Public bug reported:

When retrieving role assignments via the openstack client, passing the
--name flag will cause Keystone to not return the value of inherited, so
openstack client always reports false.

My test environment is an OSA AIO using OSA 13.1.3, which is using Keystone 
commit 87d67946e75db2ec2a6af72447211ca1ee291940.
 
Steps to reproduce:
* assign a role to a user on a domain and pass --inherited, so the role will be 
inherited to the domain's projects
* run "openstack role assignment list --user <user> --name"

Example output with debug request response without --name:

:~# openstack --debug role assignment list --user 
14bc7c6869374b33bd5125f6c61d44b9
...
REQ: curl -g -i -X GET 
http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9
 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H 
"X-Auth-Token: {SHA1}65c4fb6823ecccbf9441b041c2764e9eb2424fca"
"GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 HTTP/1.1" 
200 586
RESP: [200] Content-Length: 586 Vary: X-Auth-Token Server: Apache Date: Mon, 19 
Sep 2016 15:07:23 GMT Content-Type: application/json x-openstack-request-id: 
req-0ace9479-bb24-423c-8269-83da8a57ff6f
RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": 
"c000bbc3b52f41fe99e9f560666b36f1"}, "OS-INHERIT:inherited_to": "projects"}, 
"role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"}, "user": {"id": 
"14bc7c6869374b33bd5125f6c61d44b9"}, "links": {"assignment": 
"http://172.29.236.100:35357/v3/OS-INHERIT/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab/inherited_to_projects"}}],
 "links": {"self": 
"http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9";,
 "previous": null, "next": null}}

+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| Role                             | User                             | Group | 
Project | Domain                           | Inherited |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 14bc7c6869374b33bd5125f6c61d44b9 |       | 
        | c000bbc3b52f41fe99e9f560666b36f1 | True      |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

Example output with debug request response with --name:

:~# openstack --debug role assignment list --user 
14bc7c6869374b33bd5125f6c61d44b9 --name
...
REQ: curl -g -i -X GET 
http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True
 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H 
"X-Auth-Token: {SHA1}1ee295769134d215d26474bfc59704338ddbfb52"
"GET 
/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True
 HTTP/1.1" 200 681
RESP: [200] Content-Length: 681 Vary: X-Auth-Token Server: Apache Date: Mon, 19 
Sep 2016 15:08:52 GMT Content-Type: application/json x-openstack-request-id: 
req-70f3eb92-0cdd-4a02-866c-e8d1b2cbd113
RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": 
"c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}}, "role": {"id": 
"9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}, "user": {"domain": 
{"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}, "id": 
"14bc7c6869374b33bd5125f6c61d44b9", "name": "testdomainuser"}, "links": 
{"assignment": 
"http://172.29.236.100:35357/v3/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab"}}],
 "links": {"self": 
"http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True";,
 "previous": null, "next": null}}

+----------+-----------------------------+-------+---------+--------------+-----------+
| Role     | User                        | Group | Project | Domain       | 
Inherited |
+----------+-----------------------------+-------+---------+--------------+-----------+
| _member_ | testdomainuser@mytestdomain |       |         | mytestdomain | 
False     |
+----------+-----------------------------+-------+---------+--------------+-----------+

Thanks,

Sean

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1625230

Title:
  Role Assignment Incorrectly Reports Inheritance when --name is Used

Status in OpenStack Identity (keystone):
  New

Bug description:
  When retrieving role assignments via the openstack client, passing the
  --name flag will cause Keystone to not return the value of inherited,
  so openstack client always reports false.

  My test environment is an OSA AIO using OSA 13.1.3, which is using Keystone 
commit 87d67946e75db2ec2a6af72447211ca1ee291940.
   
  Steps to reproduce:
  * assign a role to a user on a domain and pass --inherited, so the role will 
be inherited to the domain's projects
  * run "openstack role assignment list --user <user> --name"

  Example output with debug request response without --name:

  :~# openstack --debug role assignment list --user 
14bc7c6869374b33bd5125f6c61d44b9
  ...
  REQ: curl -g -i -X GET 
http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9
 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H 
"X-Auth-Token: {SHA1}65c4fb6823ecccbf9441b041c2764e9eb2424fca"
  "GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 HTTP/1.1" 
200 586
  RESP: [200] Content-Length: 586 Vary: X-Auth-Token Server: Apache Date: Mon, 
19 Sep 2016 15:07:23 GMT Content-Type: application/json x-openstack-request-id: 
req-0ace9479-bb24-423c-8269-83da8a57ff6f
  RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": 
"c000bbc3b52f41fe99e9f560666b36f1"}, "OS-INHERIT:inherited_to": "projects"}, 
"role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"}, "user": {"id": 
"14bc7c6869374b33bd5125f6c61d44b9"}, "links": {"assignment": 
"http://172.29.236.100:35357/v3/OS-INHERIT/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab/inherited_to_projects"}}],
 "links": {"self": 
"http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9";,
 "previous": null, "next": null}}

  
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
  | Role                             | User                             | Group 
| Project | Domain                           | Inherited |
  
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
  | 9fe2ff9ee4384b1894a90878d3e92bab | 14bc7c6869374b33bd5125f6c61d44b9 |       
|         | c000bbc3b52f41fe99e9f560666b36f1 | True      |
  
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

  Example output with debug request response with --name:

  :~# openstack --debug role assignment list --user 
14bc7c6869374b33bd5125f6c61d44b9 --name
  ...
  REQ: curl -g -i -X GET 
http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True
 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H 
"X-Auth-Token: {SHA1}1ee295769134d215d26474bfc59704338ddbfb52"
  "GET 
/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True
 HTTP/1.1" 200 681
  RESP: [200] Content-Length: 681 Vary: X-Auth-Token Server: Apache Date: Mon, 
19 Sep 2016 15:08:52 GMT Content-Type: application/json x-openstack-request-id: 
req-70f3eb92-0cdd-4a02-866c-e8d1b2cbd113
  RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": 
"c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}}, "role": {"id": 
"9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}, "user": {"domain": 
{"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}, "id": 
"14bc7c6869374b33bd5125f6c61d44b9", "name": "testdomainuser"}, "links": 
{"assignment": 
"http://172.29.236.100:35357/v3/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab"}}],
 "links": {"self": 
"http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True";,
 "previous": null, "next": null}}

  
+----------+-----------------------------+-------+---------+--------------+-----------+
  | Role     | User                        | Group | Project | Domain       | 
Inherited |
  
+----------+-----------------------------+-------+---------+--------------+-----------+
  | _member_ | testdomainuser@mytestdomain |       |         | mytestdomain | 
False     |
  
+----------+-----------------------------+-------+---------+--------------+-----------+

  Thanks,

  Sean

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1625230/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to