OpenStack Identity (keystone)

Role Assignment Incorrectly Reports Inheritance when --name is Used

Bug #1625230 reported by Sean Carlisle
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Samuel de Medeiros Queiroz
OpenStack Identity (keystone) ocata-2 "o2"

Bug Description

When retrieving role assignments via the openstack client, passing the --name flag will cause Keystone to not return the value of inherited, so openstack client always reports false.

My test environment is an OSA AIO using OSA 13.1.3, which is using Keystone commit 87d67946e75db2ec2a6af72447211ca1ee291940.

Steps to reproduce:
* assign a role to a user on a domain and pass --inherited, so the role will be inherited to the domain's projects
* run "openstack role assignment list --user <user> --name"

Example output with debug request response without --name:

:~# openstack --debug role assignment list --user 14bc7c6869374b33bd5125f6c61d44b9
...
REQ: curl -g -i -X GET http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}65c4fb6823ecccbf9441b041c2764e9eb2424fca"
"GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9 HTTP/1.1" 200 586
RESP: [200] Content-Length: 586 Vary: X-Auth-Token Server: Apache Date: Mon, 19 Sep 2016 15:07:23 GMT Content-Type: application/json x-openstack-request-id: req-0ace9479-bb24-423c-8269-83da8a57ff6f
RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1"}, "OS-INHERIT:inherited_to": "projects"}, "role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab"}, "user": {"id": "14bc7c6869374b33bd5125f6c61d44b9"}, "links": {"assignment": "http://172.29.236.100:35357/v3/OS-INHERIT/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab/inherited_to_projects"}}], "links": {"self": "http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9", "previous": null, "next": null}}

+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 14bc7c6869374b33bd5125f6c61d44b9 | | | c000bbc3b52f41fe99e9f560666b36f1 | True |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

Example output with debug request response with --name:

:~# openstack --debug role assignment list --user 14bc7c6869374b33bd5125f6c61d44b9 --name
...
REQ: curl -g -i -X GET http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}1ee295769134d215d26474bfc59704338ddbfb52"
"GET /v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True HTTP/1.1" 200 681
RESP: [200] Content-Length: 681 Vary: X-Auth-Token Server: Apache Date: Mon, 19 Sep 2016 15:08:52 GMT Content-Type: application/json x-openstack-request-id: req-70f3eb92-0cdd-4a02-866c-e8d1b2cbd113
RESP BODY: {"role_assignments": [{"scope": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}}, "role": {"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}, "user": {"domain": {"id": "c000bbc3b52f41fe99e9f560666b36f1", "name": "mytestdomain"}, "id": "14bc7c6869374b33bd5125f6c61d44b9", "name": "testdomainuser"}, "links": {"assignment": "http://172.29.236.100:35357/v3/domains/c000bbc3b52f41fe99e9f560666b36f1/users/14bc7c6869374b33bd5125f6c61d44b9/roles/9fe2ff9ee4384b1894a90878d3e92bab"}}], "links": {"self": "http://172.29.236.100:35357/v3/role_assignments?user.id=14bc7c6869374b33bd5125f6c61d44b9&include_names=True", "previous": null, "next": null}}

+----------+-----------------------------+-------+---------+--------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------+-----------------------------+-------+---------+--------------+-----------+
| _member_ | testdomainuser@mytestdomain | | | mytestdomain | False |
+----------+-----------------------------+-------+---------+--------------+-----------+

Thanks,

Sean

Steve Martinelli (stevemar)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Kanika Singh (kanikasingh-1490)
Changed in keystone:
assignee: nobody → Kanika Singh (kanikasingh-1490)
OpenStack Infra (hudson-openstack)
Changed in keystone:
status: Confirmed → In Progress
Steve Martinelli (stevemar)
Changed in keystone:
milestone: none → ocata-1
Steve Martinelli (stevemar)
Changed in keystone:
milestone: ocata-1 → ocata-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/407558

Changed in keystone:
assignee: Kanika Singh (kanikasingh-1490) → Samuel de Medeiros Queiroz (samueldmq)
Samuel de Medeiros Queiroz (samueldmq)
Changed in keystone:
assignee: Samuel de Medeiros Queiroz (samueldmq) → Kanika Singh (kanikasingh-1490)
OpenStack Infra (hudson-openstack)
Changed in keystone:
assignee: Kanika Singh (kanikasingh-1490) → Samuel de Medeiros Queiroz (samueldmq)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/407558
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=aa531a001a31b757fa12412bf0eb84e4c8d67bb0
Submitter: Jenkins
Branch: master

commit aa531a001a31b757fa12412bf0eb84e4c8d67bb0
Author: Samuel de Medeiros Queiroz <email address hidden>
Date: Tue Dec 6 11:57:41 2016 -0300

    Add test to expose bug 1625230

    When listing role assignments with ?include_names, the inheritance flag
    was not returned properly.

    Related-Bug: #1625230

    Change-Id: Ibe467246da90d30cb40564667642056da4816139

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/380973
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b9890f81205f461da82c19fd39cf3f50a3aa945d
Submitter: Jenkins
Branch: master

commit b9890f81205f461da82c19fd39cf3f50a3aa945d
Author: Kanika Singh <email address hidden>
Date: Mon Oct 3 13:49:37 2016 +0530

    Get assignments with names honors inheritance flag

    When listing role assignments with the ?include_names option,
    the inheritance flag was not honored.

    This change fixes that behavior and enables the test that was
    submitted in the parent patch.

    Co-Authored-By: Samuel de Medeiros Queiroz <email address hidden>

    Closes-Bug: #1625230

    Change-Id: Ic0d32f3e47ee82015d86cec8b7502a440b66c021

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 11.0.0.0b2

This issue was fixed in the openstack/keystone 11.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.