yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #81387
[Bug 1860478] [NEW] fetching role assignments should handle domain IDs in addition to project IDs
Public bug reported:
Description of problem:
Note: This affects releases in Queens+ (could be further back but I have
only verified in Queens and Stein so far)
It is possible to pass through a domain ID as a project name while
assigning a role to a user e.g.:
$ openstack domain show test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 8de8ce3beda54ff6a2c897aaad71847b |
| name | test-domain |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
$ openstack role add --user test-user --user-domain --project 8de8ce3beda54ff6a2c897aaad71847b --project-domain test-domain --inherited ResellerAdmin
However, this breaks the ability to pull a role assignment list e.g.:
$ openstack role assignment list --user-domain test-domain --user test-
user --names
---
Actual results:
Returns a list of role assignments for test-user
Expected results:
object of type 'NoneType' has no len() (HTTP 400) (Request-ID: req-
636e0da4-4562-4aa3-a3f5-64ea1317e940)
---
How to reproduce:
$ openstack domain list
+----------------------------------+------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+------------+---------+--------------------+
| 9f2174693c6b4daea53384329b53bda7 | heat_stack | True | |
| default | Default | True | The default domain |
+----------------------------------+------------+---------+--------------------+
$ openstack domain create test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 8de8ce3beda54ff6a2c897aaad71847b |
| name | test-domain |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
$ openstack user create test-user --domain test-domain --password-prompt
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | 0cccd870c9a24cd09032ce489f5c1962 |
| name | test-user |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
$ openstack project create test-parent-project --domain test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | dab81d58b96e4105b7fd68235ff0eacb |
| is_domain | False |
| name | test-parent-project |
| options | {} |
| parent_id | 8de8ce3beda54ff6a2c897aaad71847b |
| tags | [] |
+-------------+----------------------------------+
$ openstack project create test-sub-project --parent test-parent-project --domain test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | 841bc53fff6d47788b85309e08ec39d8 |
| is_domain | False |
| name | test-sub-project |
| options | {} |
| parent_id | dab81d58b96e4105b7fd68235ff0eacb |
| tags | [] |
+-------------+----------------------------------+
$ openstack role add --user test-user --user-domain test-domain --project
8de8ce3beda54ff6a2c897aaad71847b --project-domain test-domain --inherited ResellerAdmin
$ openstack role assignment list --user-domain test-domain --user test-
user --names
object of type 'NoneType' has no len() (HTTP 400) (Request-ID: req-
636e0da4-4562-4aa3-a3f5-64ea1317e940)
** Affects: keystone
Importance: Low
Status: Triaged
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Low
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1860478
Title:
fetching role assignments should handle domain IDs in addition to
project IDs
Status in OpenStack Identity (keystone):
Triaged
Bug description:
Description of problem:
Note: This affects releases in Queens+ (could be further back but I
have only verified in Queens and Stein so far)
It is possible to pass through a domain ID as a project name while
assigning a role to a user e.g.:
$ openstack domain show test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 8de8ce3beda54ff6a2c897aaad71847b |
| name | test-domain |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
$ openstack role add --user test-user --user-domain --project 8de8ce3beda54ff6a2c897aaad71847b --project-domain test-domain --inherited ResellerAdmin
However, this breaks the ability to pull a role assignment list e.g.:
$ openstack role assignment list --user-domain test-domain --user
test-user --names
---
Actual results:
Returns a list of role assignments for test-user
Expected results:
object of type 'NoneType' has no len() (HTTP 400) (Request-ID: req-
636e0da4-4562-4aa3-a3f5-64ea1317e940)
---
How to reproduce:
$ openstack domain list
+----------------------------------+------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+------------+---------+--------------------+
| 9f2174693c6b4daea53384329b53bda7 | heat_stack | True | |
| default | Default | True | The default domain |
+----------------------------------+------------+---------+--------------------+
$ openstack domain create test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 8de8ce3beda54ff6a2c897aaad71847b |
| name | test-domain |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
$ openstack user create test-user --domain test-domain --password-
prompt
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | 0cccd870c9a24cd09032ce489f5c1962 |
| name | test-user |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
$ openstack project create test-parent-project --domain test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | dab81d58b96e4105b7fd68235ff0eacb |
| is_domain | False |
| name | test-parent-project |
| options | {} |
| parent_id | 8de8ce3beda54ff6a2c897aaad71847b |
| tags | [] |
+-------------+----------------------------------+
$ openstack project create test-sub-project --parent test-parent-project --domain test-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | 841bc53fff6d47788b85309e08ec39d8 |
| is_domain | False |
| name | test-sub-project |
| options | {} |
| parent_id | dab81d58b96e4105b7fd68235ff0eacb |
| tags | [] |
+-------------+----------------------------------+
$ openstack role add --user test-user --user-domain test-domain --project
8de8ce3beda54ff6a2c897aaad71847b --project-domain test-domain --inherited ResellerAdmin
$ openstack role assignment list --user-domain test-domain --user
test-user --names
object of type 'NoneType' has no len() (HTTP 400) (Request-ID: req-
636e0da4-4562-4aa3-a3f5-64ea1317e940)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1860478/+subscriptions
