User create via v3 API doesn't add _member_ role in default project
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Won't Fix | Undecided | Unassigned | |
Bug Description
There is a discrepancy between creating users via the v2 and v3 APIs, which I'm not sure is a bug or by design:
When creating a user via the v2 API, the _member_ role is added in their default project, but when creating via the v3 API, despite default_project_id being specified, it is not.
If possible, I'd like the _member_ role to always be present, as we need a default role to delegate via trust for heat, and I'd like to move away from using a special heat_stack_owner role as it's confusing for users:
https:/
-bash-4.2$ openstack --os-token foobar --os-url=http://
+------
| Field | Value |
+------
| default_project_id | 19d521c10284413
| domain_id | default |
| enabled | True |
| id | 479882b84fed407
| links | {u'self': u'http://
| name | test123456 |
+------
-bash-4.2$ keystone user-create --tenant demo --name v2test123456
+------
| Property | Value |
+------
| email | |
| enabled | True |
| id | c8d14d95bec24a5
| name | v2test123456 |
| tenantId | 19d521c10284413
| username | v2test123456 |
+------
-bash-4.2$ keystone user-role-list --tenant demo --user test123456
-bash-4.2$ keystone user-role-list --tenant demo --user v2test123456
+------
| id | name | user_id | tenant_id |
+------
| 9fe2ff9ee4384b1
+------
According to the Identity V3 API specification, the default_project_id attribute of the user object is simply there for reference to the user.
https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3.md#users-v3users
It also says that setting default_project_id does not actually grant authorization on the project, in which case I don't think the user would need a role assigned for that project by default on create user operations.
Thoughts?
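Added example, not part of the original bug report or of keystone's code: because setting default_project_id grants no authorization, an operator can audit for users whose default project carries no role assignment for them, directly or through a group. The sample data is constructed in the shape of the v3 `GET /v3/users` and `GET /v3/role_assignments` responses; all IDs, the group map, and the function name are assumptions.

```python
# Constructed sample data (IDs are made up), shaped like Keystone v3
# GET /v3/users and GET /v3/role_assignments response entries.
USERS = [
    {"id": "u-v3", "name": "test123456", "default_project_id": "p-demo", "enabled": True},
    {"id": "u-v2", "name": "v2test123456", "default_project_id": "p-demo", "enabled": True},
    {"id": "u-grp", "name": "viagroup", "default_project_id": "p-demo", "enabled": True},
    {"id": "u-none", "name": "nodefault", "enabled": True},
]
ROLE_ASSIGNMENTS = [
    {"role": {"id": "r-member"}, "user": {"id": "u-v2"}, "scope": {"project": {"id": "p-demo"}}},
    {"role": {"id": "r-member"}, "group": {"id": "g-dev"}, "scope": {"project": {"id": "p-demo"}}},
    {"role": {"id": "r-admin"}, "user": {"id": "u-v3"}, "scope": {"domain": {"id": "default"}}},
]
GROUP_MEMBERS = {"g-dev": {"u-grp"}}  # group id -> member user ids (constructed)


def users_without_role_on_default_project(users, assignments, group_members):
    """Return names of users who hold no role on their own default_project_id."""
    granted = set()  # (user_id, project_id) pairs with at least one role
    for a in assignments:
        project = a.get("scope", {}).get("project")
        if not project:
            # Domain-scoped assignments do not authorize a project
            # (inherited assignments are not modelled in this sketch).
            continue
        if "user" in a:
            actors = {a["user"]["id"]}
        else:
            actors = group_members.get(a.get("group", {}).get("id"), set())
        granted.update((uid, project["id"]) for uid in actors)

    missing = []
    for u in users:
        default = u.get("default_project_id")
        if default and (u["id"], default) not in granted:
            missing.append(u["name"])
    return missing


if __name__ == "__main__":
    print(users_without_role_on_default_project(USERS, ROLE_ASSIGNMENTS, GROUP_MEMBERS))
```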