keystone-manage role list tenant not working
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
The keystone nova command for listing roles assignments on a tenant does not appear to work
This behavior was observed on natty with keystone version - 2012.1-dev
When performing the following actions with keyston-manage:
# create a tenant
$ keystone-manage tenant add test_tenant
$ keystone-manage tenant list | grep test_tenant
| 50ff971da5a04d4
# create a user
$ keystone-manage user add test_user password test_tenant
SUCCESS: User test_user created.
$ keystone-manage user list | grep test_user
| b830869d9197480
# create a role
$ keystone-manage role add Test_role
SUCCESS: Role Test_role created successfully.
keystone-manage role list | grep Test
| 8 | Test_role | None | None |
# grant that role
$ keystone-manage role grant Test_role test_user test_tenant
SUCCESS: Granted test_user the Test_role role on test_tenant.
The granted row does not show up in test_tenant using role list:
$ keystone-manage role list test_tenant
---------------
| Role assignments for tenant: test_tenant|
---------------
| User | Role |
---------------
---------------
| Changed in keystone: | |
| status: | New → Confirmed |
| Dan Bode (bodepd) wrote | #1 |
| Dan Bode (bodepd) wrote | #2 |
| Jay Pipes (jaypipes) wrote | #3 |
| Dolph Mathews (dolph) wrote | #4 |
| Changed in keystone: | |
| status: | Confirmed → Fix Committed |
| Changed in keystone: | |
| milestone: | none → essex-4 |
| Changed in keystone: | |
| status: | Fix Committed → Fix Released |
| Changed in keystone: | |
| milestone: | essex-4 → 2012.1 |
I had a chance to dive a little deeper into the code:
in the following file: keystone /keystone/
for result in results:
if hasattr(api.USER, 'uid_to_id'):
if hasattr(api.TENANT, 'uid_to_id'):
This iterates through all of the matching rows and actually *modifies* those rows in a way that breaks them (it replaces the ids with the uids)
It seems inappropriate for a method called get_role_assignment to be updating the role table
All of this code was added as a single commit:
d1d3df0465f6ef1
It looks like this code was added as a part of some migration from ids to uids as keys
As of keystone-manage 2012.1-dev, it looks like the schema of user_roles has not been updated to use uids instead of ids as the foreign keys
sqlite> .schema user_roles
CREATE TABLE user_roles (
id INTEGER NOT NULL,
user_id INTEGER,
role_id INTEGER,
tenant_id INTEGER,
PRIMARY KEY (id),
UNIQUE (user_id, role_id, tenant_id),
FOREIGN KEY(role_id) REFERENCES roles (id),
FOREIGN KEY(tenant_id) REFERENCES tenants (id),
FOREIGN KEY(user_id) REFERENCES users (id)
doing a quick scan of the migration versions (from master), I can see that user_role has not been updated since the initial migration, so I doubt this has been fixed.
# /keystone/
grep user_role *