[Yahoo-eng-team] [Bug 1583142] Re: Roles inheritance for groups is not visible in user's role assignments

Tue, 31 May 2016 07:01:23 -0700 

This bug is invalid, since:

1) Inheritance is only applied to children of the node that carries the actual 
inherited assignment
2) Effective assignments only show the result of all group & inherited 
assignments, as well as valid non-inedited direct user assignments - but do not 
include the source assignments that generate these results

The "inherit only on children" comes from the heritage of inheritance,
which was originally designed to only be placed on domains, and all the
projects in the domain would get the assignment. We considered changing
this for project-project inheritance, but decided it would be too
confusing to have two types of inheritance rules.

If in the above example, you also want there user to have a role on
PR-A, then you need to have a second (non-inherited) assignment (either
for the user of the group) on PR-A


** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1583142

Title:
  Roles inheritance for groups is not visible in user's role assignments

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  If I applied role inheritance to a group GR-A in scope of project
  PR-A:

  (PUT) /v3/OS-
  INHERIT/projects/PR-A/groups/GR-A/roles/ROLE-A/inherited_to_projects

  this role assignment is listed in the result of:

  (GET) /v3/role_assignments?scope.project.id=PR-A&group.id=GR-A

  but is not in the result of:

  (GET)
  /v3/role_assignments?scope.project.id=PR-A&user.id=USR-A&effective

  whereby USR-A is a member of the group GR-A.

  BUT it is part of result of the query:

  (GET) /v3/role_assignments?scope.project.id=SUB-
  PR-A&user.id=USR-A&effective

  whereby SUB-PR-A is a child of PR-A.

  I think the inherited roles assignment should be valid in the project
  scope of PR-A for both groups and users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1583142/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to