Looks like that's a bug where we create a domain-specific role for the
'default' domain [1] when domain is not specified.

[1]
https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/keystone/role.py#L54

You're welcome to raise a bug and propose a fix where we should be just
removing the default.

On Thu, Jun 21, 2018 at 4:14 PM, Tikkanen, Viktor (Nokia - FI/Espoo) <
viktor.tikka...@nokia.com> wrote:

> Hi!
>
> There was a new ’domain’ property added to OS::Keystone::Role (
> https://storyboard.openstack.org/#!/story/1684558,
> https://review.openstack.org/#/c/459033/).
>
> With “openstack role create” CLI command it is still possible to create
> roles with no associated domains; but it seems that the same cannot be done
> with heat templates.
>
> An example: if I create two roles, CliRole (with “openstack role create
> CliRole” command) and SimpleRole with the following heat template:
>
> heat_template_version: 2015-04-30
> description: Creates a role
> resources:
>   role_resource:
>     type: OS::Keystone::Role
>     properties:
>       name: SimpleRole
>
> the result in the keystone database will be:
>
> MariaDB [keystone]> select * from role;
> +----------------------------------+------------------+-------+-----------+
> | id                               | name             | extra | domain_id |
> +----------------------------------+------------------+-------+-----------+
> | 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
> | 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
> | 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
> | 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | <<null>>  |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | <<null>>  |
> | e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
> +----------------------------------+------------------+-------+-----------+
>
> Should it be possible to create a role without associated domain with a
> heat template?
>
> -V.
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Regards,
Rabi Mishra