** Changed in: keystone Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1201487
Title: listing projects for a user omits those that only have group related roles Status in OpenStack Identity (Keystone): Fix Released Bug description: The backend drivers currently support two (very similar) functions: list_user_projects() and get_projects_for_user(). Both claim to return the list of projects for which a user has a role on. Neither take into account roles by virtue of group membership. They are used in the following ways: uses list_user_projects() is used by: - The API GET /users/{user_id}/projects users get_projects_for_user() is used by - The diablo GET /users/{user_id}/roleRefs (should we still need to support this?) - The API GET/tenants, where you get all projects referenced the user in the token (weird) - An unused function the v2 controller (which we should delete) We should rationalize the above to use a single function in the driver manager (similar to the way we do get_roles_for_user_and_project() ), that correctly accounts for any projects for a which a user also has roles by virtue of group membership. If the os-inherit extension is installed, the above function should also take into account roles inherited from the domain. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1201487/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp