Message #92781
[Bug 2035006] [NEW] roles within domains do not show in auth_ref details
Public bug reported:
I have the following setup:
$ openstack domain list
+----------------------------------+-------------+---------+-------------------------------------------+
| ID                               | Name        | Enabled | Description                               |
+----------------------------------+-------------+---------+-------------------------------------------+
| 3eda6a0074144f32b0d6b255f821cc4f | magnum      | True    | Owns users and projects created by magnum |
| bb2f7b1a50524d24960207af313faae7 | heat        | True    | Stack projects and users                  |
| default                          | Default     | True    | The default domain                        |
| e69aa4c1e76b4de1a7c3886aa458717d | example.com | True    |                                           |
+----------------------------------+-------------+---------+-------------------------------------------+
$ openstack project list --domain example.com
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| f81d9cf81bd744649277f37ab32eba62 | operations |
+----------------------------------+------------+
$ openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 14783cf48be54977be5372c086823377 | heat_stack_owner |
| 5140d865c479415fa4652ca06cbfe06e | operator         |
| 7d737800fbb7481da8bebfba22f06bc0 | heat_stack_user  |
| 8de3b2be221148f89007787419fc765d | admin            |
| 8eaed8e42e454b9db8df7e74e32a4086 | reader           |
| fa51b8f09b5347a49d7f04ac4d382188 | member           |
+----------------------------------+------------------+
$ openstack role list --domain example.com
+----------------------------------+---------+-------------+
| ID                               | Name    | Domain      |
+----------------------------------+---------+-------------+
| 6e5430e8b875473f82fdba3a87ad8434 | general | example.com |
| c29ebdcf38034153b06bb85e8f024a2f | admin   | example.com |
+----------------------------------+---------+-------------+
$ openstack role assignment list --user tstark --project operations
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 5140d865c479415fa4652ca06cbfe06e | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |. operator
| 6e5430e8b875473f82fdba3a87ad8434 | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |. general (example.com)
| 8de3b2be221148f89007787419fc765d | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |. admin
| c29ebdcf38034153b06bb85e8f024a2f | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |. admin (example.com)
| fa51b8f09b5347a49d7f04ac4d382188 | 54b0e8dd049d4fd993bfb78e69d5a8cf |       | f81d9cf81bd744649277f37ab32eba62 |        |        | False     |. member
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
When I use the Python API to scope into the project operations (which
resides in the example.com domain), I get these contents for the output
of ... sess.auth.get_access(sess):
  "roles": [
    {
      "id": "5140d865c479415fa4652ca06cbfe06e",
      "name": "operator"
    },
    {
      "id": "8eaed8e42e454b9db8df7e74e32a4086",
      "name": "reader"
    },
    {
      "id": "8de3b2be221148f89007787419fc765d",
      "name": "admin"
    },
    {
      "id": "fa51b8f09b5347a49d7f04ac4d382188",
      "name": "member"
    }
  ],
Note, the above roles array is constructed like so:

from keystoneauth1 import session as ks_session
from keystoneauth1.identity import v3

auth_params = {...}  # auth_url and the project/domain scope parameters, elided here
sess = ks_session.Session(
    auth=v3.Password(username="tstark", password=password, **auth_params)
)
auth_ref = sess.auth.get_access(sess)  # AccessInfo for the scoped token
# role_ids and role_names are exposed in matching order, so pair them up
roles = [
    {"id": role_id, "name": role_name}
    for role_id, role_name in zip(auth_ref.role_ids, auth_ref.role_names)
]
For reference, the contents of auth_ref.[project_id, project_name,
project_domain_id, project_domain_name] are being reported as below, so
I know for sure that my auth params are correct in my app. In fact, I am
able to do whatever I want inside the operations project using the token
that is a part of this:
  "scope": {
    "project": {
      "domain": {
        "id": "e69aa4c1e76b4de1a7c3886aa458717d",
        "name": "example.com"
      },
      "id": "f81d9cf81bd744649277f37ab32eba62",
      "name": "operations"
    }
  },
THE ISSUE
- Note that the reported roles from auth_ref are missing general (example.com) and admin (example.com), but they include all the roles that are not associated with a domain.
- This is despite the fact that the role assignments are clearly defined for these example.com roles.
I realize that the auth system is in the middle of a re-work as
discussed in https://bugs.launchpad.net/bugs/2017056, so this may be a
regression.
What I want to know is: is this a bug, or am I missing something?
** Affects: keystone
Importance: Undecided
Status: New
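Added example (editor's note, not code from the report or from Keystone): a small audit that checks a token's role list against the user's effective assignments the way a practitioner would triage this report. Keystone's implied-roles documentation describes domain-specific roles as never being placed in a token; they take effect only when an implied-role rule names them as the prior role of a global role, and then only the global role appears. So the interesting question is not whether general (example.com) and admin (example.com) are absent, but whether any global role that was assigned or implied is absent, which would be a real defect. The role IDs, assignments and token contents are transcribed from the tables above; the implied-role rules (admin -> member -> reader, the chain that `keystone-manage bootstrap` creates by default) are an assumption about this deployment and would explain why `reader` appears in the token without a direct assignment.

```python
"""Audit a Keystone token's role list against the user's role assignments.

Added example; not code from the bug report or from Keystone. Role,
assignment and token data are transcribed from the report's tables; the
implied-role rules are an ASSUMPTION (the bootstrap default chain
admin -> member -> reader).
"""
from collections import deque

# role ID -> (name, domain name or None for a global role), from the report
ROLES = {
    "5140d865c479415fa4652ca06cbfe06e": ("operator", None),
    "8de3b2be221148f89007787419fc765d": ("admin", None),
    "8eaed8e42e454b9db8df7e74e32a4086": ("reader", None),
    "fa51b8f09b5347a49d7f04ac4d382188": ("member", None),
    "6e5430e8b875473f82fdba3a87ad8434": ("general", "example.com"),
    "c29ebdcf38034153b06bb85e8f024a2f": ("admin", "example.com"),
}

# Direct assignments for tstark on project "operations" (report's table)
ASSIGNED_ROLE_IDS = [
    "5140d865c479415fa4652ca06cbfe06e",
    "6e5430e8b875473f82fdba3a87ad8434",
    "8de3b2be221148f89007787419fc765d",
    "c29ebdcf38034153b06bb85e8f024a2f",
    "fa51b8f09b5347a49d7f04ac4d382188",
]

# Role IDs present in the token's "roles" list (report's auth_ref output)
TOKEN_ROLE_IDS = [
    "5140d865c479415fa4652ca06cbfe06e",
    "8eaed8e42e454b9db8df7e74e32a4086",
    "8de3b2be221148f89007787419fc765d",
    "fa51b8f09b5347a49d7f04ac4d382188",
]

# ASSUMED implied-role rules: prior role ID -> implied role IDs
IMPLIED = {
    "8de3b2be221148f89007787419fc765d": ["fa51b8f09b5347a49d7f04ac4d382188"],  # admin -> member
    "fa51b8f09b5347a49d7f04ac4d382188": ["8eaed8e42e454b9db8df7e74e32a4086"],  # member -> reader
}


def role_label(rid, roles=ROLES):
    """Render a role as 'name' or 'name (domain)' like the report's annotations."""
    name, domain = roles[rid]
    return f"{name} ({domain})" if domain else name


def expand_implied(role_ids, implied):
    """Transitive closure of the implied-role rules (breadth-first, cycle-safe)."""
    seen = set(role_ids)
    queue = deque(role_ids)
    while queue:
        for nxt in implied.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def expected_token_roles(assigned, implied, roles):
    """Roles a token should carry: the implied-role closure of the assignments,
    minus domain-specific roles, which Keystone does not place in a token."""
    return {rid for rid in expand_implied(assigned, implied) if roles[rid][1] is None}


def audit_token_roles(assigned, token_roles, implied, roles):
    """Classify the differences between the assignments and the token's roles."""
    expected = expected_token_roles(assigned, implied, roles)
    actual = set(token_roles)
    return {
        # a global role that was assigned (or implied) yet is absent: a real defect
        "missing_global": sorted(expected - actual),
        # a role in the token with no assignment or implication behind it
        "unexpected": sorted(actual - expected),
        # assigned domain-specific roles; their absence from the token is expected
        "domain_specific_omitted": sorted(r for r in assigned if roles[r][1] is not None),
        # roles present only because a rule implied them, not by direct assignment
        "implied_only": sorted((actual - set(assigned)) & expand_implied(assigned, implied)),
    }


if __name__ == "__main__":
    report = audit_token_roles(ASSIGNED_ROLE_IDS, TOKEN_ROLE_IDS, IMPLIED, ROLES)
    for key, ids in report.items():
        print(f"{key}: {[role_label(r) for r in ids]}")
```

Run against the report's data, `missing_global` and `unexpected` come out empty, `domain_specific_omitted` lists the two example.com roles and `implied_only` lists `reader`, which is consistent with the documented behaviour rather than with a lost assignment. The authorization consequence worth keeping in mind: oslo.policy only ever sees the roles inside the token, so an assignment of a domain-specific role grants nothing by itself; it becomes effective only through an implied-role rule that maps it to a global role. A non-empty `missing_global` is the result that would substantiate a regression.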
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2035006