This appears to be working as designed. Inherited assignments are only
applied to the children of the anchor point. Hence there are no
effective assignments on P.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1640483

Title:
  list of inherited role assignments to a project hierarchy does not
  contain the assignee/root project for users

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Hi all,

  I have a role R, group G with user U and a project P with a child project CP.
  If I call:
  (1) PUT /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects
  and validate it with:
  (2) HEAD /v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects

  everything seems to be fine.

  But if I query the user role assignments in scope of P
  (3) GET /v3/role_assignments?scope.project.id=P_id&user.id=U_id&effective

  result list is empty.

  If I change the scope param to the child project id:

  (4) GET /v3/role_assignments?scope.project.id=CP_id&user.id=U_id&effective

  I get one role assignment list:
  {
      "role_assignments": [
          {
              "scope": {
                  "project": {
                      "id": "CP_id"
                  },
                  "OS-INHERIT:inherited_to": "projects"
              },
              "role": {
                  "id": "R_id"
              },
              "user": {
                  "id": "U_id"
              },
              "links": {
                  "assignment": ".../v3/OS-INHERIT/projects/P_id/groups/G_id/roles/R_id/inherited_to_projects",
                  "membership": ".../v3/groups/G_id/users/U_id"
              }
          }
      ]
  }

  My questions:
  - Did I misunderstand the sentence
  "The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects)."
  resp. its "anchored to a project"?

  (http://developer.openstack.org/api-ref/identity/v3/index.html?expanded=list-effective-role-assignments-detail,list-domains-detail,list-user-s-inherited-project-roles-on-project-detail,assign-role-to-group-on-projects-owned-by-a-domain-detail,assign-role-to-group-on-projects-in-a-subtree-detail#)

  - Why is there no role assignment to P created by (1)? Is P not
  part of the inheritance?

  I think it is a bug.

  Regards
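
The behaviour discussed in this report, as an added example (not keystone code and not part of the original message): a simplified model in which an inherited assignment applies only to strict descendants of its anchor project, while a direct assignment applies only to the anchor. The project GCP, the in-memory tables and all function names are assumptions made for illustration.

```python
# Constructed model of the OS-INHERIT semantics described in this bug:
# an inherited assignment applies to the anchor's subtree, not to the anchor.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    actor: str        # user id or group id
    role: str
    project: str      # anchor project
    inherited: bool   # True = created via .../inherited_to_projects

# Constructed sample data mirroring the report: P -> CP -> GCP (GCP is hypothetical).
PARENT = {"P": None, "CP": "P", "GCP": "CP"}
GROUPS = {"G": {"U"}}
ASSIGNMENTS = [Assignment("G", "R", "P", inherited=True)]   # call (1) in the report

def ancestors(project, parent=PARENT):
    """Yield the strict ancestors of project, nearest first."""
    seen = set()
    p = parent.get(project)
    while p is not None and p not in seen:   # guard against cyclic data
        seen.add(p)
        yield p
        p = parent.get(p)

def effective_roles(user, project, assignments=ASSIGNMENTS, groups=GROUPS):
    """Roles the user effectively holds on project (direct, group, inherited)."""
    actors = {user} | {g for g, members in groups.items() if user in members}
    above = set(ancestors(project))
    roles = set()
    for a in assignments:
        if a.actor not in actors:
            continue
        if a.inherited and a.project in above:           # anchor is a strict ancestor
            roles.add(a.role)
        elif not a.inherited and a.project == project:   # direct: anchor only
            roles.add(a.role)
    return roles

def audit(user, assignments=ASSIGNMENTS):
    """Per-project view of what the user can actually do in the hierarchy."""
    return {p: sorted(effective_roles(user, p, assignments)) for p in PARENT}

if __name__ == "__main__":
    print(audit("U"))                                    # inherited only
    both = ASSIGNMENTS + [Assignment("G", "R", "P", inherited=False)]
    print(audit("U", both))                              # plus a direct grant on P
```

In this model, access on P itself requires a separate direct assignment in addition to the inherited one.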
