Effective Roles for Group Membership

asked 2018-10-09 09:19:10 -0500


I have a Keystone installation set up with LDAP acting as an Identity Provider for a domain. I've completed this configuration, and can list users and groups, as well as list the groups a user is a member of, all via the openstack CLI.

I've created projects to represent services that will use Keystone to authenticate/authorize users. I'm creating roles, and would like to join the role, project, and LDAP group, basically mapping the group to a role. I've verified my users/groups are in mydomain via openstack user list --domain mydomain and openstack group list --domain mydomain, respectively, and that the user/group mappings work via openstack group list --domain mydomain --user testuser --user-domain mydomain, and that testuser is a member of mygroup. So I've done the following via the openstack CLI to try and assign a role to a group:

openstack domain create mydomain
openstack project create --domain mydomain myproject
openstack role create --domain mydomain myrole
openstack role add --group mygroup --group-domain mydomain --project myproject --project-domain mydomain --role-domain mydomain myrole

and verified the group is assigned to the role:

openstack role assignment list --project myproject --project-domain mydomain --names

So what I would expect is that if I checked what roles my test user is assigned to via:

openstack role assignment list --project myproject --project-domain mydomain --user testuser --user-domain mydomain --names --effective

I would see that it has the role myrole, but nothing is returned. I don't see any errors in the keystone logs, and see that keystone queries the ldap server for testuser and its group membership.

I created a second role and assigned testuser directly to it:

openstack role add --user testuser --user-domain mydomain --project myproject --role-domain mydomain second_role

and verified the assignment via:

openstack role assignment list --project myproject --project-domain mydomain --names

but adding --effective to the above command returns blank, so I suspect the problem lies somewhere around determining effective role assignment. Any help would be appreciated!



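The following is an added illustration, not Keystone's code and not part of the question above. It models the three expansions that an effective assignment listing performs: a role granted to a group reaches each member of that group; a domain-scoped assignment reaches the domain's projects only when it was made with --inherited; and a domain-specific role (one created with --domain, as myrole and second_role were) is not reported itself but is replaced by the global roles it implies, so a domain-specific role with no implied role contributes nothing to the effective view. The names mydomain, myproject, mygroup, testuser, myrole and second_role are taken from the question; the global role `reader` and the Directory/Assignment classes are assumptions made for this model.

```python
"""Model of how Keystone computes effective role assignments.

Added example, not Keystone code.  Directory holds what the question's
`openstack` commands would have stored; effective_roles() reproduces what
`openstack role assignment list --effective` is expected to report.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assignment:
    """One row of the non-effective `openstack role assignment list` view."""
    actor_type: str      # "user" or "group"
    actor: str
    target_type: str     # "project" or "domain"
    target: str
    role: str
    inherited: bool = False   # domain assignment made with --inherited


@dataclass
class Directory:
    group_members: dict = field(default_factory=dict)   # group -> {users}
    project_domain: dict = field(default_factory=dict)  # project -> domain
    role_domain: dict = field(default_factory=dict)     # role -> domain, None = global
    implied: dict = field(default_factory=dict)         # prior role -> {implied roles}
    assignments: list = field(default_factory=list)

    def groups_of(self, user):
        # Equivalent of `openstack group list --user <user>` against LDAP.
        return {g for g, members in self.group_members.items() if user in members}

    def applies(self, a, user, project):
        """Does assignment `a` reach `user` acting on `project`?"""
        if a.actor_type == "user":
            actor_ok = a.actor == user
        else:
            actor_ok = a.actor in self.groups_of(user)
        if a.target_type == "project":
            target_ok = a.target == project
        else:
            # A domain-scoped grant only reaches projects when inherited.
            target_ok = a.inherited and self.project_domain.get(project) == a.target
        return actor_ok and target_ok

    def expand(self, role):
        """Transitive implied-role closure of `role`, keeping only global roles.

        Domain-specific roles act as prefixes for implied roles and are
        dropped from the effective view themselves.
        """
        seen, stack, out = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            if self.role_domain.get(r) is None:
                out.add(r)
            stack.extend(self.implied.get(r, ()))
        return out

    def effective_roles(self, user, project):
        """Roles `user` effectively holds on `project` (the --effective view)."""
        out = set()
        for a in self.assignments:
            if self.applies(a, user, project):
                out |= self.expand(a.role)
        return out


def question_setup():
    """Constructed state matching the commands in the question above."""
    d = Directory(
        group_members={"mygroup": {"testuser"}},
        project_domain={"myproject": "mydomain"},
        role_domain={"myrole": "mydomain", "second_role": "mydomain", "reader": None},
    )
    d.assignments += [
        Assignment("group", "mygroup", "project", "myproject", "myrole"),
        Assignment("user", "testuser", "project", "myproject", "second_role"),
    ]
    return d


if __name__ == "__main__":
    d = question_setup()
    print("domain-specific roles only:", d.effective_roles("testuser", "myproject"))
    d.implied["myrole"] = {"reader"}   # assumed: myrole implies global role reader
    print("after adding an implied role:", d.effective_roles("testuser", "myproject"))
```

Run as-is, the first listing is empty, which is the behaviour the question reports: both assignments exist, but neither role is global and neither implies a global role, so the effective view has nothing to show. Once myrole is made to imply a global role (in the model, `reader`), the group-based grant surfaces for testuser through LDAP group membership, which is the check to run before suspecting the membership lookup itself.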