[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects
Reviewed: https://review.openstack.org/581346
Committed:
https://git.openstack.org/cgit/openstack/keystone/commit/?id=83e72d74431526b27b8a2f4ac362582a73edea44
Submitter: Zuul
Branch:master
commit 83e72d74431526b27b8a2f4ac362582a73edea44
Author: Sami MAKKI
Date: Tue Jul 10 14:21:28 2018 +0200
Invalidate 'computed assignments' cache when creating a project.
Without it, listing projects results were missing project on which the
user had an inherited role.
Change-Id: If8edb3d1d1d3a0dab691ab6c81dd4b42e3b10ab3
Closes-Bug: #1780159
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159
Title:
Some inherited projects missing when listing user's projects
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
When a project is added as a child to another project and a user has
an inherited role as well as an explicit role on that parent project,
the child project may not appear when the user lists their projects.
It appears that the order in which the inherited and effective role
assignments are made makes a difference.
What actually happens:
# The parent
$ openstack project show parent --children
+-++
| Field | Value |
+-++
| description ||
| domain_id | default|
| enabled | True |
| id | da2265680b3844eaa241a14ac9ee07f1 |
| is_domain | False |
| name| parent |
| parent_id | default|
| subtree | {'3e5e4084c9984d55935198eed49f7164': None} |
| tags| [] |
+-++
# A first child
$ openstack project show 3e5e4084c9984d55935198eed49f7164
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | 3e5e4084c9984d55935198eed49f7164 |
| is_domain | False|
| name| child|
| parent_id | da2265680b3844eaa241a14ac9ee07f1 |
| tags| [] |
+-+--+
# Next, we give user mradmin the project_admin role on the parent project
explicitly.
$ openstack role add --project parent --user mradmin project_admin
# We give user mradmin the project_admin role on the parent project's subtree
via inheritance.
$ openstack role add --project parent --user mradmin --inherited
project_admin
# When we list the projects as user mradmin, everything is fine for now.
$ openstack project list
+--++
| ID | Name |
+--++
| 3e5e4084c9984d55935198eed49f7164 | child |
| da2265680b3844eaa241a14ac9ee07f1 | parent |
+--++
* Important note: the first child project exists before we do the role
assignments. The second child project is added after the role
assignments.
# Add a second child project to the parent project:
$ openstack project create --parent parent child2
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | c781f589110c4d07a96c40b50bc6bd19 |
| is_domain | False|
| name| child2 |
| parent_id | da2265680b3844eaa241a14ac9ee07f1 |
| tags| [] |
+-+--+
# The second child does not appear when we list the projects as user mradmin
$ openstack project list
+--++
| ID | Name |
+--++
| 3e5e4084c9984d55935198eed49f7164 | child |
| da2265680b3844eaa241a14ac9ee07f1 | parent |
+--++
If we repeat the above except we
[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects
** Changed in: keystone
Status: Invalid => New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159
Title:
Some inherited projects missing when listing user's projects
Status in OpenStack Identity (keystone):
New
Bug description:
When a project is added as a child to another project and a user has
an inherited role as well as an explicit role on that parent project,
the child project may not appear when the user lists their projects.
It appears that the order in which the inherited and effective role
assignments are made makes a difference.
What actually happens:
# The parent
$ openstack project show parent --children
+-++
| Field | Value |
+-++
| description ||
| domain_id | default|
| enabled | True |
| id | da2265680b3844eaa241a14ac9ee07f1 |
| is_domain | False |
| name| parent |
| parent_id | default|
| subtree | {'3e5e4084c9984d55935198eed49f7164': None} |
| tags| [] |
+-++
# A first child
$ openstack project show 3e5e4084c9984d55935198eed49f7164
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | 3e5e4084c9984d55935198eed49f7164 |
| is_domain | False|
| name| child|
| parent_id | da2265680b3844eaa241a14ac9ee07f1 |
| tags| [] |
+-+--+
# Next, we give user mradmin the project_admin role on the parent project
explicitly.
$ openstack role add --project parent --user mradmin project_admin
# We give user mradmin the project_admin role on the parent project's subtree
via inheritance.
