<div dir="ltr"><div>Looks like that's a bug where we create a domain-specific role for the 'default' domain [1] when domain is not specified. <br></div><div><br></div><div>[1] <a href="https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/keystone/role.py#L54">https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/keystone/role.py#L54</a></div><div><br></div><div>You're welcome to raise a bug and propose a fix where we should be just removing the default.<br></div><div><br></div><div>On Thu, Jun 21, 2018 at 4:14 PM, Tikkanen, Viktor (Nokia - FI/Espoo) <span dir="ltr">&lt;<a href="mailto:viktor.tikkanen@nokia.com" target="_blank">viktor.tikkanen@nokia.com</a>&gt;</span> wrote:</div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">






<div>
<font face="Calibri" size="2"><span style="font-size:11pt">
<div>Hi!</div>
<div> </div>
<div>There was a new ’domain’ property added to OS::Keystone::Role (<a href="https://storyboard.openstack.org/#!/story/1684558" target="_blank"><font color="#0563C1"><u>https://storyboard.openstack.org/#!/story/1684558</u></font></a>, <a href="https://review.openstack.org/#/c/459033/" target="_blank"><font color="#0563C1"><u>https://review.openstack.org/#/c/459033/</u></font></a>).</div>
<div> </div>
<div>With “openstack role create” CLI command it is still possible to create roles with no associated domains; but it seems that the same cannot be done with heat templates.</div>
<div> </div>
<div>An example: if I create two roles, CliRole (with “openstack role create CliRole” command)  and SimpleRole with the following heat template:</div>
<div> </div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">heat_template_version: 2015-04-30</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">description: Creates a role</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">resources:</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">  role_resource:</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">    type: OS::Keystone::Role</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">    properties:</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">      name: SimpleRole</span></font></div>
<div> </div>
<div>the result in the keystone database will be:</div>
<div> </div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">MariaDB [keystone]> select * from role;</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">+----------------------------------+------------------+-------+-----------+</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| id                               | name             | extra | domain_id |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">+----------------------------------+------------------+-------+-----------+</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | &lt;&lt;null&gt;&gt;  |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | &lt;&lt;null&gt;&gt;  |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | &lt;&lt;null&gt;&gt;  |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | &lt;&lt;null&gt;&gt;  |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">| e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | &lt;&lt;null&gt;&gt;  |</span></font></div>
<div><font face="Courier New" size="2"><span style="font-size:10pt">+----------------------------------+------------------+-------+-----------+</span></font></div>
<div> </div>
<div>Should it be possible to create a role without associated domain with a heat template?</div><span class="gmail-m_8362786257317029042HOEnZb"><font color="#888888">
<div> </div>
<div>-V.</div>
<div> </div>
</font></span></span></font>
</div>

<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail-m_8362786257317029042gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Regards,</div>Rabi Mishra<div><br></div></div></div></div></div>
</div></div>
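<div>An added example, not part of the original thread or of Heat: a small audit helper that parses the <code>select * from role</code> output quoted above and reports roles that were expected to be global but carry a <code>domain_id</code>. The function names and the set of null markers are assumptions made for this illustration; the table is a constructed copy of the output in the thread.</div>

```python
# Constructed sample: the role table as quoted in the thread.
ROLE_TABLE = """\
+----------------------------------+------------------+-------+-----------+
| id                               | name             | extra | domain_id |
+----------------------------------+------------------+-------+-----------+
| 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
| 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
| 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
| 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | <<null>>  |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | <<null>>  |
| e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
+----------------------------------+------------------+-------+-----------+
"""

# Assumption: ways a SQL client may render a NULL cell.
NULL_MARKERS = {"<<null>>", "NULL", ""}


def _cells(line):
    """Split one '| a | b |' table row into stripped cell values."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_roles(table):
    """Parse an ASCII result table into dicts; NULL domain_id becomes None."""
    rows = [ln for ln in table.splitlines() if ln.lstrip().startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])
    roles = []
    for ln in rows[1:]:
        cells = _cells(ln)
        if len(cells) != len(header):
            raise ValueError("malformed row: %r" % ln)
        role = dict(zip(header, cells))
        if role["domain_id"] in NULL_MARKERS:
            role["domain_id"] = None
        roles.append(role)
    return roles


def unexpected_domain_roles(roles, expected_global):
    """Names of roles expected to be global that are bound to a domain."""
    return sorted(r["name"] for r in roles
                  if r["name"] in expected_global and r["domain_id"] is not None)


if __name__ == "__main__":
    print(unexpected_domain_roles(parse_roles(ROLE_TABLE), {"SimpleRole", "CliRole"}))
```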