Public bug reported: When I configure Keystone with the LDAP backend, creating a group role assignment winds up being a user role assignment.
Here's steps to recreate: Start with devstack configured to use LDAP $ openstack group create blktest1 +-----------+--------------------------------------------------------------------------------------+ | Field | Value | +-----------+--------------------------------------------------------------------------------------+ | domain_id | default | | id | 33888a7d75274497bb1e7a05fc17a748 | | links | {u'self': u'http://192.168.122.176:5000/v3/groups/33888a7d75274497bb1e7a05fc17a748'} | | name | blktest1 | +-----------+--------------------------------------------------------------------------------------+ $ GROUP_ID=33888a7d75274497bb1e7a05fc17a748 $ openstack role list | 1fbe54e498ad483cb900735715926032 | anotherrole | $ ROLE_ID=1fbe54e498ad483cb900735715926032 $ openstack project list | 111681b688eb4460b464745f461ad0ce | demo | PROJECT_ID=111681b688eb4460b464745f461ad0ce # Get a token since I can't find an openstack command to add role assignment... $ curl ... $ TOKEN=PKIZ... # Create the GROUP role assignment $ curl -i -X PUT -H "X-Auth-Token: $TOKEN" \ http://localhost:35357/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID HTTP/1.1 204 No Content # Check the results. Now it's a user role assignment. $ openstack role assignment list +----------------------------------+----------------------------------+-------+----------------------------------+--------+ | Role | User | Group | Project | Domain | +----------------------------------+----------------------------------+-------+----------------------------------+--------+ | 9fe2ff9ee4384b1894a90878d3e92bab | 6e045e61b335473f9806460fcbf06b08 | | 4b78eb4768924d8ba492e53eecddf493 | | | 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 | | 4b78eb4768924d8ba492e53eecddf493 | | | 9fe2ff9ee4384b1894a90878d3e92bab | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | | | 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | | | 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 | | 111681b688eb4460b464745f461ad0ce | | | 1fbe54e498ad483cb900735715926032 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | | | 1fbe54e498ad483cb900735715926032 | 33888a7d75274497bb1e7a05fc17a748 | | 111681b688eb4460b464745f461ad0ce | | | 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 7dee56223a5d43169ba1c5a2ac8ec412 | | +----------------------------------+----------------------------------+-------+----------------------------------+--------+ # Also check the REST response since maybe it's in openstack command: $ curl -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/role_assignments | python -mjson.tool ... { "links": { "assignment": "http://192.168.122.176:5000/v3/projects/111681b688eb4460b464745f461ad0ce/users/33888a7d75274497bb1e7a05fc17a748/roles/1fbe54e498ad483cb900735715926032" }, "role": { "id": "1fbe54e498ad483cb900735715926032" }, "scope": { "project": { "id": "111681b688eb4460b464745f461ad0ce" } }, "user": { "id": "33888a7d75274497bb1e7a05fc17a748" } }, ... It's got user where it should be group. ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1365787 Title: LDAP group role assignment becomes user assignment Status in OpenStack Identity (Keystone): New Bug description: When I configure Keystone with the LDAP backend, creating a group role assignment winds up being a user role assignment. Here's steps to recreate: Start with devstack configured to use LDAP $ openstack group create blktest1 +-----------+--------------------------------------------------------------------------------------+ | Field | Value | +-----------+--------------------------------------------------------------------------------------+ | domain_id | default | | id | 33888a7d75274497bb1e7a05fc17a748 | | links | {u'self': u'http://192.168.122.176:5000/v3/groups/33888a7d75274497bb1e7a05fc17a748'} | | name | blktest1 | +-----------+--------------------------------------------------------------------------------------+ $ GROUP_ID=33888a7d75274497bb1e7a05fc17a748 $ openstack role list | 1fbe54e498ad483cb900735715926032 | anotherrole | $ ROLE_ID=1fbe54e498ad483cb900735715926032 $ openstack project list | 111681b688eb4460b464745f461ad0ce | demo | PROJECT_ID=111681b688eb4460b464745f461ad0ce # Get a token since I can't find an openstack command to add role assignment... $ curl ... $ TOKEN=PKIZ... # Create the GROUP role assignment $ curl -i -X PUT -H "X-Auth-Token: $TOKEN" \ http://localhost:35357/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID HTTP/1.1 204 No Content # Check the results. Now it's a user role assignment. $ openstack role assignment list +----------------------------------+----------------------------------+-------+----------------------------------+--------+ | Role | User | Group | Project | Domain | +----------------------------------+----------------------------------+-------+----------------------------------+--------+ | 9fe2ff9ee4384b1894a90878d3e92bab | 6e045e61b335473f9806460fcbf06b08 | | 4b78eb4768924d8ba492e53eecddf493 | | | 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 | | 4b78eb4768924d8ba492e53eecddf493 | | | 9fe2ff9ee4384b1894a90878d3e92bab | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | | | 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | | | 29b0254e79d141d1a342086fd772e5f4 | 6e045e61b335473f9806460fcbf06b08 | | 111681b688eb4460b464745f461ad0ce | | | 1fbe54e498ad483cb900735715926032 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 111681b688eb4460b464745f461ad0ce | | | 1fbe54e498ad483cb900735715926032 | 33888a7d75274497bb1e7a05fc17a748 | | 111681b688eb4460b464745f461ad0ce | | | 04b98b07af274304b19ce3e7d18de881 | 8fa4aa9d5584421eb8fa22ad01ff806a | | 7dee56223a5d43169ba1c5a2ac8ec412 | | +----------------------------------+----------------------------------+-------+----------------------------------+--------+ # Also check the REST response since maybe it's in openstack command: $ curl -H "X-Auth-Token: $TOKEN" http://localhost:5000/v3/role_assignments | python -mjson.tool ... { "links": { "assignment": "http://192.168.122.176:5000/v3/projects/111681b688eb4460b464745f461ad0ce/users/33888a7d75274497bb1e7a05fc17a748/roles/1fbe54e498ad483cb900735715926032" }, "role": { "id": "1fbe54e498ad483cb900735715926032" }, "scope": { "project": { "id": "111681b688eb4460b464745f461ad0ce" } }, "user": { "id": "33888a7d75274497bb1e7a05fc17a748" } }, ... It's got user where it should be group. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1365787/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp