OS-INHERIT does not seem to work for users but works for groups
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Triaged | Medium | Henry Nash | | |
Bug Description
Using Kilo, I'm following the http:
I'm having some problem getting OS-INHERIT to work when the target of the assignment is a user. It works if the target is a group.
I'm able to PUT a project role inheritance record but not get it back:
PUT: /v3/OS-INHERIT/
domains/
users/257cc461f
roles/daa86839b
(side note: I noticed though that it validates domain, roles, but not user. The PUT succeeds if I put an invalid user.)
HEAD on the same path above returns 404.
Also, this:
GET: /v3/OS-INHERIT/
domains/
users/257cc461f
roles/inherited
returns 200, but an empty list of roles.
So somehow, the PUT doesn't stick, I'm not sure why. Consequently, I'm also not able to get a project token with expected roles from the domain etc.
Interestingly, this works with groups. In other words, if I do a:
PUT: /v3/OS-INHERIT/
domains/d
groups/g/
roles/x
then, a user from that group g can get a project scoped token with role x in any project of domain d.
It doesn't seem to be working when using the inherited grant on users directly?
summary:
- OS-INHERIT does not seem to work for users but work for groups
+ OS-INHERIT does not seem to work for users but works for groups
Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
tags: added: kilo-backport-potential
Changed in keystone:
assignee: nobody → Henry Nash (henry-nash)
Thanks for the detailed problem description. With regard to checking for existence of the user, this was by design (in preparation for potentially federated users coming in...although we may now be able to re-add that check since we handle federation a little differently than planned).
I'll investigate the other problem asap.