Public bug reported: When retrieving role assignments via the openstack client, passing the --name flag will cause Keystone to not return the value of inherited, so openstack client always reports false.
My test environment is an OSA AIO using OSA 13.1.3, which is using Keystone commit 87d67946e75db2ec2a6af72447211ca1ee291940. Steps to reproduce: * assign a role to a user on a domain and pass --inherited, so the role will be inherited to the domain's projects * run "openstack role assignment list --user <user> --name" Example output with debug request response without --name: :~# openstack --debug role assignment list --user 14bc7c6869374b33bd5125f6c61d44b9 ... REQ: curl -g -i -X GET http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}65c4fb6823ecccbf9441b041c2764e9eb2424fca" "GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 HTTP/1.1" 200 586 RESP: [200] Content-Length: 586 Vary: X-Auth-Token Server: Apache Date: Mon, 19 Sep 2016 15:07:23 GMT Content-Type: application/json x-openstack-request-id: req-0ace9479-bb24-423c-8269-83da8a57ff6f RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1"}, "OS-INHERIT:inherited_to": "projects"}, "role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"}, "user": {"id": "14bc7c6869374b33bd5125f6c61d44b9"}, "links": {"assignment": "http://172.29.236.100:35357/v3/OS-INHERIT/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab/inherited_to_projects"}}], "links": {"self": "http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9";, "previous": null, "next": null}} +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+ | 9fe2ff9ee4384b1894a90878d3e92bab | 14bc7c6869374b33bd5125f6c61d44b9 | | | c000bbc3b52f41fe99e9f560666b36f1 | True | +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+ Example output with debug request response with --name: :~# openstack --debug role assignment list --user 14bc7c6869374b33bd5125f6c61d44b9 --name ... REQ: curl -g -i -X GET http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}1ee295769134d215d26474bfc59704338ddbfb52" "GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True HTTP/1.1" 200 681 RESP: [200] Content-Length: 681 Vary: X-Auth-Token Server: Apache Date: Mon, 19 Sep 2016 15:08:52 GMT Content-Type: application/json x-openstack-request-id: req-70f3eb92-0cdd-4a02-866c-e8d1b2cbd113 RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}}, "role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}, "user": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}, "id": "14bc7c6869374b33bd5125f6c61d44b9", "name": "testdomainuser"}, "links": {"assignment": "http://172.29.236.100:35357/v3/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab"}}], "links": {"self": "http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True";, "previous": null, "next": null}} +----------+-----------------------------+-------+---------+--------------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------+-----------------------------+-------+---------+--------------+-----------+ | _member_ | testdomainuser@mytestdomain | | | mytestdomain | False | +----------+-----------------------------+-------+---------+--------------+-----------+ Thanks, Sean ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1625230 Title: Role Assignment Incorrectly Reports Inheritance when --name is Used Status in OpenStack Identity (keystone): New Bug description: When retrieving role assignments via the openstack client, passing the --name flag will cause Keystone to not return the value of inherited, so openstack client always reports false. My test environment is an OSA AIO using OSA 13.1.3, which is using Keystone commit 87d67946e75db2ec2a6af72447211ca1ee291940. Steps to reproduce: * assign a role to a user on a domain and pass --inherited, so the role will be inherited to the domain's projects * run "openstack role assignment list --user <user> --name" Example output with debug request response without --name: :~# openstack --debug role assignment list --user 14bc7c6869374b33bd5125f6c61d44b9 ... REQ: curl -g -i -X GET http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}65c4fb6823ecccbf9441b041c2764e9eb2424fca" "GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 HTTP/1.1" 200 586 RESP: [200] Content-Length: 586 Vary: X-Auth-Token Server: Apache Date: Mon, 19 Sep 2016 15:07:23 GMT Content-Type: application/json x-openstack-request-id: req-0ace9479-bb24-423c-8269-83da8a57ff6f RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1"}, "OS-INHERIT:inherited_to": "projects"}, "role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"}, "user": {"id": "14bc7c6869374b33bd5125f6c61d44b9"}, "links": {"assignment": "http://172.29.236.100:35357/v3/OS-INHERIT/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab/inherited_to_projects"}}], "links": {"self": "http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9";, "previous": null, "next": null}} +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+ | 9fe2ff9ee4384b1894a90878d3e92bab | 14bc7c6869374b33bd5125f6c61d44b9 | | | c000bbc3b52f41fe99e9f560666b36f1 | True | +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+ Example output with debug request response with --name: :~# openstack --debug role assignment list --user 14bc7c6869374b33bd5125f6c61d44b9 --name ... REQ: curl -g -i -X GET http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}1ee295769134d215d26474bfc59704338ddbfb52" "GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True HTTP/1.1" 200 681 RESP: [200] Content-Length: 681 Vary: X-Auth-Token Server: Apache Date: Mon, 19 Sep 2016 15:08:52 GMT Content-Type: application/json x-openstack-request-id: req-70f3eb92-0cdd-4a02-866c-e8d1b2cbd113 RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}}, "role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}, "user": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}, "id": "14bc7c6869374b33bd5125f6c61d44b9", "name": "testdomainuser"}, "links": {"assignment": "http://172.29.236.100:35357/v3/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab"}}], "links": {"self": "http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True";, "previous": null, "next": null}} +----------+-----------------------------+-------+---------+--------------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------+-----------------------------+-------+---------+--------------+-----------+ | _member_ | testdomainuser@mytestdomain | | | mytestdomain | False | +----------+-----------------------------+-------+---------+--------------+-----------+ Thanks, Sean To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1625230/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
