Unable to remove an assignment from domain and project

Bug #1754677 reported by Lance Bragstad on 2018-03-09
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Raildo Mascena de Sousa Filho

Bug Description

When you setup a user with a role assignment on a domain and then a role assignment on a project "acting as a domain", you can't actually remove them. The following pastes sets up the environment:

http://paste.openstack.org/show/695978/

Which results in the following when a user tries to remove either of those assignments:

http://paste.openstack.org/show/696013/

And the resulting trace:

http://paste.openstack.org/show/695994/

It appears the issue is because somewhere in the assignment code we're only expecting a single assignment to be returned for us to delete, which isn't the case here and causes ambiguity.

Changed in keystone:
status: New → Triaged
importance: Undecided → High
Changed in keystone:
assignee: nobody → Raildo Mascena de Sousa Filho (raildo)
Adrian Turjak (adriant-y) wrote :

I have a feeling the reason for this in keystone is that the query in question isn't looking at the type when doing a query: https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L358

just the other fields:
https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L363-L366

Chances are the same error would occur if you assign to a group a project and a domain scope.

This is most likely legacy code that needed to deal with multiple types of assignments between projects and domains when the two were actually two different types. Now that a domain is a project, the type field is almost pointless in the actual internals, unless there is somewhere that actually makes a distinction between domain vs project scope on an assignment.

Adrian Turjak (adriant-y) wrote :

yep, looking back in the git history, the type definition comes from before domains became projects.

tags: added: office-hours
Changed in keystone:
status: Triaged → In Progress
description: updated

Reviewed: https://review.openstack.org/570438
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9cefb4dfc9f3497fd4c123ad9b1aadc65b2974d0
Submitter: Zuul
Branch: master

commit 9cefb4dfc9f3497fd4c123ad9b1aadc65b2974d0
Author: Raildo Mascena <email address hidden>
Date: Thu May 24 17:13:05 2018 -0300

    Exposing ambiguity bug when querying role assignments

    Test case exposing the issue described in that bug
    also, adding the expected result commented, to be
    removed the commented tags, after the bug be fixed.

    Change-Id: I0e7b181977a1850a9a93472892407817561bfa0a
    Partial-Bug: 1754677

Changed in keystone:
milestone: none → rocky-rc1
Changed in keystone:
status: In Progress → Fix Committed
Colleen Murphy (krinkle) wrote :

I don't see a fix committed for this, the @wip marker on the test that Raildo added is still there so I don't think this is fixed yet.

Changed in keystone:
status: Fix Committed → In Progress
milestone: rocky-rc1 → stein-1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers