Retrieving either a project's parents or subtree as_list does not work

I seem to be able to recreate. I used the following:

I created the following projects:

22ca44c4f9174cf68b221b260c446a8d great-great-grandparent
21265233cbbd4fe68ad32adcd7162cea great-grandparent
33123935a6e343029ea24feedc5916b2 grandparent
34590cda7de2440188017ddc845fe2e5 parent
89254075048c4300a105da1b39284d10 child

Where each project is the child of the project listed above. In this case, great-great-grandparent is the top level project. So following Tim's case, I did all my calls against the grandparent project.

parents_as_list: http://cdn.pasteraw.com/ajjc1owd5efcr6xwtsdbj7nqcq6cw6e
  returns no parents - fail
parents_as_ids: http://cdn.pasteraw.com/abdd3la2924agvsl1ihbqmn6yxhhw6v
  returns the ids of great-grandparent and great-great-grandparent - success
subtree_as_list: http://cdn.pasteraw.com/egb84jk3yky1s3f2rsoh7p9ofvjq2kq
  returns no subtree - fail
subtree_as_ids: http://cdn.pasteraw.com/828b49094kldix1cldefywemuap4kf2
  returns the ids of parent and child - success

I did the same calls with parent as the project and the following was returned:
parents_as_list: http://cdn.pasteraw.com/epzss1vm0x2gz5bna4f8aehtt4mhk9y
  returns no parents - fail
parents_as_ids: http://cdn.pasteraw.com/sh2z02t9roq9cis6zqfs9eenrtz0n2u
  returns grandparent, great-grandparent, and great-great-grandparent - success
subtree_as_list: http://cdn.pasteraw.com/1ssjr51weuj4zii2k689nf9kc3cnhrw
  returns no subtree - fail
subtree_as_ids: http://cdn.pasteraw.com/aq0vjpkk9jaz26rzplptqxcse4nv3ni
  returns the child id in subtree - success

It appears the behavior is consistent regardless of the depth of the project.

Hi Tim,

I was able to bring this to htruta and raildo, who implemented this functionality. It turns out there is a fundamental difference in subtree_as_ids and subtree_as_list. Being able to get the subtree_as_ids doesn't require any role assignments on the subtree. With that in mind, an admin would be able to list all the subtree ids of a project. Since subtree_as_list returns *more* information about each project in the subtree, this query string only returns subtrees that the user has role assignments on. So, if an admin doesn't have any role assignments on any of the projects in the tree, the call won't return any information in the subtree.

The same applies directly to parents_as_list and parents_as_ids.

Essentially, it boils down to the fact that listing by ids doesn't require additional role assignments, but requesting information by list does.

There is some documentation around the query strings [0], but it doesn't include any information around the role assignments and that behavioral difference. The call is working as expected but I believe the docs could be improved.

[0] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#get-project

Actually, I have a few free cycles right now... Working on a patch to improve the documentation around these query strings.

Related fix proposed to branch: master
Review: https://review.openstack.org/235971

Reviewed: https://review.openstack.org/235971
Committed: https://git.openstack.org/cgit/openstack/keystone-specs/commit/?id=17129323aefaf969091d02f371092864ec7404ae
Submitter: Jenkins
Branch: master

commit 17129323aefaf969091d02f371092864ec7404ae
Author: Lance Bragstad <email address hidden>
Date: Fri Oct 16 15:10:37 2015 +0000

    Improve get project query strings

    This commit improves the documentation describing the parents_as_list,
    parents_as_ids, subtree_as_list, and subtree_as_ids query strings.

    Change-Id: I21b4dcf1c3e3afe128658cad55222468803e3947
    Related-Bug: 1506653
    Closes-Bug: 1506986

Timothy,

Is this still an issue or can this bug be closed out as a documentation fix?

As far as I'm concerned, the documentation fix provided addresses my original issue very well and this bug can be closed.

Closing with "Fix Released". https://bugs.launchpad.net/keystone/+bug/1506986