$ openstack role add --project parent --user mradmin --inherited
project_admin
# When we list the projects as user mradmin, everything is fine for now.
$ openstack project list
+--++
| ID | Name |
+--++
| 3e5e4084c9984d55935198eed49f7164 | child |
| da2265680b3844eaa241a14ac9ee07f1 | parent |
+--++
* Important note: the first child project exists before we do the role
assignments. The second child project is added after the role
assignments.
# Add a second child project to the parent project:
$ openstack project create --parent parent child2
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | c781f589110c4d07a96c40b50bc6bd19 |
| is_domain | False|
| name| child2 |
| parent_id | da2265680b3844eaa241a14ac9ee07f1 |
| tags| [] |
+-+--+
# The second child does not appear when we list the projects as user mradmin
$ openstack project list
+--++
| ID | Name |
+--++
| 3e5e4084c9984d55935198eed49f7164 | child |
| da2265680b3844eaa241a14ac9ee07f1 | parent |
+--++
If we repeat the above except we reverse the order when assigning the
project_admin role:
$ openstack role add --project parent --user mradmin --inherited
project_admin
$ openstack role add --project parent --user mradmin project_admin
then we are able to see all projects when we list the projects as user
mradmin:
$ openstack project list
+--++
| ID | Name |
+--++
| 79d5300ac137466a9e2a22931d0a6b52 | child2 |
| e18fa9d21fe94bdcb4965233b65081bd | parent |
|
[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159
Title:
Some inherited projects missing when listing user's projects
Status in OpenStack Identity (keystone):
Invalid
Bug description:
When a project is added as a child to another project and a user has
an inherited role as well as an explicit role on that parent project,
the child project may not appear when the user lists their projects.
It appears that the order in which the inherited and effective role
assignments are made makes a difference.
What actually happens:
# The parent
$ openstack project show parent --children
+-++
| Field | Value |
+-++
| description ||
| domain_id | default|
| enabled | True |
| id | da2265680b3844eaa241a14ac9ee07f1 |
| is_domain | False |
| name| parent |
| parent_id | default|
| subtree | {'3e5e4084c9984d55935198eed49f7164': None} |
| tags| [] |
+-++
# A first child
$ openstack project show 3e5e4084c9984d55935198eed49f7164
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | 3e5e4084c9984d55935198eed49f7164 |
| is_domain | False|
| name| child|
| parent_id | da2265680b3844eaa241a14ac9ee07f1 |
| tags| [] |
+-+--+
# Next, we give user mradmin the project_admin role on the parent project
explicitly.
$ openstack role add --project parent --user mradmin project_admin
# We give user mradmin the project_admin role on the parent project's subtree
via inheritance.
$ openstack role add --project parent --user mradmin --inherited
project_admin
# When we list the projects as user mradmin, everything is fine for now.
$ openstack project list
+--++
| ID | Name |
+--++
| 3e5e4084c9984d55935198eed49f7164 | child |
| da2265680b3844eaa241a14ac9ee07f1 | parent |
+--++
* Important note: the first child project exists before we do the role
assignments. The second child project is added after the role
assignments.
# Add a second child project to the parent project:
$ openstack project create --parent parent child2
+-+--+
| Field | Value|
+-+--+
| description | |
| domain_id | default |
| enabled | True |
| id | c781f589110c4d07a96c40b50bc6bd19 |
| is_domain | False|
| name| child2 |
| parent_id | da2265680b3844eaa241a14ac9ee07f1 |
| tags| [] |
+-+--+
# The second child does not appear when we list the projects as user mradmin
$ openstack project list
+--++
| ID | Name |
+--++
| 3e5e4084c9984d55935198eed49f7164 | child |
| da2265680b3844eaa241a14ac9ee07f1 | parent |
+--++
If we repeat the above except we reverse the order when assigning the
project_admin role:
$ openstack role add --project parent --user mradmin --inherited
project_admin
$ openstack role add --project parent --user mradmin project_admin
then we are able to see all projects when we list the projects as user
mradmin:
$ openstack project list
+--++
| ID | Name |
+--++
| 79d5300ac137466a9e2a22931d0a6b52 | child2 |
| e18fa9d21fe94bdcb4965233b65081bd | parent |
|
