[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects
Reviewed:  https://review.openstack.org/581346
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=83e72d74431526b27b8a2f4ac362582a73edea44
Submitter: Zuul
Branch:    master

commit 83e72d74431526b27b8a2f4ac362582a73edea44
Author: Sami MAKKI
Date:   Tue Jul 10 14:21:28 2018 +0200

    Invalidate 'computed assignments' cache when creating a project.

    Without it, listing projects results were missing project on which the
    user had an inherited role.

    Change-Id: If8edb3d1d1d3a0dab691ab6c81dd4b42e3b10ab3
    Closes-Bug: #1780159

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159

Title:
  Some inherited projects missing when listing user's projects

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When a project is added as a child to another project and a user has
  an inherited role as well as an explicit role on that parent project,
  the child project may not appear when the user lists their projects.
  It appears that the order in which the inherited and effective role
  assignments are made makes a difference.

  What actually happens:

  # The parent
  $ openstack project show parent --children
  +-------------+--------------------------------------------+
  | Field       | Value                                      |
  +-------------+--------------------------------------------+
  | description |                                            |
  | domain_id   | default                                    |
  | enabled     | True                                       |
  | id          | da2265680b3844eaa241a14ac9ee07f1           |
  | is_domain   | False                                      |
  | name        | parent                                     |
  | parent_id   | default                                    |
  | subtree     | {'3e5e4084c9984d55935198eed49f7164': None} |
  | tags        | []                                         |
  +-------------+--------------------------------------------+

  # A first child
  $ openstack project show 3e5e4084c9984d55935198eed49f7164
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | 3e5e4084c9984d55935198eed49f7164 |
  | is_domain   | False                            |
  | name        | child                            |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  # Next, we give user mradmin the project_admin role on the parent project explicitly.
  $ openstack role add --project parent --user mradmin project_admin

  # We give user mradmin the project_admin role on the parent project's subtree via inheritance.
  $ openstack role add --project parent --user mradmin --inherited project_admin

  # When we list the projects as user mradmin, everything is fine for now.
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  * Important note: the first child project exists before we do the role
  assignments. The second child project is added after the role
  assignments.

  # Add a second child project to the parent project:
  $ openstack project create --parent parent child2
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | c781f589110c4d07a96c40b50bc6bd19 |
  | is_domain   | False                            |
  | name        | child2                           |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  # The second child does not appear when we list the projects as user mradmin
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  If we repeat the above except we
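
The commit message in the notification above attributes the missing project to a 'computed assignments' cache that was not invalidated when a project was created. As an added illustration (a simplified model, not keystone's code; the class, method and flag names are hypothetical), this replays the reported command sequence with and without that invalidation:

```python
# Simplified model of the behaviour in this bug; not keystone's code.
# Class, method and flag names are hypothetical.
class AssignmentModel:
    def __init__(self, invalidate_on_project_create):
        self.invalidate_on_project_create = invalidate_on_project_create
        self.parent_of = {}   # project name -> parent name (None = top level)
        self.grants = set()   # (user, project, inherited) role assignments
        self._computed = {}   # cache: user -> projects from computed assignments

    def add_role(self, user, project, inherited=False):
        self.grants.add((user, project, inherited))
        self._computed.clear()          # role changes drop the cache

    def create_project(self, name, parent=None):
        self.parent_of[name] = parent
        if self.invalidate_on_project_create:
            self._computed.clear()      # the step the fix adds

    def _subtree(self, project):
        for name, parent in self.parent_of.items():
            if parent == project:
                yield name
                yield from self._subtree(name)

    def list_projects(self, user):
        if user not in self._computed:
            visible = set()
            for grant_user, project, inherited in self.grants:
                if grant_user != user:
                    continue
                # An inherited grant applies to the subtree, not the project itself.
                visible.update(self._subtree(project) if inherited else [project])
            self._computed[user] = frozenset(visible)
        return sorted(self._computed[user])


def replay_report(invalidate_on_project_create):
    """Replay the reported sequence; return the listings before and after child2."""
    m = AssignmentModel(invalidate_on_project_create)
    m.create_project("parent")
    m.create_project("child", parent="parent")
    m.add_role("mradmin", "parent")
    m.add_role("mradmin", "parent", inherited=True)
    before = m.list_projects("mradmin")   # populates the cache
    m.create_project("child2", parent="parent")
    return before, m.list_projects("mradmin")


if __name__ == "__main__":
    print("no invalidation:  ", replay_report(False))
    print("with invalidation:", replay_report(True))
```

In this model the stale entry hides a project the user is entitled to; the same missing invalidation on a removal path would keep access visible after it was revoked, so authorization caches need an invalidation hook on every operation that changes the inputs to the computation.
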
[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects
** Changed in: keystone
       Status: Invalid => New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159

Title:
  Some inherited projects missing when listing user's projects

Status in OpenStack Identity (keystone):
  New

Bug description:
  When a project is added as a child to another project and a user has
  an inherited role as well as an explicit role on that parent project,
  the child project may not appear when the user lists their projects.
  It appears that the order in which the inherited and effective role
  assignments are made makes a difference.

  What actually happens:

  # The parent
  $ openstack project show parent --children
  +-------------+--------------------------------------------+
  | Field       | Value                                      |
  +-------------+--------------------------------------------+
  | description |                                            |
  | domain_id   | default                                    |
  | enabled     | True                                       |
  | id          | da2265680b3844eaa241a14ac9ee07f1           |
  | is_domain   | False                                      |
  | name        | parent                                     |
  | parent_id   | default                                    |
  | subtree     | {'3e5e4084c9984d55935198eed49f7164': None} |
  | tags        | []                                         |
  +-------------+--------------------------------------------+

  # A first child
  $ openstack project show 3e5e4084c9984d55935198eed49f7164
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | 3e5e4084c9984d55935198eed49f7164 |
  | is_domain   | False                            |
  | name        | child                            |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  # Next, we give user mradmin the project_admin role on the parent project explicitly.
  $ openstack role add --project parent --user mradmin project_admin

  # We give user mradmin the project_admin role on the parent project's subtree via inheritance.
  $ openstack role add --project parent --user mradmin --inherited project_admin

  # When we list the projects as user mradmin, everything is fine for now.
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  * Important note: the first child project exists before we do the role
  assignments. The second child project is added after the role
  assignments.

  # Add a second child project to the parent project:
  $ openstack project create --parent parent child2
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | c781f589110c4d07a96c40b50bc6bd19 |
  | is_domain   | False                            |
  | name        | child2                           |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  # The second child does not appear when we list the projects as user mradmin
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  If we repeat the above except we reverse the order when assigning the
  project_admin role:

  $ openstack role add --project parent --user mradmin --inherited project_admin
  $ openstack role add --project parent --user mradmin project_admin

  then we are able to see all projects when we list the projects as user
  mradmin:

  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 79d5300ac137466a9e2a22931d0a6b52 | child2 |
  | e18fa9d21fe94bdcb4965233b65081bd | parent |
  |
[Yahoo-eng-team] [Bug 1780159] Re: Some inherited projects missing when listing user's projects
** Changed in: keystone
       Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1780159

Title:
  Some inherited projects missing when listing user's projects

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  When a project is added as a child to another project and a user has
  an inherited role as well as an explicit role on that parent project,
  the child project may not appear when the user lists their projects.
  It appears that the order in which the inherited and effective role
  assignments are made makes a difference.

  What actually happens:

  # The parent
  $ openstack project show parent --children
  +-------------+--------------------------------------------+
  | Field       | Value                                      |
  +-------------+--------------------------------------------+
  | description |                                            |
  | domain_id   | default                                    |
  | enabled     | True                                       |
  | id          | da2265680b3844eaa241a14ac9ee07f1           |
  | is_domain   | False                                      |
  | name        | parent                                     |
  | parent_id   | default                                    |
  | subtree     | {'3e5e4084c9984d55935198eed49f7164': None} |
  | tags        | []                                         |
  +-------------+--------------------------------------------+

  # A first child
  $ openstack project show 3e5e4084c9984d55935198eed49f7164
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | 3e5e4084c9984d55935198eed49f7164 |
  | is_domain   | False                            |
  | name        | child                            |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  # Next, we give user mradmin the project_admin role on the parent project explicitly.
  $ openstack role add --project parent --user mradmin project_admin

  # We give user mradmin the project_admin role on the parent project's subtree via inheritance.
  $ openstack role add --project parent --user mradmin --inherited project_admin

  # When we list the projects as user mradmin, everything is fine for now.
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  * Important note: the first child project exists before we do the role
  assignments. The second child project is added after the role
  assignments.

  # Add a second child project to the parent project:
  $ openstack project create --parent parent child2
  +-------------+----------------------------------+
  | Field       | Value                            |
  +-------------+----------------------------------+
  | description |                                  |
  | domain_id   | default                          |
  | enabled     | True                             |
  | id          | c781f589110c4d07a96c40b50bc6bd19 |
  | is_domain   | False                            |
  | name        | child2                           |
  | parent_id   | da2265680b3844eaa241a14ac9ee07f1 |
  | tags        | []                               |
  +-------------+----------------------------------+

  # The second child does not appear when we list the projects as user mradmin
  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 3e5e4084c9984d55935198eed49f7164 | child  |
  | da2265680b3844eaa241a14ac9ee07f1 | parent |
  +----------------------------------+--------+

  If we repeat the above except we reverse the order when assigning the
  project_admin role:

  $ openstack role add --project parent --user mradmin --inherited project_admin
  $ openstack role add --project parent --user mradmin project_admin

  then we are able to see all projects when we list the projects as user
  mradmin:

  $ openstack project list
  +----------------------------------+--------+
  | ID                               | Name   |
  +----------------------------------+--------+
  | 79d5300ac137466a9e2a22931d0a6b52 | child2 |
  | e18fa9d21fe94bdcb4965233b65081bd | parent |
  |