Some inherited projects missing when listing user's projects
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Sami Makki | |
Bug Description
When a project is added as a child to another project and a user has an inherited role as well as an explicit role on that parent project, the child project may not appear when the user lists their projects.
It appears that the order in which the inherited and effective role assignments are made makes a difference.
What actually happens:
# The parent
$ openstack project show parent --children
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| enabled | True |
| id | da2265680b3844e
| is_domain | False |
| name | parent |
| parent_id | default |
| subtree | {'3e5e4084c9984
| tags | [] |
+------
# A first child
$ openstack project show 3e5e4084c9984d5
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| enabled | True |
| id | 3e5e4084c9984d5
| is_domain | False |
| name | child |
| parent_id | da2265680b3844e
| tags | [] |
+------
# Next, we give user mradmin the project_admin role on the parent project explicitly.
$ openstack role add --project parent --user mradmin project_admin
# We give user mradmin the project_admin role on the parent project's subtree via inheritance.
$ openstack role add --project parent --user mradmin --inherited project_admin
# When we list the projects as user mradmin, everything is fine for now.
$ openstack project list
+------
| ID | Name |
+------
| 3e5e4084c9984d5
| da2265680b3844e
+------
* Important note: the first child project exists before we do the role assignments. The second child project is added after the role assignments.
# Add a second child project to the parent project:
$ openstack project create --parent parent child2
+------
| Field | Value |
+------
| description | |
| domain_id | default |
| enabled | True |
| id | c781f589110c4d0
| is_domain | False |
| name | child2 |
| parent_id | da2265680b3844e
| tags | [] |
+------
# The second child does not appear when we list the projects as user mradmin
$ openstack project list
+------
| ID | Name |
+------
| 3e5e4084c9984d5
| da2265680b3844e
+------
If we repeat the above except we reverse the order when assigning the project_admin role:
$ openstack role add --project parent --user mradmin --inherited project_admin
$ openstack role add --project parent --user mradmin project_admin
then we are able to see all projects when we list the projects as user mradmin:
$ openstack project list
+------
| ID | Name |
+------
| 79d5300ac137466
| e18fa9d21fe94bd
| e334dcc334804e2
+------
Expected behavior:
See all child projects regardless of the order of role assignment.
I was able to reproduce this in Queens and Pike.
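An added example, not part of the original report and not keystone code: a small order-independent model of the expected behavior, useful as a check on what `openstack project list` returns for a user. It assumes an explicit role grants the project itself and an inherited role grants the project's subtree; the project tree, the `other` project, and all function names are constructed for illustration.

```python
# Constructed sample data modelled on the report (names only, no real IDs).
PROJECTS = {          # project name -> parent name (None = directly under the domain)
    "parent": None,
    "child": "parent",
    "child2": "parent",
    "other": None,    # unrelated project, added to show it is never granted
}

# (user, project, role, inherited) in the order that triggers the bug in the report.
ASSIGNMENTS = [
    ("mradmin", "parent", "project_admin", False),  # explicit
    ("mradmin", "parent", "project_admin", True),   # inherited
]


def subtree(projects, root):
    """Return every descendant of root, excluding root itself."""
    found, frontier = set(), [root]
    while frontier:
        node = frontier.pop()
        kids = [p for p, parent in projects.items()
                if parent == node and p not in found]
        found.update(kids)
        frontier.extend(kids)
    return found


def expected_projects(projects, assignments, user):
    """Projects the user should see, whatever order the grants were made in.

    Explicit and inherited grants on the same project are treated as two
    separate sources, so neither can mask the other.
    """
    visible = set()
    for who, project, _role, inherited in assignments:
        if who != user:
            continue
        if inherited:
            visible |= subtree(projects, project)
        else:
            visible.add(project)
    return visible


def missing_projects(projects, assignments, user, listed):
    """Expected projects that are absent from the listing the user received."""
    return sorted(expected_projects(projects, assignments, user) - set(listed))
```

Feeding it the listing from the failing case (`child` and `parent` only) reports `child2` as missing; a project created after the assignments is picked up because the subtree is computed at check time.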
Changed in keystone: status: New → Invalid
Changed in keystone: status: Invalid → New
Changed in keystone: milestone: none → rocky-3
Quite possibly the best bug report I've seen. Thank you.
It sounds like the code to avoid traversing the same path twice needs to be smart enough to identify the differences in the source of the role assignment.