It's not. Basically the problem is here:
https://github.com/openstack/keystone/commit/b20302aa3e08421295140576d0aeea2fa9e34188#L6L117
and here:
https://github.com/openstack/keystone/commit/b20302aa3e08421295140576d0aeea2fa9e34188#L2R22
The metadata table was recreated as user_project_metadata, and only implicit roles due to project membership were migrated, not explicit roles from the metadata table itself.
There's also the additional problem that existing deployments will generally already have a "Member" role, so once the above migration is done properly you will have a mess of _member_ and Member roles. Ideally I'd be able to set member_role_name and member_role_id in the conf to point to the existing member role and the migration would (1) add that role only if it didn't exist already and (2) add any missing Member role grants iff they don't already exist. Having "_member_" show up in the cli/dashboard is also really ugly...
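The migration behaviour asked for in the comment above, as an added example that is not Keystone's migration code and not part of the original comment: explicit role grants are carried over, an existing member role is reused, and membership-derived grants are added only where missing. The in-memory data model, the function name `migrate_memberships` and the sample records are assumptions made for illustration; `member_role_name` and `member_role_id` mirror the config options the comment proposes.

```python
import uuid


def migrate_memberships(roles, memberships, legacy_metadata,
                        member_role_name="Member", member_role_id=None):
    """Merge implicit memberships and explicit grants without losing either.

    roles           -- dict: role_id -> role name (mutated if a role is created)
    memberships     -- set of (user_id, project_id) implicit memberships
    legacy_metadata -- dict: (user_id, project_id) -> {"roles": [role_id, ...]}
    Returns (member_role_id, grants), grants: (user_id, project_id) -> [role_id].
    """
    # (1) Reuse the configured role by id, then by name; create it only if absent.
    role_id = member_role_id if member_role_id in roles else None
    if role_id is None:
        role_id = next((rid for rid, name in roles.items()
                        if name == member_role_name), None)
    if role_id is None:
        role_id = member_role_id or uuid.uuid4().hex
        roles[role_id] = member_role_name

    # Carry over explicit grants from the old metadata, de-duplicated in order.
    grants = {key: list(dict.fromkeys(data.get("roles", [])))
              for key, data in legacy_metadata.items()}

    # (2) Add the member grant only where the pair does not already hold it.
    for key in memberships:
        assigned = grants.setdefault(key, [])
        if role_id not in assigned:
            assigned.append(role_id)
    return role_id, grants


def demo():
    # Constructed sample data: a deployment that already has a "Member" role.
    roles = {"r1": "Member", "r2": "admin"}
    memberships = {("alice", "p1"), ("bob", "p1")}
    legacy = {("alice", "p1"): {"roles": ["r2"]},   # explicit admin grant
              ("bob", "p1"): {"roles": ["r1"]},     # already a Member
              ("carol", "p2"): {"roles": ["r2"]}}   # explicit grant, no membership
    role_id, grants = migrate_memberships(roles, memberships, legacy)
    return roles, role_id, grants


if __name__ == "__main__":
    print(demo())
```
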