On 21/06/18 07:39, Rabi Mishra wrote:
Looks like that's a bug where we create a domain specific role for
'default' domain[1], when domain is not specified.
[1] https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/keystone/role.py#L54
You can _probably_ pass
    domain: null
in your template. Worth a try, anyway.
- ZB
You're welcome to raise a bug and propose a fix where we should be just
removing the default.
On Thu, Jun 21, 2018 at 4:14 PM, Tikkanen, Viktor (Nokia - FI/Espoo) wrote:
Hi!
There was a new ’domain’ property added to OS::Keystone::Role
(https://storyboard.openstack.org/#!/story/1684558,
https://review.openstack.org/#/c/459033/).
With “openstack role create” CLI command it is still possible to
create roles with no associated domains; but it seems that the same
cannot be done with heat templates.
An example: if I create two roles, CliRole (with “openstack role
create CliRole” command) and SimpleRole with the following heat
template:
    heat_template_version: 2015-04-30
    description: Creates a role
    resources:
      role_resource:
        type: OS::Keystone::Role
        properties:
          name: SimpleRole
the result in the keystone database will be:
MariaDB [keystone]> select * from role;
+----------------------------------+------------------+-------+-----------+
| id                               | name             | extra | domain_id |
+----------------------------------+------------------+-------+-----------+
| 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
| 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
| 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
| 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | <<null>>  |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | <<null>>  |
| e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
+----------------------------------+------------------+-------+-----------+
Should it be possible to create a role without associated domain
with a heat template?
-V.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Regards,
Rabi Mishra
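
An added example, not part of the thread and not Heat or Keystone code: a small check that parses `select * from role` output in the format shown above and reports roles whose domain_id is anything other than the `<<null>>` marker, which is how a role created by the template stands out from one created with the CLI. The sample rows are copied from the table in the thread; the function names and the `expected` allow-list are hypothetical.

```python
"""Flag Keystone roles that carry a domain in `select * from role` output."""

NO_DOMAIN = "<<null>>"  # marker the thread's table shows for roles with no domain

# Rows copied from the table quoted in the thread (mysql client table format).
SAMPLE = """\
+----------------------------------+------------------+-------+-----------+
| id                               | name             | extra | domain_id |
+----------------------------------+------------------+-------+-----------+
| 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
| 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
| 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
| e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
+----------------------------------+------------------+-------+-----------+
"""


def parse_table(text):
    """Turn mysql-client table output into a list of dicts keyed by column name."""
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, the prompt line and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first piped line holds the column names
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
        else:
            raise ValueError("malformed row: %r" % line)
    return rows


def domain_scoped_roles(rows, expected=()):
    """Return (name, domain_id) for roles tied to a domain and not in `expected`."""
    return [
        (r["name"], r["domain_id"])
        for r in rows
        if r["domain_id"] not in (NO_DOMAIN, "", "NULL") and r["name"] not in expected
    ]


if __name__ == "__main__":
    for name, domain in domain_scoped_roles(parse_table(SAMPLE)):
        print("role %s is tied to domain %s" % (name, domain))
```

Roles that are meant to be domain-specific can be passed in `expected` so that only unintended ones are reported.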