OpenStack Identity (keystone)

fetching role assignments should handle domain IDs in addition to project IDs

Bug #1860478 reported by Harry Rybacki on 2020-01-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Triaged	Low	Unassigned

Bug Description

Description of problem:

Note: This affects releases in Queens+ (could be further back but I have only verified in Queens and Stein so far)

It is possible to pass through a domain ID as a project name while assigning a role to a user e.g.:

$ openstack domain show test-domain

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 8de8ce3beda54ff6a2c897aaad71847b |
| name | test-domain |
| options | {} |
| tags | [] |
+-------------+----------------------------------+

$ openstack role add --user test-user --user-domain --project 8de8ce3beda54ff6a2c897aaad71847b --project-domain test-domain --inherited ResellerAdmin

However, this breaks the ability to pull a role assignment list e.g.:

$ openstack role assignment list --user-domain test-domain --user test-user --names

---

Actual results:

Returns a list of role assignments for test-user

Expected results:

object of type 'NoneType' has no len() (HTTP 400) (Request-ID: req-636e0da4-4562-4aa3-a3f5-64ea1317e940)

---

How to reproduce:

$ openstack domain list

$ openstack domain create test-domain

$ openstack user create test-user --domain test-domain --password-prompt

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | 0cccd870c9a24cd09032ce489f5c1962 |
| name | test-user |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

$ openstack project create test-parent-project --domain test-domain

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | dab81d58b96e4105b7fd68235ff0eacb |
| is_domain | False |
| name | test-parent-project |
| options | {} |
| parent_id | 8de8ce3beda54ff6a2c897aaad71847b |
| tags | [] |
+-------------+----------------------------------+

$ openstack project create test-sub-project --parent test-parent-project --domain test-domain

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 8de8ce3beda54ff6a2c897aaad71847b |
| enabled | True |
| id | 841bc53fff6d47788b85309e08ec39d8 |
| is_domain | False |
| name | test-sub-project |
| options | {} |
| parent_id | dab81d58b96e4105b7fd68235ff0eacb |
| tags | [] |
+-------------+----------------------------------+

$ openstack role add --user test-user --user-domain test-domain --project
8de8ce3beda54ff6a2c897aaad71847b --project-domain test-domain --inherited ResellerAdmin

$ openstack role assignment list --user-domain test-domain --user test-user --names

object of type 'NoneType' has no len() (HTTP 400) (Request-ID: req-636e0da4-4562-4aa3-a3f5-64ea1317e940)

Harry Rybacki (hrybacki-h) on 2020-01-21

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Low

Revision history for this message

Harry Rybacki (hrybacki-h) wrote on 2020-01-21:

I've created a story against OSC[1] to resolve the issue of how we are handling `domain IDs` being handed in as arguments for --project

[1] - https://storyboard.openstack.org/#!/story/2007194

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.