Comment 11 for bug 1604479

Kam Nasim (knasim-wrs) wrote :

 See inline with [Kam]:

1. Are we saying existing users with default_project_id field set to some project prior to upgrading to Mitaka are now seeing default_project_id set to None after upgrading to Mitaka?

[Kam]: Yes, as part of our general OpenStack upgrade, we also updated the puppet modules. In Kilo's puppet-keystone, a project Id was provided when creating the services users. Whereas in puppet-keystone for Mitaka, the services users are created in two stages, 1) create user (without specifying project Id), 2) grant a member/admin role for these users to the services project.

However, I would like to add that puppet just exposed the problem, and it is not specific to Puppet. This issue can be reproduced with the openstack client.

2. Is this impacting ALL users or just the service users? Comments in #8 seem to suggest this is only impacting the service users.

[Kam]: Impacts all users that do not have projectId specified during creation and subsequently have a role granted to them on said project.

3. Why would assigning the 'admin' role to the services users for the service project automatically set the 'default_project_id' field? I don't remember us ever supporting that.

[Kam]: This has nothing to do with the 'admin' role in general and can be seen for any role/any user.

4. Horizon behavior is expected if the user has no default project.

[Kam]: If a user does NOT have a default project (none specified during creation), shouldn't granting the first role on this user to a project set that as default project? Otherwise you end up with a scenario where Horizon indicates that user is projectless whereas it has a role on a project.

5. Not sure if I understand this statement, "RBAC policies pertaining to the services project do not work since it cannot correlate the services users to the services project". If the given token is scoped to a project, RBAC policies should work accordingly. Are we saying we have policies that act on the 'default_project_id'?

[Kam]: Yes, this is specific to our deployment as we have modified the RBAC policies. I was mentioning it for posterity, it should not affect upstream. Horizon not showing ProjectID, as well as logic that expects default_project_id to be within the user reference, breaks because of this issue.
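
An added example, not part of the original comment and not Keystone or puppet-keystone code: a check for the condition discussed above, users that hold a role on a project but have no default_project_id. It assumes records shaped like Keystone v3 API output for users and role assignments; all IDs, sample records and function names are constructed for illustration.

```python
# Constructed sample data shaped like Keystone v3 responses
# (GET /v3/users and GET /v3/role_assignments); every ID here is made up.
USERS = [
    {"id": "u-nova", "name": "nova", "default_project_id": None},
    {"id": "u-glance", "name": "glance", "default_project_id": "p-services"},
    {"id": "u-alice", "name": "alice"},  # key absent: created without a project
    {"id": "u-idle", "name": "idle", "default_project_id": None},
]
ROLE_ASSIGNMENTS = [
    {"role": {"id": "r-admin"}, "user": {"id": "u-nova"}, "scope": {"project": {"id": "p-services"}}},
    {"role": {"id": "r-admin"}, "user": {"id": "u-glance"}, "scope": {"project": {"id": "p-services"}}},
    {"role": {"id": "r-member"}, "user": {"id": "u-alice"}, "scope": {"project": {"id": "p-demo"}}},
    {"role": {"id": "r-member"}, "user": {"id": "u-alice"}, "scope": {"project": {"id": "p-dev"}}},
    {"role": {"id": "r-admin"}, "group": {"id": "g-ops"}, "scope": {"project": {"id": "p-demo"}}},
    {"role": {"id": "r-admin"}, "user": {"id": "u-idle"}, "scope": {"domain": {"id": "default"}}},
]


def projects_by_user(assignments):
    """Map user id -> sorted project ids on which the user holds a direct role."""
    result = {}
    for a in assignments:
        user = a.get("user")
        project = a.get("scope", {}).get("project")
        if not user or not project:
            continue  # skip group assignments and domain-scoped assignments
        result.setdefault(user["id"], set()).add(project["id"])
    return {uid: sorted(pids) for uid, pids in result.items()}


def find_affected(users, assignments):
    """Return users that have a project role but no default_project_id."""
    roles = projects_by_user(assignments)
    affected = []
    for u in users:
        if u.get("default_project_id"):
            continue  # default project is set, nothing to report
        projects = roles.get(u["id"], [])
        if projects:
            # Only a single, unambiguous project is proposed as a default.
            candidate = projects[0] if len(projects) == 1 else None
            affected.append({"name": u["name"], "projects": projects, "candidate": candidate})
    return affected


if __name__ == "__main__":
    for row in find_affected(USERS, ROLE_ASSIGNMENTS):
        print(row)
```
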