {}}
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-ad
  min', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system
  _scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key
  ': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True,
  u'interface': 'public', u'disable_vendor_agent': {}}
  command: role assignment list -> openstackclient.identity.v3.role_assignment.ListRoleAssignment (auth=True)
  Auth plugin password selected
  auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'q
  cow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_ti
  meout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tas
  ks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_h
  elp': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
  Using auth plugin: password
  Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
  Get auth_ref
  REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
  Starting new HTTP connection (1): 10.0.3.122:80
  http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
  RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:49 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-d5
  784d4c-7b47-4647-b912-65e6a78b835e
  RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.
  0.3.122/identity/v3/", "rel": "self"}]}]}}
  GET call to http://10.0.3.122/identity used request id req-d5784d4c-7b47-4647-b912-65e6a78b835e
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
  m": {"all": true}, "expires_at": "2019-10-04T19:56:49.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
  }], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
  893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
  ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["SGRaWT8BTVuzELGwxqjBdg"], "issued_at": "2019-10-04T18:56:49.000000
  Z"}}
  run(Namespace(authproject=False, authuser=False, columns=[], domain=None, effective=False, fit_width=False, formatter='table', group=None, group_domain=None, inherited=False, max_width=0, names=True, noindent=False, print_empty=False, pro
  ject=None, project_domain=None, quote_mode='nonnumeric', role=u'member', role_domain=None, sort_columns=[], system=u'all', user=None, user_domain=None))
  Instantiating identity client: <class 'keystoneclient.v3.client.Client'>
  Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
  {"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "syste
  m": {"all": true}, "expires_at": "2019-10-04T19:56:50.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"
  }], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity";, "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321
  893d620"}, {"url": "http://10.0.3.122/identity";, "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "ke
  ystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["2nu0u-1wQRmWA9_uS2hZ-g"], "issued_at": "2019-10-04T18:56:50.000000
  Z"}}
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles/member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/roles/member HTTP/1.1" 404 84
  RESP: [404] Connection: close Content-Length: 84 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-88bce424-60f2-4d2a-a6f5-2bd256602789
  RESP BODY: {"error":{"code":404,"message":"Could not find role: member.","title":"Not Found"}}

  GET call to identity for http://10.0.3.122/identity/v3/roles/member used request id req-88bce424-60f2-4d2a-a6f5-2bd256602789
  Request returned failure status: 404
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/roles?name=member -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/roles?name=member HTTP/1.1" 200 322
  RESP: [200] Connection: close Content-Length: 322 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-ce429b68-b53d-4c49-9080-ed3da3bce55b
  RESP BODY: {"links": {"self": "http://10.0.3.122/identity/v3/roles?name=member";, "previous": null, "next": null}, "roles": [{"description": null, "links": {"self": "http://10.0.3.122/identity/v3/roles/a8cd98f2e98d4135b2fa83950d6171ec"}, "
  options": {}, "id": "a8cd98f2e98d4135b2fa83950d6171ec", "domain_id": null, "name": "member"}]}

  GET call to identity for http://10.0.3.122/identity/v3/roles?name=member used request id req-ce429b68-b53d-4c49-9080-ed3da3bce55b
  REQ: curl -g -i -X GET http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA
  256}cb5bcba8735c5a7ea6f80ea414ee306e1a0b6a9c0c39c4dbf1296a96f6516ab6"
  Resetting dropped connection: 10.0.3.122
  http://10.0.3.122:80 "GET /identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True HTTP/1.1" 200 1328
  RESP: [200] Connection: close Content-Length: 1328 Content-Type: application/json Date: Fri, 04 Oct 2019 18:56:50 GMT Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-08f9bdb9-149d-4905-96cc-99b87c8b6339
  RESP BODY: {"role_assignments": [{"scope": {"system": {"all": true}}, "role": {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}, "group": {"domain": {"id": "default", "name": "Default"}, "id": "dd97034049fd46a6bdb33a32f1c7759e"
  , "name": "system-auditors"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/groups/dd97034049fd46a6bdb33a32f1c7759e/roles/7ee093f4ccf345bba963ce765f9b797f"}}, {"scope": {"system": {"all": true}}, "role": {"id": "7a11d0ba74
  7046d7936fbb8f97dc5cb1", "name": "admin"}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0f75914e63cb46e795cae7e6facd0ecb", "name": "operator"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/0f75914
  e63cb46e795cae7e6facd0ecb/roles/7a11d0ba747046d7936fbb8f97dc5cb1"}}, {"scope": {"system": {"all": true}}, "role": {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, "user": {"domain": {"id": "default", "name": "Default"}, "id":
   "66256692b6b942a8814ffd87d32a3963", "name": "system-support"}, "links": {"assignment": "http://10.0.3.122/identity/v3/system/users/66256692b6b942a8814ffd87d32a3963/roles/a8cd98f2e98d4135b2fa83950d6171ec"}}], "links": {"self": "http://10.
  0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True", "previous": null, "next": null}}

  GET call to identity for http://10.0.3.122/identity/v3/role_assignments?scope.system=all&role.id=a8cd98f2e98d4135b2fa83950d6171ec&include_names=True used request id req-08f9bdb9-149d-4905-96cc-99b87c8b6339
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | Role   | User                   | Group                   | Project | Domain | System | Inherited |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  | reader |                        | system-auditors@Default |         |        | all    | False     |
  | admin  | operator@Default       |                         |         |        | all    | False     |
  | member | system-support@Default |                         |         |        | all    | False     |
  +--------+------------------------+-------------------------+---------+--------+--------+-----------+
  clean_up ListRoleAssignment:
  END return value: 0

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1846817/+subscriptions