Public bug reported:

On upgrading to Mitaka, we saw that the user ref in Keystone does not have a tenantId or default_project_id field. This breaks:

1) The Detailed view in Horizon in the Identity pane where ProjectID is shown as "None"
2) any services project based RBAC policies that we have in place.

Noticed a new local_user DB table for all the services users (no project/tenantId field in here):

keystone=# select * from local_user;
 id |             user_id              | domain_id |    name
----+----------------------------------+-----------+------------
  1 | 3c1bd8c0f6324dcc938900d8eb801aa5 | default   | admin
  2 | d1c4f7a244f74892b612b9b2ded6d602 | default   | neutron
  3 | a481a1f43ec0463083b7a30d20493d38 | default   | nova
  4 | 951068b3372f47ac827ade8f67cc19b4 | default   | glance
  6 | 4b76763e375946998445b65b11c8db73 | default   | ceilometer
  7 | 15c8e1e463cc4370ad369eaf8504b727 | default   | cinder
  8 | 5c3ea23eb8e14070bc562951bb266073 | default   | sysinv
  9 | 2b62ced877244e74ba90b546225740d0 | default   | heat
 10 | 5a506282b45c4064b262f3f414f1f699 | default   | kam
(9 rows)

Note that an admin role is assigned for these services users in the services project. It is just not present within the user reference or keystone user-get:

$ keystone user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id                               | name  | user_id                          | tenant_id                        |
+----------------------------------+-------+----------------------------------+----------------------------------+
| f9985117736b4684904b4eb55476f30a | admin | a481a1f43ec0463083b7a30d20493d38 | c211dda10c9a4b2db16f239dccf65acd |
+----------------------------------+-------+----------------------------------+----------------------------------+

$ keystone user-get
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | nova@localhost                   |
| enabled  | True                             |
| id       | a481a1f43ec0463083b7a30d20493d38 |
| name     | nova                             |
| username | nova                             |
+----------+----------------------------------+

Contrast this to Kilo/Liberty where tenantId is visible within user reference:

$ keystone user-get b7a3bcd588b5482ab9741efcf3f9bb33
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | nova@localhost                   |
| enabled  | True                             |
| id       | b7a3bcd588b5482ab9741efcf3f9bb33 |
| name     | nova                             |
| tenantId | 2e4a21e1a37840879321320107c74f86 | <<<<<<<<<<<<<<<<<<<<<<<<<<
| username | nova                             |
+----------+----------------------------------+

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1604479

Title:
  tenantId/default_project_id missing on Keystone service user in Mitaka

Status in OpenStack Identity (keystone):
  New
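
An added example, not part of the bug report or of Keystone's code: a small audit that parses the two CLI tables quoted in the report and flags a user whose ref carries no project while role assignments for that user still exist. The function names and result keys are hypothetical; the sample input is constructed from the Mitaka output shown in the report.

```python
# Constructed sample input: the Mitaka CLI tables quoted in the report.
USER_GET = """\
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | nova@localhost                   |
| enabled  | True                             |
| id       | a481a1f43ec0463083b7a30d20493d38 |
| name     | nova                             |
| username | nova                             |
+----------+----------------------------------+
"""
ROLE_LIST = """\
+----------------------------------+-------+----------------------------------+----------------------------------+
| id                               | name  | user_id                          | tenant_id                        |
+----------------------------------+-------+----------------------------------+----------------------------------+
| f9985117736b4684904b4eb55476f30a | admin | a481a1f43ec0463083b7a30d20493d38 | c211dda10c9a4b2db16f239dccf65acd |
+----------------------------------+-------+----------------------------------+----------------------------------+
"""
PROJECT_KEYS = ("tenantId", "default_project_id")  # v2.0 name, v3 name

def parse_table(text):
    """Parse '|'-delimited CLI table output into row dicts keyed by header."""
    rows = [[c.strip() for c in line.split("|")[1:]]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    if not rows:
        return []
    header = [c for c in rows[0] if c]
    # Slice to header width so a trailing annotation on a row is ignored.
    return [dict(zip(header, r[:len(header)])) for r in rows[1:]]

def audit_user(user_get_out, role_list_out):
    """Compare the project in the user ref with the user's role assignments."""
    ref = {r["Property"]: r["Value"] for r in parse_table(user_get_out)}
    ref_project = next((ref[k] for k in PROJECT_KEYS
                        if ref.get(k) not in (None, "", "None")), None)
    assigned = sorted({r["tenant_id"] for r in parse_table(role_list_out)
                       if r["user_id"] == ref.get("id")})
    return {"user": ref.get("name"), "ref_project": ref_project,
            "assigned_projects": assigned,
            # True when roles exist but the user ref names no project.
            "ref_lacks_project": ref_project is None and bool(assigned)}

if __name__ == "__main__":
    print(audit_user(USER_GET, ROLE_LIST))
```

The projects listed under `assigned_projects` are where the user holds roles; they are candidates for the missing field, not proof of what the default project was before the upgrade.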