Creation of Member role is no longer required

Bug #1330132 reported by Stephen Gordon on 2014-06-14
This bug affects 3 people
Affects: OpenStack Identity (keystone) | Importance: Low | Assigned to: Dolph Mathews
Affects: devstack | Importance: Undecided | Assigned to: Unassigned
Affects: tempest | Importance: Undecided | Assigned to: Unassigned

Bug Description

Since Grizzly the Keystone service's SQL creation/migration scripts automatically create a role named _member_ for use as the default member role. Since Icehouse (backported to Havana) Horizon uses this as the default member role.

Devstack still creates a Member role, as was previously required:

    # The Member role is used by Horizon and Swift so we need to keep it:
    MEMBER_ROLE=$(openstack role create \
        Member \
        | grep " id " | get_field 2)

As noted above, Horizon no longer uses such a role in the default configuration and on investigation the Swift dependency appears to be introduced by the way devstack configures Swift.

As such it should now be possible to stop creating this role (with corresponding changes to the Swift setup in devstack) and use _member_ instead, avoiding the creation (and confusion) of having two member roles with different names.

Stephen Gordon (sgordon) on 2014-06-14
Changed in devstack:
assignee: nobody → Stephen Gordon (sgordon)

Fix proposed to branch: master
Review: https://review.openstack.org/100101

Changed in devstack:
status: New → In Progress
Stephen Gordon (sgordon) wrote :

Omitted in the description the minor detail that there are a number of tempest tests that appear to rely on Member being present...

Stephen Gordon (sgordon) wrote :

In all cases the tempest failures come back to _assign_member_role failing because the role in tempest/config.py, which is set to Member, is no longer being created by devstack (well, if you also include the patch I'm proposing for devstack). Updating the configuration first will fix this.

Changed in tempest:
assignee: nobody → Stephen Gordon (sgordon)

Fix proposed to branch: master
Review: https://review.openstack.org/100113

Changed in tempest:
status: New → In Progress
Andrey Pavlov (apavlov-e) wrote :

Could you update the description in keystone.conf about this role?

Stephen Gordon (sgordon) wrote :

Did you mean the member_role_name value (which seems to have an up to date comment) or the LDAP strings?

Andrey Pavlov (apavlov-e) wrote :

I mean member_role_name/member_role_id.
It has this comment:

# During a SQL upgrade member_role_name will be used to create
# a new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_

It confuses me a bit.
Such a comment doesn't describe that this is the default role for a user in a tenant.

Dolph Mathews (dolph) on 2014-07-30
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
importance: Undecided → Low
status: New → Triaged
tags: added: documentation user-experience

Fix proposed to branch: master
Review: https://review.openstack.org/110803

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Dolph Mathews (dolph) → Marek Denis (marek-denis)
Changed in keystone:
assignee: Marek Denis (marek-denis) → Dolph Mathews (dolph)

Reviewed: https://review.openstack.org/110803
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d7b52931aeef06eda6ec774f6cc3497836b14899
Submitter: Jenkins
Branch: master

commit d7b52931aeef06eda6ec774f6cc3497836b14899
Author: Dolph Mathews <email address hidden>
Date: Wed Oct 1 21:18:25 2014 +0000

    revise docs on default _member_ role

    Closes-Bug: 1330132
    Change-Id: I3d9647ee6e537b304191dfa5e34e56122c11cd68

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/129376
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6f806bdc9b58206ecccf29f79df1257e737e9f5b
Submitter: Jenkins
Branch: feature/hierarchical-multitenancy

commit fdbad9f530ea4478d96437b021c9b5cc6d338901
Author: Nathan Kinder <email address hidden>
Date: Wed Oct 15 16:21:01 2014 -0700

    Restrict certain APIs to cloud admin in domain-aware policy

    Some of the APIs in the domain-aware policy file are currently
    allowed by any "admin" user, when they should really be locked
    down to the cloud admin. Without this, users who are a project
    admin will be allowed to do things like manage regions, IdPs,
    and other objects that they should not be allowed to touch.

