"keystone::roles::admin" class can't assign a role to admin user when project is specified.

Bug #1589933 reported by Max Yatsenko
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
puppet-keystone
Fix Released
Wishlist
Sofer Athlan-Guyot

Bug Description

"keystone::roles::admin" class can't assign 'admin' role to 'admin' user when project is specified.
https://github.com/openstack/puppet-keystone/blob/master/manifests/roles/admin.pp#L127

It occurs because "keystone_user_role" provider that is called in the class can add role
  or for specified project
  or for specified domain
https://github.com/openstack/puppet-keystone/blob/master/lib/puppet/provider/keystone_user_role/openstack.rb#L88-L91

Changed in puppet-keystone:
assignee: nobody → Sofer Athlan-Guyot (sofer-athlan-guyot)
Revision history for this message
Sofer Athlan-Guyot (sofer-athlan-guyot) wrote :

Hi,

The provider's behaviour seems correct to me. You can assign a user role either to a domain or a project, not both at the same time. For this you need two resources. The cli would complain if you do both at the same time.

So, I may be missing something here. Could you post an excerpt of a failing manifest, with the current behaviour versus the expected one ?

Regards,

Revision history for this message
Max Yatsenko (myatsenko) wrote :

Hi,
yes, you are right - if try to assign a role for project and domain simultaneously we get an error.
But what do you think -can we update "keystone::roles::admin" class to be able pass domain, project to the class, and call provider for assigning role for project and call it again if domain is specified?

Revision history for this message
Sofer Athlan-Guyot (sofer-athlan-guyot) wrote :

Hi,

oki, now I see what you want: add a domain option to keystone::roles::admin and if there create another keystone_user_role resource with the domain associated to the user.

Let's try.

Changed in puppet-keystone:
importance: Undecided → Wishlist
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/329807

Changed in puppet-keystone:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/329807
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=beab6cecff2cea5c2ca07085827066cbeef6a15b
Submitter: Jenkins
Branch: master

commit beab6cecff2cea5c2ca07085827066cbeef6a15b
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Jun 15 09:52:01 2016 +0200

    Add association of the admin user to a domain.

    If the user specify target_admin_domain then the admin user will be
    admin in this domain.

    Change-Id: Ia0661f9ab8807a96d3c7de22de4e4624db9e7f28
    Closes-bug: 1589933

Changed in puppet-keystone:
status: In Progress → Fix Released
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-keystone 9.1.0

This issue was fixed in the openstack/puppet-keystone 9.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.