CONF.member_role_name isn't used for lookups

Bug #1426184 reported by Jamie Lennox
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |

Bug Description

The CONF.member_role_name is completely overridden by the CONF.member_role_id parameter. The only time that _name is used is on first request: if there is not a role with member_role_id, it will be created with _name. However, from a deployment perspective I can't set the _id; the id is given to me when I create the role, so I would need to:

1. openstack role create _member_
2. take the id and put it into the CONF file
3. restart keystone

to make this work. Worse, there is a default member_role_id.

I think member_role_id should default to None; the _id should be generated on first request as per now and saved (somewhere). If member_role_id is needed and not cached, then the first step should be to do a role lookup on an existing member_role_name.
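
The two lookup orders from the report above, side by side, as an added example that is not part of the original report and is not keystone code. RoleStore, resolve_current, resolve_proposed and the placeholder id are hypothetical names constructed for illustration; role-name uniqueness is not modelled.

```python
import uuid

class RoleStore:
    """Constructed in-memory stand-in for the role backend (not keystone code).
    Role-name uniqueness is deliberately not modelled."""
    def __init__(self):
        self.roles = {}  # role id -> role name

    def create(self, name, role_id=None):
        role_id = role_id or uuid.uuid4().hex
        self.roles[role_id] = name
        return role_id

    def find_by_name(self, name):
        return next((i for i, n in self.roles.items() if n == name), None)

def resolve_current(store, conf):
    """As the report describes: the id always wins; the name only labels the
    role that is created when no role with that id exists yet."""
    role_id = conf["member_role_id"]
    if role_id not in store.roles:
        store.create(conf["member_role_name"], role_id=role_id)
    return role_id

def resolve_proposed(store, conf, cache):
    """As the report proposes: id defaults to None; look up by name first,
    create only if nothing matches, and save the result."""
    role_id = conf.get("member_role_id") or cache.get("member_role_id")
    if role_id is None:
        role_id = store.find_by_name(conf["member_role_name"])
        if role_id is None:
            role_id = store.create(conf["member_role_name"])
        cache["member_role_id"] = role_id
    return role_id

def demo():
    """Deployer pre-creates the role (step 1) without editing the config."""
    name = "_member_"
    old, new, cache = RoleStore(), RoleStore(), {}
    made_old, made_new = old.create(name), new.create(name)
    # "PLACEHOLDER-DEFAULT-ID" is a constructed value, not keystone's default.
    used_old = resolve_current(
        old, {"member_role_id": "PLACEHOLDER-DEFAULT-ID", "member_role_name": name})
    used_new = resolve_proposed(
        new, {"member_role_id": None, "member_role_name": name}, cache)
    return {"current_uses_deployer_role": used_old == made_old,
            "proposed_uses_deployer_role": used_new == made_new,
            "roles_after_current": len(old.roles),
            "cached_id_matches": cache["member_role_id"] == made_new}
```

In this model the id-first order leaves the deployer's role unused and adds a second role under the configured id, which is the mismatch a deployer would want to check for before attaching policy to the role they created.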

Attila Fazekas (afazekas) wrote :

Dolph Mathews (dolph) wrote :

The _member_ role is a handicap for the v2 API to provide an explicit means of expressing default tenancy. The existing behavior satisfies that behavior just fine.

There's really no reason you should be creating the "_member_" role manually as a deployer. Use another role name instead, such as "Member" (the pre-existing role which ayoung opted to not conflict with).

Changed in keystone:
status: New → Invalid