OpenStack SDK

Adding a User in a Project is not Possible

Bug #1680446 reported by Dave Halter
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack SDK
Confirmed
Critical
Brian Curtin

Bug Description

https://developer.openstack.org/api-ref/identity/v3/?expanded=assign-role-to-user-on-project-detail#assign-role-to-user-on-project

Assigning a user to project is currently not possible with the openstacksdk (identity v3). I think this should be a priority, because not being able to add users to a project seems to restrict the client in a lot of use cases. The API might should either be restrictive and project only or allow all the different use cases (projects, groups, domains and users).

IMO a Python 3 api that looks like:

def create_role_assignment(self, role, *, project=None, user=None, group=None, domain=None):
    ...

would do the job. Obviously this is a bit more complicated than the usual create_* methods. You need to use different urls (depending on the objects you have) and you also need to throw errors if a combination is not possible (which is true for a lot of the combos). You can also add different methods for all these use cases, but you will end up with a lot of combinations and that is not likely to decrease, rather the opposite.

Note that it's also not possible with the keystoneclient:

https://github.com/openstack/python-keystoneclient/blob/bca112c8ba5636becd6951fbfb8cb8f2474279fe/keystoneclient/v3/role_assignments.py#L107

~ Dave

Revision history for this message
Brian Curtin (brian.curtin) wrote :

Yeah we just went through a change to be able to list existing role assignments and it was quite involved. I'll try to take a look at this soon.

Changed in python-openstacksdk:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Brian Curtin (brian.curtin)
Revision history for this message
Dave Halter (davidhalter) wrote :

I have just also realized that some of the code already exists. In identity/v3/projects.py you can find methods like `Project.assign_role_to_user` which probably does the job but is not available in _proxy.py. I would maybe use/refactor these functions to implement what I wrote about above.

I think using those methods the problem gets rather trivial.

BTW: The same functions exist on `identity.v3.domains.Domain`.

Revision history for this message
feyman (feyman) wrote :

Hi, @Dave, I have met the same issue as you, and the Project.assign_role_to_user method need also a `session` parameter ,did you solve this by using this function or refactoring ?

Revision history for this message
Dave Halter (davidhalter) wrote :

@feyman I actually ended up using the keystone client instead for this example. In general my approach at the moment is mixing the client (which is only the case because I'm missing certain functionality from the openstacksdk).

Revision history for this message
feyman (feyman) wrote :

@Dave , do you mean that you use the RESTful API for the missing functions? As far as I can see, it actually the only way if using python. Now maybe I should consider to use the java client openstack4j~

Revision history for this message
Dave Halter (davidhalter) wrote :

No, I'm using the keystone client. It's deprecated, but still functional https://pypi.python.org/pypi/python-keystoneclient/3.6.0

Revision history for this message
feyman (feyman) wrote :

Thanks,@Dave ,I'm gonna give it a shot, :)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.