I am playing with nested projects and role inheritance and am somewhat confused by unexpected behaviour. This is on DevStack, stable Mitaka. Am I doing something wrong or is this a bug?
$ openstack role add --user-domain HPE --project sales --user demo anotherrole --inherited
$ openstack role assignment list --project 209241cf64404193bd9cd93f208ff357
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| d36f9533cf7d44f9a432a52c39783def | 980393753dd8416996ae2e1497e0ae09 |       | 209241cf64404193bd9cd93f208ff357 |        | True      |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
$ openstack role assignment list --project 209241cf64404193bd9cd93f208ff357 --names
+-------------+----------+-------+-----------+--------+-----------+
| Role        | User     | Group | Project   | Domain | Inherited |
+-------------+----------+-------+-----------+--------+-----------+
| anotherrole | demo@HPE |       | sales@HPE |        | False     |
+-------------+----------+-------+-----------+--------+-----------+
In case you didn't catch it, when printing IDs the command says that the role is inherited, as expected. When printing names it is not. To add insult to injury, if I try the API directly, the role list for this project is empty. What is going on?
curl -s -H 'x-auth-token: 01a5823b118e4a7793830156a982a1ce' http://192.168.5.10:5000/v3/projects/209241cf64404193bd9cd93f208ff357/users/980393753dd8416996ae2e1497e0ae09/roles | python -m json.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://192.168.5.10:5000/v3/projects/209241cf64404193bd9cd93f208ff357/users/980393753dd8416996ae2e1497e0ae09/roles"
    },
    "roles": []
}
A final grief: Although I specified this role as inherited, the subprojects don't seem to have any role assignments.