[openstack-dev] [Keystone] [devstack] About _member_ role

Pasquale Porreca pasquale.porreca at dektech.com.au
Wed Feb 18 16:24:03 UTC 2015


Analyzing Horizon code I can confirm that the existence of _member_ role
is required, so the commit https://review.openstack.org/#/c/150667/
introduced the bug in devstack. More details and a fix proposal in my
change submission: https://review.openstack.org/#/c/156527/

On 02/18/15 10:04, Pasquale Porreca wrote:
> I saw 2 different bug report that Devstack dashboard gives an error when
> trying to manage projects
> https://bugs.launchpad.net/devstack/+bug/1421616 and
> https://bugs.launchpad.net/horizon/+bug/1421999
> In my devstack environment projects were working just fine, so I tried a
> fresh installation to see if I could reproduce the bug and I could
> confirm that actually the bug is present in current devstack deployment.
> Both reports point to the lack of _member_ role this error, so I just
> tried to manually (i.e. via CLI) add a _member_ role and I verified that
> just having it - even if not assigned to any user - fix the project
> management in Horizon.
>
> I didn't deeply analyze yet the root cause of this, but this behaviour
> seemed quite weird, this is the reason I sent this mail to dev list.
> Your explanation somewhat confirmed my doubts: I presume that adding a
> _member_ role is merely a workaround and the real bug is somewhere else
> - in Horizon code with highest chance.
>
> On 02/17/15 21:01, Jamie Lennox wrote:
>> ----- Original Message -----
>>> From: "Pasquale Porreca" <pasquale.porreca at dektech.com.au>
>>> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
>>> Sent: Tuesday, 17 February, 2015 9:07:14 PM
>>> Subject: [openstack-dev]  [Keystone] [devstack] About _member_ role
>>>
>>> I proposed a fix for a bug in devstack
>>> https://review.openstack.org/#/c/156527/ caused by the fact the role
>>> _member_ was not anymore created due to a recent change.
>>>
>>> But why is the existence of _member_ role necessary, even if it is not
>>> necessary to be used? Is this a know/wanted feature or a bug by itself?
>> So the way to be a 'member' of a project so that you can get a token scoped to that project is to have a role defined on that project. 
>> The way we would handle that from keystone for default_projects is to create a default role _member_ which had no permissions attached to it, but by assigning it to the user on the project we granted membership of that project.
>> If the user has any other roles on the project then the _member_ role is essentially ignored. 
>>
>> In that devstack patch I removed the default project because we want our users to explicitly ask for the project they want to be scoped to.
>> This patch shouldn't have caused any issues though because in each of those cases the user is immediately granted a different role on the project - therefore having 'membership'. 
>>
>> Creating the _member_ role manually won't cause any problems, but what issue are you seeing where you need it?
>>
>>
>> Jamie
>>
>>
>>> --
>>> Pasquale Porreca
>>>
>>> DEK Technologies
>>> Via dei Castelli Romani, 22
>>> 00040 Pomezia (Roma)
>>>
>>> Mobile +39 3394823805
>>> Skype paskporr
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-- 
Pasquale Porreca

DEK Technologies
Via dei Castelli Romani, 22
00040 Pomezia (Roma)

Mobile +39 3394823805
Skype paskporr




More information about the OpenStack-dev mailing list