yahoo-eng-team team mailing list archive
Message #95026
[Bug 2091317] [NEW] unable to create application credential with inherited role
Public bug reported:
This is similar to #1773967 and #2030061 but I think it's distinctly
different. I'm using 2024.2 of keystone and attempting to create an
application credential.
Here's the error:
❯ openstack application credential create terraform-cred --restricted
BadRequestException: 400: Client Error for url: https://keystone.local./v3/users/b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec/application_credentials, Invalid application credential: Could not find role assignment with role: 4a5321ded95d4c2caa3ebb329fd12dd5, user or group: b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec, project, domain, or system: 9c5848c68f1c41d181365eea45ed804b.
Here's the permission that I believe should be giving me this access:
+----------------------------------+------+----------------------------------+---------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+------+----------------------------------+---------+---------+--------+-----------+
| 4a5321ded95d4c2caa3ebb329fd12dd5 | | 74903141bbe74b148f7aac29b8ac83eb | | default | | True |
+----------------------------------+------+----------------------------------+---------+---------+--------+-----------+
❯ openstack project show 9c5848c68f1c41d181365eea45ed804b
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 9c5848c68f1c41d181365eea45ed804b |
| is_domain | False |
| name | doug-test |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
You can see the role has access to everything in the default domain via the group. The issue I believe is that my user "b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec" is a federated user that is granted membership to the "74903141bbe74b148f7aac29b8ac83eb" group.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2091317
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2091317/+subscriptions
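As an added illustration (not keystone's code and not from the reporter), a Python model of the two lookups this report contrasts: the direct (role, user, project) match that the 400 error names, versus an effective-assignment resolution that expands group membership and inherited domain assignments. Group membership and the project tree are assumed from the output quoted above.

```python
# Added illustration, not keystone's own code: a small model of the two ways a
# role lookup can be done for the data in this bug report. IDs are the ones
# quoted above; group membership and the project tree are assumed from the report.
from dataclasses import dataclass

ROLE = "4a5321ded95d4c2caa3ebb329fd12dd5"
USER = "b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec"
GROUP = "74903141bbe74b148f7aac29b8ac83eb"
PROJECT = "9c5848c68f1c41d181365eea45ed804b"
DOMAIN = "default"

@dataclass(frozen=True)
class Assignment:
    role: str
    actor_type: str   # "user" or "group"
    actor: str
    target_type: str  # "project" or "domain"
    target: str
    inherited: bool = False

# Constructed from the `role assignment list` and `project show` output above.
ASSIGNMENTS = [Assignment(ROLE, "group", GROUP, "domain", DOMAIN, inherited=True)]
GROUP_MEMBERS = {GROUP: {USER}}  # the federated user is mapped into this group
PROJECTS = {PROJECT: {"domain_id": DOMAIN, "parent_id": DOMAIN}}

def direct_roles(user, project):
    """The lookup the 400 error describes: an explicit (role, user, project) row only."""
    return {a.role for a in ASSIGNMENTS
            if (a.actor_type, a.actor) == ("user", user)
            and (a.target_type, a.target) == ("project", project)}

def effective_roles(user, project):
    """Expand group membership plus inherited assignments on the owning domain
    and any ancestor project, which is what the reporter's case relies on."""
    actors = {("user", user)}
    actors |= {("group", g) for g, members in GROUP_MEMBERS.items() if user in members}
    # Walk up the project tree; the root parent is the owning domain.
    inherited_from, node = set(), project
    while node in PROJECTS:
        node = PROJECTS[node]["parent_id"]
        inherited_from.add(("project", node) if node in PROJECTS else ("domain", node))
    roles = set()
    for a in ASSIGNMENTS:
        if (a.actor_type, a.actor) not in actors:
            continue
        if (a.target_type, a.target) == ("project", project):
            roles.add(a.role)
        elif a.inherited and (a.target_type, a.target) in inherited_from:
            roles.add(a.role)
    return roles
```

With the reported data, `direct_roles` returns nothing (matching the error), while `effective_roles` yields the role through the group's inherited domain assignment.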