
Does Keystone v3 in Havana really support assigning roles to a group in a project? [closed]

asked 2014-03-18 22:31:01 -0600

9lives

updated 2014-03-18 23:37:14 -0600

Hi all,

I am trying to integrate Keystone with LDAP. Everything went fine except when we need to have Keystone assign roles to a certain group in a certain project. After checking the API reference, I know Keystone v3 should support this; checking the source code, I found this in routers.py in the assignment package.

...
mapper.connect('/projects/{project_id}/groups/{group_id}/roles/{role_id}',
               controller=role_controller,
               action='create_grant',
               conditions=dict(method=['PUT']))
...

and found the mapped function in controller.py:

...
@controller.protected(callback=_check_grant_protection)
def create_grant(self, context, role_id, user_id=None,
                 group_id=None, domain_id=None, project_id=None):
    """Grants a role to a user or group on either a domain or project."""
    self._require_domain_xor_project(domain_id, project_id)
    self._require_user_xor_group(user_id, group_id)

    self.assignment_api.create_grant(
        role_id, user_id, group_id, domain_id, project_id,
        self._check_if_inherited(context))
...

However, when I called this API using curl, as the following detailed steps show, Keystone returned a 404 error. Does this mean it is a bug, or has this feature not been tested yet?

Thanks!

Vic

Detailed steps for trying to assign roles to a group on a certain project:

1. install openstack by devstack

2. find the project/tenant id for 'admin' project.

+----------------------------------+--------------------+---------+
|                id                |        name        | enabled |
+----------------------------------+--------------------+---------+
| 8cd150c0ade44c088c690d8299f7f864 |       admin        |   True  |
| 6eae14a888a24a79bb6467606dc1bc85 |        demo        |   True  |
| 79c35615f1364faa994bb2709bc68b9e | invisible_to_admin |   True  |
| d4a567db1e214d8a824e9ffa1166980f |      service       |   True  |
+----------------------------------+--------------------+---------+

3. find the admin role id

+----------------------------------+---------------+
|                id                |      name     |
+----------------------------------+---------------+
| 49ae4086ad9748eaba414cde45d14fe6 |     Member    |
| caaf0dba79694ce885ceee9d2de85bf7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab |    _member_   |
| f47d41c1265848aa840bff78b6c89960 |     admin     |
| e0c595a137e44897a25191324368c0ac |  anotherrole  |
| 5c76abac5989429aaca179db0ef2bcdb |    service    |
+----------------------------------+---------------+
4. create a new group using v3

    curl -X POST -H"X-Auth-Token:admin" -H"Content-Type:application/json" http://192.168.56.110:35357/v3/groups -d @group-create.json | python -mjson.tool

group-create.json content:

{
    "group": {
        "description": "Vic's test group",
        "domain_id": "default",
        "name": "testgroup"
    }
}
5. try to assign the admin role to the created group in admin project

curl -X POST -H"X-Auth-Token:admin" -H"Content-Type:application/json" http://192.168.56.110:35357/v3/projec... 3549176b496941598607d222d3bcf6e0/roles/f47d41c1265848aa840bff78b6c89960 | python -mjson.tool

404 Error shows:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    93  100    93    0     0   8257      0 --:--:-- --:--:-- --:--:--  9300
{
    "error": {
        "code": 404, 
        "message": "The resource could not be found.", 
        "title": "Not Found"
    }
}

Closed for the following reason the question is answered, right answer was accepted by 9lives
close date 2014-03-19 01:40:36.174735

2 answers


answered 2014-03-19 01:22:28 -0600

9lives

Oh, my bad. Thanks, Haneef, for helping me out. :)

I corrected the method to PUT and it works! Grant the admin role to testgroup in project admin:

vagrant@openstack-dev1:/opt/openstack/keystone$ curl -i  -X PUT  -H"X-Auth-Token:admin" -H"Content-Type:application/json" http://192.168.56.110:35357/v3/projects/8cd150c0ade44c088c690d8299f7f864/groups/3549176b496941598607d222d3bcf6e0/roles/f47d41c1265848aa840bff78b6c89960
HTTP/1.1 204 No Content
Vary: X-Auth-Token
Content-Length: 0
Date: Wed, 19 Mar 2014 06:19:32 GMT

List the granted role:

vagrant@openstack-dev1:/opt/openstack/keystone$ curl   -X GET  -H"X-Auth-Token:admin" -H"Content-Type:application/json" http://192.168.56.110:35357/v3/projects/8cd150c0ade44c088c690d8299f7f864/groups/3549176b496941598607d222d3bcf6e0/roles | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   335  100   335    0     0  12677      0 --:--:-- --:--:-- --:--:-- 13400
{
    "links": {
        "next": null, 
        "previous": null, 
        "self": "http://192.168.56.110:5000/v3/projects/8cd150c0ade44c088c690d8299f7f864/groups/3549176b496941598607d222d3bcf6e0/roles"
    }, 
    "roles": [
        {
            "id": "f47d41c1265848aa840bff78b6c89960", 
            "links": {
                "self": "http://192.168.56.110:5000/v3/roles/f47d41c1265848aa840bff78b6c89960"
            }, 
            "name": "admin"
        }
    ]
}

answered 2014-03-19 00:11:47 -0600

It is PUT not POST. You are using POST in curl

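Why the POST in the question came back as 404, as an added example that is not part of the original thread and is not Keystone or Routes code: a simplified model of the two routes shown above, in which the HTTP method is part of the route match. The `Router` class, the in-memory grant store and the handler bodies are assumptions made for illustration.

```python
import re

# Simplified model of the two routes shown on this page. Names and the
# in-memory store are constructed for illustration; this is not Keystone code.
GRANT = "/projects/{project_id}/groups/{group_id}/roles/{role_id}"
LIST = "/projects/{project_id}/groups/{group_id}/roles"

def compile_template(template):
    """Turn '/a/{x}/b' into a regex with one named group per placeholder."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")

class Router:
    def __init__(self):
        self.routes = []          # (regex, allowed methods, handler)
        self.grants = {}          # (project_id, group_id) -> set of role ids

    def connect(self, template, methods, handler):
        self.routes.append((compile_template(template), set(methods), handler))

    def dispatch(self, method, path):
        for regex, methods, handler in self.routes:
            m = regex.match(path)
            # The method is part of the match condition: a path that matches
            # with the wrong verb is skipped like any other non-matching route.
            if m and method in methods:
                return handler(self, **m.groupdict())
        return 404, {"error": {"code": 404, "title": "Not Found"}}

def create_grant(router, project_id, group_id, role_id):
    router.grants.setdefault((project_id, group_id), set()).add(role_id)
    return 204, None

def list_grants(router, project_id, group_id):
    roles = sorted(router.grants.get((project_id, group_id), set()))
    return 200, {"roles": [{"id": r} for r in roles]}

def build_router():
    router = Router()
    router.connect(GRANT, ["PUT"], create_grant)
    router.connect(LIST, ["GET"], list_grants)
    return router

if __name__ == "__main__":
    r = build_router()
    url = ("/projects/8cd150c0ade44c088c690d8299f7f864"
           "/groups/3549176b496941598607d222d3bcf6e0"
           "/roles/f47d41c1265848aa840bff78b6c89960")
    print(r.dispatch("POST", url))                    # method mismatch
    print(r.dispatch("PUT", url))                     # grant created
    print(r.dispatch("GET", url.rsplit("/", 1)[0]))   # verify the grant
```

Because a wrong verb and a wrong ID both end in the same 404 in this model, reading the grant back with the GET listing, as the accepted answer does, is the reliable confirmation that a role assignment took effect.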