Using the LDAP assignment backend, if you remove a role from a user that the user doesn't have, then the user gets the role.
To recreate
0) Start with devstack, configured with LDAP (note especially to set KEYSTONE_ASSIGNMENT_BACKEND):
In localrc,
enable_service ldap
KEYSTONE_IDENTITY_BACKEND=ldap
KEYSTONE_ASSIGNMENT_BACKEND=ldap
1) set up environment with OS_USERNAME=admin
export OS_USERNAME=admin
...
2) Create a new user, give admin role, list roles:
$ keystone user-create --name blktest1 --pass blkpwd
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 3b71182dc36e45c6be4733d508201694 |
| name     | blktest1                         |
+----------+----------------------------------+
$ keystone user-role-add --user blktest1 --role admin --tenant service
(no output)
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id                               | name  | user_id                          | tenant_id                        |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
3) Remove a role from that user that they don't have (using otherrole here since devstack sets it up):
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- Expected to fail with 404, but it doesn't!
4) List roles as that user:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id                               | name        | user_id                          | tenant_id                        |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin       | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------------+----------------------------------+----------------------------------+
- Expected to not include the role that was just removed!
5) Remove the role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
- No errors, which I guess is expected since list just said they had the role...
6) List roles, and now it's gone:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id                               | name  | user_id                          | tenant_id                        |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
+----------------------------------+-------+----------------------------------+----------------------------------+
7) Remove role again:
$ keystone --os-user=blktest1 --os-pass=blkpwd --os-tenant-name service user-role-remove --user blktest1 --role anotherrole --tenant service
Could not find user, 3b71182dc36e45c6be4733d508201694. (HTTP 404)
- Strangely says user not found rather than role not assigned.
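
Added example (not part of the original report and not Keystone code): a regression check for the invariant that steps 3 and 4 violate, namely that a user-role-remove must never leave the user with more roles than before. The helper names parse_role_table and check_removal are hypothetical; the sample tables are the listings from steps 2 and 4 above.

```python
# Added example: flag a role removal that grows the user's role set.
# BEFORE/AFTER are the user-role-list outputs from steps 2 and 4 of this report.
BEFORE = """
| id | name | user_id | tenant_id |
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
"""
AFTER = """
| id | name | user_id | tenant_id |
| 1c39fab0fa9a4a68b307e7ce1535c62b | admin | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
| afe23e7955704ccfad803b4a104b28a7 | anotherrole | 3b71182dc36e45c6be4733d508201694 | 5b0af1d5013746b286b0d650da73be57 |
"""


def parse_role_table(text):
    """Return {role name: role id} from keystone user-role-list table output."""
    roles, header = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders, prompts and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells  # first pipe row names the columns
            continue
        row = dict(zip(header, cells))
        roles[row["name"]] = row["id"]
    return roles


def check_removal(before, after, removed_role):
    """Compare listings taken around a user-role-remove; return violations."""
    b, a = parse_role_table(before), parse_role_table(after)
    problems = []
    gained = sorted(set(a) - set(b))
    if gained:
        problems.append("roles gained after removal: " + ", ".join(gained))
    if removed_role in a:
        problems.append("role still assigned after removal: " + removed_role)
    return problems


if __name__ == "__main__":
    for problem in check_removal(BEFORE, AFTER, "anotherrole"):
        print("FAIL:", problem)
```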