LDAP group role assignment becomes user assignment
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Brant Knudson |
Bug Description
When I configure Keystone with the LDAP backend, creating a group role assignment winds up being a user role assignment.
Here are the steps to recreate:
Start with devstack configured to use LDAP
$ openstack group create blktest1
+------
| Field | Value |
+------
| domain_id | default |
| id | 33888a7d7527449
| links | {u'self': u'http://
| name | blktest1 |
+------
$ GROUP_ID=
$ openstack role list
| 1fbe54e498ad483
$ ROLE_ID=
$ openstack project list
| 111681b688eb446
PROJECT_
# Get a token since I can't find an openstack command to add role assignment...
$ curl ...
$ TOKEN=PKIZ...
# Create the GROUP role assignment
$ curl -i -X PUT -H "X-Auth-Token: $TOKEN" \
http://
HTTP/1.1 204 No Content
# Check the results. Now it's a user role assignment.
$ openstack role assignment list
+------
| Role | User | Group | Project | Domain |
+------
| 9fe2ff9ee4384b1
| 29b0254e79d141d
| 9fe2ff9ee4384b1
| 04b98b07af27430
| 29b0254e79d141d
| 1fbe54e498ad483
| 1fbe54e498ad483
| 04b98b07af27430
+------
# Also check the REST response since maybe it's in openstack command:
$ curl -H "X-Auth-Token: $TOKEN" http://
...
{
"links": {
"assignment": "http://
},
"role": {
"id": "1fbe54e498ad48
},
"scope": {
"project": {
"id": "111681b688eb44
}
},
"user": {
"id": "33888a7d752744
}
},
...
It's got user where it should be group.
Changed in keystone:
milestone: none → juno-rc1
Changed in keystone:
assignee: Brant Knudson (blk-u) → Henry Nash (henry-nash)
Changed in keystone:
assignee: Henry Nash (henry-nash) → Brant Knudson (blk-u)
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: juno-rc1 → 2014.2
The role entry looks correct:
dn: cn=1fbe54e498ad483cb900735715926032,cn=111681b688eb4460b464745f461ad0ce,ou=Projects,dc=openstack,dc=org
objectClass: organizationalRole
roleOccupant: cn=8fa4aa9d5584421eb8fa22ad01ff806a,ou=Users,dc=openstack,dc=org
roleOccupant: cn=dumb,dc=nonexistent
roleOccupant: cn=33888a7d75274497bb1e7a05fc17a748,ou=UserGroups,dc=openstack,dc=org
cn: 1fbe54e498ad483cb900735715926032
So it must be the code that's getting role assignments.
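An added illustration, not part of the bug report and not Keystone's code: since the role entry stores users and groups alike as roleOccupant DNs, a reader of that entry has to decide the actor type from the subtree each DN sits in. The tree DNs below are assumed to match the layout in the entry above; the function names and sample IDs are hypothetical.

```python
# Added illustration, not Keystone code. Tree DNs are assumed to match the
# ou=Users / ou=UserGroups layout seen in the role entry above.
USER_TREE_DN = "ou=Users,dc=openstack,dc=org"
GROUP_TREE_DN = "ou=UserGroups,dc=openstack,dc=org"


def split_dn(dn):
    """Split a DN into lowercased (attr, value) RDNs, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped or ch not in "\\,":
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        else:  # unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base_dn):
    """True when dn sits strictly below base_dn, compared RDN by RDN."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    return len(rdns) > len(base) and rdns[-len(base):] == base


def classify_occupants(role_occupants):
    """Sort roleOccupant DNs into (user_ids, group_ids, skipped_dns)."""
    users, groups, skipped = [], [], []
    for dn in role_occupants:
        actor_id = split_dn(dn)[0][1]
        if is_under(dn, GROUP_TREE_DN):
            groups.append(actor_id)
        elif is_under(dn, USER_TREE_DN):
            users.append(actor_id)
        else:
            skipped.append(dn)  # e.g. a placeholder member outside both trees
    return users, groups, skipped


# Constructed sample values (IDs are made up for this example).
SAMPLE_OCCUPANTS = [
    "cn=aaaa1111,ou=Users,dc=openstack,dc=org",
    "cn=dumb,dc=nonexistent",
    "CN=bbbb2222, OU=UserGroups, DC=openstack, DC=org",
]
```

Comparing parsed RDNs rather than raw strings keeps the result stable when a directory returns DNs with different case or spacing than the configured tree DN.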