Unable to remove an assignment from domain and project
Bug #1754677 reported by Lance Bragstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Vishakha Agarwal |
Bug Description
When you set up a user with a role assignment on a domain and then a role assignment on a project "acting as a domain", you can't actually remove them. The following paste sets up the environment:
http://
Which results in the following when a user tries to remove either of those assignments:
http://
And the resulting trace:
http://
It appears the issue is because somewhere in the assignment code we're only expecting a single assignment to be returned for us to delete, which isn't the case here and causes ambiguity.
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Changed in keystone:
assignee: nobody → Raildo Mascena de Sousa Filho (raildo)
tags: added: office-hours
Changed in keystone:
status: Triaged → In Progress
description: updated
Changed in keystone:
milestone: none → rocky-rc1
Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
assignee: Raildo Mascena de Sousa Filho (raildo) → Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
milestone: none → victoria-2
I have a feeling the reason for this in keystone is that the query in question isn't looking at the type when doing a query: https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L358
just the other fields: https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L363-L366
Chances are the same error would occur if you assign to a group a project and a domain scope.
This is most likely legacy code that needed to deal with multiple types of assignments between projects and domains when the two were actually two different types. Now that a domain is a project, the type field is almost pointless in the actual internals, unless there is somewhere that actually makes a distinction between domain vs project scope on an assignment.
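
The ambiguity suspected in the comment above, reproduced on a simplified model (an added example, not keystone's code): a revocation lookup that omits `type` matches both rows when a domain and the project acting as that domain share one ID, so the grant cannot be removed. The table layout, the names `make_db`, `delete_grant`, `remaining` and `GrantLookupError`, and the sample IDs are assumptions made for illustration.

```python
import sqlite3

# Simplified, hypothetical table for illustration; not keystone's actual schema.
SCHEMA = """
CREATE TABLE assignment (
    type      TEXT NOT NULL,   -- 'UserDomain' or 'UserProject' in this sample
    actor_id  TEXT NOT NULL,
    target_id TEXT NOT NULL,
    role_id   TEXT NOT NULL,
    inherited INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (type, actor_id, target_id, role_id, inherited)
)"""


class GrantLookupError(Exception):
    """The lookup did not match exactly one assignment row."""


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample: one user holds the same role on a domain and on the
    # project acting as that domain; both rows carry the same target_id.
    rows = [("UserDomain", "user-1", "dom-1", "role-1", 0),
            ("UserProject", "user-1", "dom-1", "role-1", 0)]
    db.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?, ?)", rows)
    return db


def remaining(db):
    return [r[0] for r in db.execute("SELECT type FROM assignment ORDER BY type")]


def delete_grant(db, actor_id, target_id, role_id, type_=None):
    """Revoke exactly one grant; refuse when the lookup is not unique."""
    # The WHERE text is built from constants only; all values are bound.
    where = "actor_id = ? AND target_id = ? AND role_id = ? AND inherited = 0"
    params = [actor_id, target_id, role_id]
    if type_ is not None:  # the filter that removes the ambiguity
        where += " AND type = ?"
        params.append(type_)
    sql = f"SELECT COUNT(*) FROM assignment WHERE {where}"
    matched = db.execute(sql, params).fetchone()[0]
    if matched != 1:
        raise GrantLookupError(f"expected 1 row, matched {matched}")
    db.execute(f"DELETE FROM assignment WHERE {where}", params)
    return remaining(db)
```

Without `type_` the call raises and both grants stay in place, which is the failure mode that matters for access revocation; with `type_` each grant is removed on its own.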