
yahoo-eng-team team mailing list archive

[Bug 2035006] [NEW] roles within domains do not show in auth_ref details

 

Public bug reported:

I have the following setup:

$ openstack domain list
+----------------------------------+-------------+---------+---------------------------------------------+
| ID                               | Name        | Enabled | Description                                 |
+----------------------------------+-------------+---------+---------------------------------------------+
| 3eda6a0074144f32b0d6b255f821cc4f | magnum      | True    | Owns users and projects   created by magnum |
| bb2f7b1a50524d24960207af313faae7 | heat        | True    | Stack projects and users                    |
| default                          | Default     | True    | The default domain                          |
| e69aa4c1e76b4de1a7c3886aa458717d | example.com | True    |                                             |
+----------------------------------+-------------+---------+---------------------------------------------+
$ openstack project list --domain example.com
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| f81d9cf81bd744649277f37ab32eba62 | operations |
+----------------------------------+------------+
$ openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 14783cf48be54977be5372c086823377 | heat_stack_owner |
| 5140d865c479415fa4652ca06cbfe06e | operator         |
| 7d737800fbb7481da8bebfba22f06bc0 | heat_stack_user  |
| 8de3b2be221148f89007787419fc765d | admin            |
| 8eaed8e42e454b9db8df7e74e32a4086 | reader           |
| fa51b8f09b5347a49d7f04ac4d382188 | member           |
+----------------------------------+------------------+
$ openstack role list --domain example.com
+----------------------------------+---------+-------------+
| ID                               | Name    | Domain      |
+----------------------------------+---------+-------------+
| 6e5430e8b875473f82fdba3a87ad8434 | general | example.com |
| c29ebdcf38034153b06bb85e8f024a2f | admin   | example.com |
+----------------------------------+---------+-------------+
$ openstack role assignment list --user tstark --project operations
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 5140d865c479415fa4652ca06cbfe06e | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |.   operator
| 6e5430e8b875473f82fdba3a87ad8434 | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |.   general (example.com)
| 8de3b2be221148f89007787419fc765d | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |.   admin
| c29ebdcf38034153b06bb85e8f024a2f | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |.   admin (example.com)
| fa51b8f09b5347a49d7f04ac4d382188 | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |.   member
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

When I use the Python API to scope into the project operations (which
resides in the example.com domain), I get these contents for the output
of ... sess.auth.get_access(sess):

    "roles": [
      {
        "id": "5140d865c479415fa4652ca06cbfe06e", 
        "name": "operator"
      }, 
      {
        "id": "8eaed8e42e454b9db8df7e74e32a4086", 
        "name": "reader"
      }, 
      {
        "id": "8de3b2be221148f89007787419fc765d", 
        "name": "admin"
      }, 
      {
        "id": "fa51b8f09b5347a49d7f04ac4d382188", 
        "name": "member"
      }
    ], 

Note, the above roles array is constructed like so:
        from keystoneauth1 import session as ks_session
        from keystoneauth1.identity import v3

        auth_params = {...}
        sess = ks_session.Session(auth=v3.Password(username="tstark", password=password, **auth_params))
        # get_access() returns the AccessInfo for the scoped token; role_ids and
        # role_names are parallel lists taken from the token's "roles" array
        auth_ref = sess.auth.get_access(sess)
        roles = [{
            "id": auth_ref.role_ids[i],
            "name": auth_ref.role_names[i]
        } for i in range(len(auth_ref.role_names))]

For reference, the contents of auth_ref.[project_id, project_name,
project_domain_id, project_domain_name] are being reported as below, so
I know for sure that my auth params are correct in my app. In fact, I am
able to do whatever I want inside the operations project using the token
that is a part of this:

    "scope": {
      "project": {
        "domain": {
          "id": "e69aa4c1e76b4de1a7c3886aa458717d", 
          "name": "example.com"
        }, 
        "id": "f81d9cf81bd744649277f37ab32eba62", 
        "name": "operations"
      }
    }, 

THE ISSUE
- note the reported roles from auth_ref are missing general (example.com) and admin (example.com), but they include all the roles that are not associated with a domain.
- this is despite the fact that the role assignments are clearly defined for these example.com roles

I realize that the auth system is in the middle of a re-work as
discussed in https://bugs.launchpad.net/bugs/2017056, so this may be a
regression.

What I want to know is ... is this a bug, or am I missing something?

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2035006
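A small reconciliation check, added here as an example and not part of the bug report or of keystone: it compares the role IDs a keystoneauth1 `auth_ref` reports against the role assignments an operator expects on the project, and flags whether the gap is exactly the domain-owned roles. The catalog, assignment and token lists are constructed from the tables above; the `Role`, `reconcile` and `missing_are_domain_roles` names are this example's own, and no keystone endpoint is contacted.

```python
# Added example (not from the bug report): reconcile the roles an auth_ref
# reports against the role assignments expected on the project. All sample
# data below is constructed from the tables in the report; runs offline.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Role:
    role_id: str
    name: str
    domain: Optional[str] = None  # None for a global role, else the owning domain

    def label(self) -> str:
        return f"{self.name} ({self.domain})" if self.domain else self.name

# Roles from `openstack role list` and `openstack role list --domain example.com`
ROLE_CATALOG = {r.role_id: r for r in [
    Role("14783cf48be54977be5372c086823377", "heat_stack_owner"),
    Role("5140d865c479415fa4652ca06cbfe06e", "operator"),
    Role("7d737800fbb7481da8bebfba22f06bc0", "heat_stack_user"),
    Role("8de3b2be221148f89007787419fc765d", "admin"),
    Role("8eaed8e42e454b9db8df7e74e32a4086", "reader"),
    Role("fa51b8f09b5347a49d7f04ac4d382188", "member"),
    Role("6e5430e8b875473f82fdba3a87ad8434", "general", "example.com"),
    Role("c29ebdcf38034153b06bb85e8f024a2f", "admin", "example.com"),
]}

# Role IDs assigned to tstark on project `operations` (role assignment list)
ASSIGNED_ROLE_IDS = {
    "5140d865c479415fa4652ca06cbfe06e", "6e5430e8b875473f82fdba3a87ad8434",
    "8de3b2be221148f89007787419fc765d", "c29ebdcf38034153b06bb85e8f024a2f",
    "fa51b8f09b5347a49d7f04ac4d382188",
}

# What auth_ref.role_ids contained for the project-scoped token in the report
TOKEN_ROLE_IDS = [
    "5140d865c479415fa4652ca06cbfe06e", "8eaed8e42e454b9db8df7e74e32a4086",
    "8de3b2be221148f89007787419fc765d", "fa51b8f09b5347a49d7f04ac4d382188",
]

def reconcile(token_role_ids, assigned_role_ids, catalog):
    """Return (missing, unexpected): assigned-but-absent and present-but-unassigned labels."""
    token = set(token_role_ids)
    missing = sorted(catalog[r].label() for r in assigned_role_ids - token)
    unexpected = sorted(catalog[r].label() for r in token - assigned_role_ids)
    return missing, unexpected

def missing_are_domain_roles(token_role_ids, assigned_role_ids, catalog):
    """True when something is missing and every missing role is domain-owned,
    i.e. the exact symptom in the report (all global roles still present)."""
    gone = assigned_role_ids - set(token_role_ids)
    return bool(gone) and all(catalog[r].domain is not None for r in gone)
```

Run against the report's data, `reconcile` lists `admin (example.com)` and `general (example.com)` as missing and `reader` as present without a direct assignment (an assumption here is that `reader` arrives via keystone's implied-role chain, which the report does not state).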

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2035006/+subscriptions