keystone-manage role list tenant not working
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
The keystone nova command for listing roles assignments on a tenant does not appear to work
This behavior was observed on natty with keystone version - 2012.1-dev
When performing the following actions with keyston-manage:
# create a tenant
$ keystone-manage tenant add test_tenant
$ keystone-manage tenant list | grep test_tenant
| 50ff971da5a04d4
# create a user
$ keystone-manage user add test_user password test_tenant
SUCCESS: User test_user created.
$ keystone-manage user list | grep test_user
| b830869d9197480
# create a role
$ keystone-manage role add Test_role
SUCCESS: Role Test_role created successfully.
keystone-manage role list | grep Test
| 8 | Test_role | None | None |
# grant that role
$ keystone-manage role grant Test_role test_user test_tenant
SUCCESS: Granted test_user the Test_role role on test_tenant.
The granted row does not show up in test_tenant using role list:
$ keystone-manage role list test_tenant
---------------
| Role assignments for tenant: test_tenant|
---------------
| User | Role |
---------------
---------------
Changed in keystone: | |
status: | New → Confirmed |
Changed in keystone: | |
milestone: | none → essex-4 |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | essex-4 → 2012.1 |
I had a chance to dive a little deeper into the code:
in the following file: keystone /keystone/ backends/ sqlalchemy/ api/tenant. py from get_role_assignment lines 355 - 359
for result in results:
result. user_id = api.USER. id_to_uid( result. user_id)
result. tenant_ id = api.TENANT. id_to_uid( result. tenant_ id)
if hasattr(api.USER, 'uid_to_id'):
if hasattr(api.TENANT, 'uid_to_id'):
This iterates through all of the matching rows and actually *modifies* those rows in a way that breaks them (it replaces the ids with the uids)
It seems inappropriate for a method called get_role_assignment to be updating the role table
All of this code was added as a single commit:
d1d3df0465f6ef1 b14ed71eeed84d9 2c9fe6f256 which is by Ziad Sawalha
It looks like this code was added as a part of some migration from ids to uids as keys
As of keystone-manage 2012.1-dev, it looks like the schema of user_roles has not been updated to use uids instead of ids as the foreign keys
sqlite> .schema user_roles
CREATE TABLE user_roles (
id INTEGER NOT NULL,
user_id INTEGER,
role_id INTEGER,
tenant_id INTEGER,
PRIMARY KEY (id),
UNIQUE (user_id, role_id, tenant_id),
FOREIGN KEY(role_id) REFERENCES roles (id),
FOREIGN KEY(tenant_id) REFERENCES tenants (id),
FOREIGN KEY(user_id) REFERENCES users (id)
doing a quick scan of the migration versions (from master), I can see that user_role has not been updated since the initial migration, so I doubt this has been fixed.
# /keystone/ backends/ sqlalchemy/ migrate_ repo/versions
grep user_role *