Roles inheritance for groups is not visible in user's role assignments
Bug #1583142 reported by
Dmitri
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
If I applied role inheritance to a group GR-A in scope of project PR-A:
(PUT) /v3/OS-
this role assignment is listed in the result of:
(GET) /v3/role_
but is not in the result of:
(GET) /v3/role_
whereby USR-A is a member of the group GR-A.
BUT it is part of result of the query:
(GET) /v3/role_
whereby SUB-PR-A is a child of PR-A.
I think the inherited roles assignment should be valid in the project scope of PR-A for both groups and users.
| description: | updated |
| description: | updated |
| Changed in keystone: | |
| status: | New → Confirmed |
| status: | Confirmed → New |
| tags: | added: inheritance |
Revision history for this message
| Henry Nash (henry-nash) wrote | #1 |
| Changed in keystone: | |
| status: | New → Invalid |
Revision history for this message
| Dmitri (dmitri-voronov) wrote | #2 |
To post a comment you must log in.
This bug is invalid, since:
1) Inheritance is only applied to children of the node that carries the actual inherited assignment
2) Effective assignments only show the result of all group & inherited assignments, as well as valid non-inedited direct user assignments - but do not include the source assignments that generate these results
The "inherit only on children" comes from the heritage of inheritance, which was originally designed to only be placed on domains, and all the projects in the domain would get the assignment. We considered changing this for project-project inheritance, but decided it would be too confusing to have two types of inheritance rules.
If in the above example, you also want there user to have a role on PR-A, then you need to have a second (non-inherited) assignment (either for the user of the group) on PR-A