    Change-Id: Ifca8bc2fffd2d8c1bf02373d1fadd459a77f836c
    Closes-bug: #1381809

commit 062786bc53533edf78a24e35688d7183c0b57175
Author: Brad Topol <email address hidden>
Date: Mon Sep 8 11:28:02 2014 -0500

    Clean up federated identity audit code

    Change-Id: I110eb40c83f1de25bff9215b0490269f5941316a

commit 1056f9abfb283abb083538b7588a006c1b242d1b
Author: wanghong <email address hidden>
Date: Thu Oct 9 15:39:27 2014 +0800

    obsolete deployment docs

    Now we use 'database' section instead, but the doc does not synchronize.

    Change-Id: Ie73ec8225ce1290a4b8fdbb5b9db4c566b5ada22
    Closes-Bug: #1377101

commit 1b2fc1e10469bf5ff97b8a825ba404dd8f602320
Author: David Stanek <email address hidden>
Date: Thu Sep 4 17:59:58 2014 +0000

    Fixes a spelling error in hacking tests

    bp more-code-style-automation

    Change-Id: I9159aba128415d6e3a1f9ee9147c7cba19abeffe

commit 2520502724c549fb7ad846203ed60eb86c21aed3
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Oct 7 19:12:29 2014 +0000

    Updated from global requirements

    Change-Id: If2d591bba119998e41f109f4099ba4147821171e

commit 8af522af96c4bc0f6d0f7de48f6433fd19115d54
Author: Henry Nash <email address hidden>
Date: Tue Oct 7 10:01:47 2014 +0100

    Remove deprecated KVS trust backend.

    The trust backend is one of the KVS backends that was marked as
    deprecated, for removal in Kilo. This patch removes it.

    Partially implements: bp removed-as-of-kilo

    Change-Id: Ib67cd33419d09e219d90ab8c50d375964a12640c

commit a96b20238919037837156e238e708abff415cade
Author: Steve Martinelli <email address hidden>
Date: Fri Sep 26 14:40:22 2014 -0400

    Add v3 openstackclient CLI examples

    Add some notes about authenticating with v3 keystone and
    openstackclient. Also add some examples that don't exist in v2.0,
    like domains and groups.

    Change-Id: I92f9f9ab3ed4657f0771ad284ee6c4c613eca27c

commit 495b44ae0ed3e69e21022ccfc9e2d67ba4d0a97e
Author: Steve Martinelli <email address hidden>
Date: Thu Sep 25 12:08:15 2014 -0400

    Update the CLI examples to also use openstackclient

    In the CLI example section, use openstackclient examples and
    keystoneclient examples.

    Change-Id: Ia13730fbac5900998993c56d9a792b392a1ba3ac

commit 4f9add8029de5f9463b9bd9ca4f933f1be79c021
Author: Steve Martinelli <stevemar@c...


Changed in keystone:
milestone: none → kilo-1
Stephen Gordon (sgordon) on 2014-11-20
Changed in devstack:
status: In Progress → Confirmed
Changed in tempest:
status: In Progress → Confirmed
Changed in devstack:
assignee: Stephen Gordon (sgordon) → nobody
Changed in tempest:
assignee: Stephen Gordon (sgordon) → nobody

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/100101
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/100113
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Thierry Carrez (ttx) on 2014-12-17
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-1 → 2015.1.0

Fix proposed to branch: master
Review: https://review.openstack.org/229799

Changed in devstack:
assignee: nobody → Rob Cresswell (robcresswell)
status: Confirmed → In Progress

Change abandoned by Rob Cresswell (<email address hidden>) on branch: master
Review: https://review.openstack.org/229799

Changed in devstack:
assignee: Rob Cresswell (robcresswell) → nobody
status: In Progress → Confirmed
Sean Dague (sdague) wrote :

This devstack bug was last updated over 180 days ago. As devstack
is a fast-moving project and we'd like to get the tracker down to
currently actionable bugs, this is getting marked as Invalid. If the
issue still exists, please feel free to reopen it.

Changed in devstack:
status: Confirmed → Invalid