Hi!
There was a new 'domain' property added to OS::Keystone::Role
(https://storyboard.openstack.org/#!/story/1684558,
https://review.openstack.org/#/c/459033/).
With "openstack role create" CLI command it is still possible to create roles
with no associated domains; but it seems that the same cannot be done with heat
templates.
An example: if I create two roles, CliRole (with "openstack role create
CliRole" command) and SimpleRole with the following heat template:
heat_template_version: 2015-04-30
description: Creates a role
resources:
role_resource:
type: OS::Keystone::Role
properties:
name: SimpleRole
the result in the keystone database will be:
MariaDB [keystone]> select * from role;
+----------------------------------+------------------+-------+-----------+
| id | name | extra | domain_id |
+----------------------------------+------------------+-------+-----------+
| 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole | {} | default |
| 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole | {} | <<null>> |
| 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {} | <<null>> |
| 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user | {} | <<null>> |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | {} | <<null>> |
| e174c27e79b84ea392d28224eb0af7c9 | admin | {} | <<null>> |
+----------------------------------+------------------+-------+-----------+
Should it be possible to create a role without associated domain with a heat
template?
-V.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
