roles within domains do not show in auth_ref details

Bug #2035006 reported by Dmitry Veber
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have the following setup:

$ openstack domain list
+----------------------------------+-------------+---------+---------------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+-------------+---------+---------------------------------------------+
| 3eda6a0074144f32b0d6b255f821cc4f | magnum | True | Owns users and projects created by magnum |
| bb2f7b1a50524d24960207af313faae7 | heat | True | Stack projects and users |
| default | Default | True | The default domain |
| e69aa4c1e76b4de1a7c3886aa458717d | example.com | True | |
+----------------------------------+-------------+---------+---------------------------------------------+
$ openstack project list --domain example.com
+----------------------------------+------------+
| ID | Name |
+----------------------------------+------------+
| f81d9cf81bd744649277f37ab32eba62 | operations |
+----------------------------------+------------+
$ openstack role list
+----------------------------------+------------------+
| ID | Name |
+----------------------------------+------------------+
| 14783cf48be54977be5372c086823377 | heat_stack_owner |
| 5140d865c479415fa4652ca06cbfe06e | operator |
| 7d737800fbb7481da8bebfba22f06bc0 | heat_stack_user |
| 8de3b2be221148f89007787419fc765d | admin |
| 8eaed8e42e454b9db8df7e74e32a4086 | reader |
| fa51b8f09b5347a49d7f04ac4d382188 | member |
+----------------------------------+------------------+
$ openstack role list --domain example.com
+----------------------------------+---------+-------------+
| ID | Name | Domain |
+----------------------------------+---------+-------------+
| 6e5430e8b875473f82fdba3a87ad8434 | general | example.com |
| c29ebdcf38034153b06bb85e8f024a2f | admin | example.com |
+----------------------------------+---------+-------------+
$ openstack role assignment list --user tstark --project operations
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 5140d865c479415fa4652ca06cbfe06e | 54b0e8dd049d4fd993bfb78e69d5a8cf | | f81d9cf81bd744649277f37ab32eba62 | | | False |. operator
| 6e5430e8b875473f82fdba3a87ad8434 | 54b0e8dd049d4fd993bfb78e69d5a8cf | | f81d9cf81bd744649277f37ab32eba62 | | | False |. general (example.com)
| 8de3b2be221148f89007787419fc765d | 54b0e8dd049d4fd993bfb78e69d5a8cf | | f81d9cf81bd744649277f37ab32eba62 | | | False |. admin
| c29ebdcf38034153b06bb85e8f024a2f | 54b0e8dd049d4fd993bfb78e69d5a8cf | | f81d9cf81bd744649277f37ab32eba62 | | | False |. admin (example.com)
| fa51b8f09b5347a49d7f04ac4d382188 | 54b0e8dd049d4fd993bfb78e69d5a8cf | | f81d9cf81bd744649277f37ab32eba62 | | | False |. member
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

When I use the Python API to scope into the project operations (which resides in the example.com domain), I get these contents for the output of ... sess.auth.get_access(sess):

    "roles": [
      {
        "id": "5140d865c479415fa4652ca06cbfe06e",
        "name": "operator"
      },
      {
        "id": "8eaed8e42e454b9db8df7e74e32a4086",
        "name": "reader"
      },
      {
        "id": "8de3b2be221148f89007787419fc765d",
        "name": "admin"
      },
      {
        "id": "fa51b8f09b5347a49d7f04ac4d382188",
        "name": "member"
      }
    ],

Note: the above roles array is constructed like so:

    from keystoneauth1 import session as ks_session
    from keystoneauth1.identity import v3

    auth_params = {...}  # auth_url, project/domain scope, etc. (elided in the report)
    sess = ks_session.Session(auth=v3.Password(username="tstark", password=password, **auth_params))
    # get_access() returns the AccessInfo built from the token response
    auth_ref = sess.auth.get_access(sess)
    # role_ids and role_names are parallel lists read from the token's "roles" array
    roles = [{
        "id": auth_ref.role_ids[i],
        "name": auth_ref.role_names[i]
    } for i in range(len(auth_ref.role_names))]

For reference, the contents of auth_ref.[project_id, project_name, project_domain_id, project_domain_name] are being reported as below, so I know for sure that my auth params are correct in my app. In fact, I am able to do whatever I want inside the operations project using the token that is a part of this:

    "scope": {
      "project": {
        "domain": {
          "id": "e69aa4c1e76b4de1a7c3886aa458717d",
          "name": "example.com"
        },
        "id": "f81d9cf81bd744649277f37ab32eba62",
        "name": "operations"
      }
    },

THE ISSUE
- Note that the reported roles from auth_ref are missing general (example.com) and admin (example.com), but they include all the roles that are not associated with a domain.
- This is despite the fact that the role assignments are clearly defined for these example.com roles.

I realize that the auth system is in the middle of a re-work as discussed in https://bugs.launchpad.net/bugs/2017056, so this may be a regression.

What I want to know is ... is this a bug, or am I missing something?
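The following is an added example, not the reporter's code and not keystoneauth1's own source. keystoneauth1's AccessInfoV3 derives role_ids and role_names from the "roles" list inside the token body keystone returned, so a role that is absent from role_names is absent from the token itself rather than dropped by the client. The script below reproduces that read over a constructed token body carrying the ids from the report, and then compares the token's roles against the explicit assignments from the role assignment listing, separating domain-specific roles from global ones. Matching is done on role ids because the report has two distinct roles named admin (one global, one in example.com); matching on names would conflate them. The sample token body and the ASSIGNED_ROLES list are constructed for this example.

```python
import json

# Constructed sample: a keystone v3 project-scoped token body, shaped like the
# response that keystoneauth1's AccessInfoV3 wraps. Ids and names are copied
# from the bug report above; the structure is the standard v3 token format.
SAMPLE_TOKEN_BODY = json.loads("""
{
  "token": {
    "roles": [
      {"id": "5140d865c479415fa4652ca06cbfe06e", "name": "operator"},
      {"id": "8eaed8e42e454b9db8df7e74e32a4086", "name": "reader"},
      {"id": "8de3b2be221148f89007787419fc765d", "name": "admin"},
      {"id": "fa51b8f09b5347a49d7f04ac4d382188", "name": "member"}
    ],
    "project": {
      "domain": {"id": "e69aa4c1e76b4de1a7c3886aa458717d", "name": "example.com"},
      "id": "f81d9cf81bd744649277f37ab32eba62",
      "name": "operations"
    }
  }
}
""")

# Constructed from the `openstack role assignment list` output in the report:
# the explicit assignments for tstark on project operations, with the domain
# each role belongs to (None means a global role).
ASSIGNED_ROLES = [
    {"id": "5140d865c479415fa4652ca06cbfe06e", "name": "operator", "domain": None},
    {"id": "6e5430e8b875473f82fdba3a87ad8434", "name": "general", "domain": "example.com"},
    {"id": "8de3b2be221148f89007787419fc765d", "name": "admin", "domain": None},
    {"id": "c29ebdcf38034153b06bb85e8f024a2f", "name": "admin", "domain": "example.com"},
    {"id": "fa51b8f09b5347a49d7f04ac4d382188", "name": "member", "domain": None},
]


def token_roles(body):
    """The same data AccessInfoV3.role_ids / role_names expose: the token's roles list."""
    return [(r["id"], r["name"]) for r in body["token"].get("roles", [])]


def token_scope(body):
    """Project scope of the token, or None when the token is not project-scoped."""
    project = body["token"].get("project")
    if project is None:
        return None
    return {
        "project_id": project["id"],
        "project_name": project["name"],
        "project_domain_id": project["domain"]["id"],
        "project_domain_name": project["domain"]["name"],
    }


def assigned_not_in_token(assigned, body):
    """Explicit assignments whose role id does not appear in the token, split into
    domain-specific and global roles. A non-empty 'global' list would be the
    genuinely surprising case; domain-specific entries match the report."""
    in_token = {rid for rid, _ in token_roles(body)}
    missing = [r for r in assigned if r["id"] not in in_token]
    return {
        "domain_specific": [(r["name"], r["domain"]) for r in missing if r["domain"] is not None],
        "global": [r["name"] for r in missing if r["domain"] is None],
    }


def in_token_not_assigned(assigned, body):
    """Roles present in the token without an explicit assignment (implied roles)."""
    assigned_ids = {r["id"] for r in assigned}
    return [name for rid, name in token_roles(body) if rid not in assigned_ids]


if __name__ == "__main__":
    print("scope:", token_scope(SAMPLE_TOKEN_BODY))
    print("token roles:", [name for _, name in token_roles(SAMPLE_TOKEN_BODY)])
    print("assigned but not in token:", assigned_not_in_token(ASSIGNED_ROLES, SAMPLE_TOKEN_BODY))
    print("in token but not assigned:", in_token_not_assigned(ASSIGNED_ROLES, SAMPLE_TOKEN_BODY))
```

Run against the report's data, the check lists general (example.com) and admin (example.com) as assigned but absent from the token, no global role as missing, and reader as present in the token without an explicit assignment. That pattern is consistent with keystone's documented handling of domain-specific roles, which are expanded to the global roles they imply rather than placed in the token themselves (reader here being implied by the global admin/member chain); whether that is the intended behaviour for this setup is the question the report raises. For an audit of effective permissions, the token's roles list is what policy enforcement sees, so this comparison is the one to run rather than relying on the assignment listing alone.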
