How to use OS-INHERIT in keystone

asked 2015-08-10 10:57:14 -0500 by pentatonic

updated 2015-08-10 14:05:27 -0500 by smaffulli

Using Kilo, I'm looking for a way to automatically have all roles assigned in all domains inherited to all users and groups in the respective projects. In other words, I'd like to have full inheritance work without having to assign role inheritance for individual users and groups, per domain. I'm looking at and following this spec page, which seems to give me what I'm looking for:

I'm having some problems getting OS-INHERIT to work. I enabled the os_inherit extension in the keystone.conf file.

I'm able to PUT a project role inheritance record but not get it back.

PUT: https://{{host}}:{{port}}/v3/OS-INHERIT/domains/288b1c4d3f7b43a4b8708016d9ae3ec5/users/257cc461fde84f8aac1af1b42a7314f2/roles/daa86839ba154426ad34a95975d2d188/inherited_to_projects

(I noticed though that it validates domain, roles, but not user. The PUT succeeds if I put an invalid user.)

HEAD on the same path above returns 404. Also, this

GET: https://{{host}}:{{port}}/v3/OS-INHERIT/domains/288b1c4d3f7b43a4b8708016d9ae3ec5/users/257cc461fde84f8aac1af1b42a7314f2/roles/inherited_to_projects

returns 200, but an empty list of roles.

So somehow, the PUT doesn't stick, I'm not sure why. Consequently, I'm also not able to get a project token with expected roles from the domain etc.



Interestingly, this works with groups. In other words, if I do a PUT /v3/OS-INHERIT/domains/d/groups/g/roles/x then, a user from that group g can get a project scoped token with role x in any project of domain d.

It doesn't seem to be working when using the inherited grant on users directly.

pentatonic ( 2015-08-12 16:01:38 -0500 )
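The sequence the question and the follow-up comment describe (PUT the inherited grant, HEAD it, GET the list, compare users against groups) can be turned into a repeatable check. The following is an added example, not code from the original post or from Keystone itself. It builds the Keystone v3 OS-INHERIT URLs, performs the grant, and reports whether the grant actually "stuck", with the HTTP transport passed in as a function so the same logic runs against a live endpoint or a recorded response set. It assumes a reachable Keystone v3 base URL and a sufficiently privileged token (both read from environment variables named here as placeholders, `OS_BASE_URL` and `OS_TOKEN`); the domain, user and role ids in the usage section are the ones quoted in the question. Because the question notes that the PUT succeeded for a non-existent user, the check also looks the actor up first: an inherited grant applies to every project in the domain, so confirming it landed on the intended user or group is worth one extra request.

```python
"""Verify that a Keystone v3 OS-INHERIT grant actually took effect.

Added example; not part of the original post. Endpoint paths follow the
Keystone v3 OS-INHERIT API (PUT/HEAD/DELETE on .../roles/{role_id}/
inherited_to_projects, GET on .../roles/inherited_to_projects).
"""
import json
import os
import sys
from typing import Callable, Dict, Tuple

# A transport takes (method, url, headers) and returns (status_code, body_text).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def inherit_paths(domain_id: str, actor_kind: str, actor_id: str, role_id: str) -> Tuple[str, str]:
    """Return (grant_path, list_path) for an inherited domain role assignment.

    actor_kind is "users" or "groups". grant_path accepts PUT/HEAD/DELETE;
    list_path accepts GET and answers with {"roles": [...]}.
    """
    if actor_kind not in ("users", "groups"):
        raise ValueError("actor_kind must be 'users' or 'groups'")
    prefix = f"/v3/OS-INHERIT/domains/{domain_id}/{actor_kind}/{actor_id}/roles"
    return f"{prefix}/{role_id}/inherited_to_projects", f"{prefix}/inherited_to_projects"


def verify_inherited_grant(transport: Transport, base_url: str, token: str,
                           domain_id: str, actor_kind: str, actor_id: str,
                           role_id: str) -> Dict[str, bool]:
    """PUT the grant, then confirm it three ways and report what stuck.

    1. The actor must exist: Keystone accepted the PUT for a bad user id in
       the question, so a mistyped id would otherwise 'succeed' silently.
    2. HEAD on the grant URL returns 204 when the assignment exists.
    3. GET on the list URL must include role_id.
    """
    headers = {"X-Auth-Token": token, "Accept": "application/json"}
    grant_path, list_path = inherit_paths(domain_id, actor_kind, actor_id, role_id)

    actor_status, _ = transport("GET", f"{base_url}/v3/{actor_kind}/{actor_id}", headers)
    put_status, _ = transport("PUT", base_url + grant_path, headers)
    head_status, _ = transport("HEAD", base_url + grant_path, headers)
    list_status, body = transport("GET", base_url + list_path, headers)

    roles = []
    if list_status == 200 and body:
        roles = [r.get("id") for r in json.loads(body).get("roles", [])]

    return {
        "actor_exists": actor_status == 200,
        "put_accepted": put_status == 204,
        "head_ok": head_status == 204,
        "listed": role_id in roles,
        "grant_effective": actor_status == 200 and head_status == 204 and role_id in roles,
    }


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Standard-library transport for a live Keystone endpoint (assumed reachable)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Placeholder environment variable names; ids below are the ones from the question.
    base = os.environ.get("OS_BASE_URL", "https://keystone.example.invalid:5000")
    token = os.environ.get("OS_TOKEN", "<admin-token>")
    outcome = verify_inherited_grant(
        urllib_transport, base, token,
        "288b1c4d3f7b43a4b8708016d9ae3ec5", "users",
        "257cc461fde84f8aac1af1b42a7314f2", "daa86839ba154426ad34a95975d2d188",
    )
    print(json.dumps(outcome, indent=2))
    sys.exit(0 if outcome["grant_effective"] else 1)
```

Running it with `actor_kind="groups"` and a group id reproduces the comparison in the comment: a grant that is effective shows `head_ok` and `listed` as true, whereas the behaviour described in the question (PUT accepted, HEAD 404, empty GET list) leaves `grant_effective` false even though `put_accepted` is true, which is exactly the "doesn't stick" symptom.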