[openstack-dev] [Keystone] [devstack] About _member_ role

Pasquale Porreca pasquale.porreca at dektech.com.au
Wed Feb 18 09:04:27 UTC 2015


I saw 2 different bug report that Devstack dashboard gives an error when
trying to manage projects
https://bugs.launchpad.net/devstack/+bug/1421616 and
https://bugs.launchpad.net/horizon/+bug/1421999
In my devstack environment projects were working just fine, so I tried a
fresh installation to see if I could reproduce the bug and I could
confirm that actually the bug is present in current devstack deployment.
Both reports point to the lack of _member_ role this error, so I just
tried to manually (i.e. via CLI) add a _member_ role and I verified that
just having it - even if not assigned to any user - fix the project
management in Horizon.

I didn't deeply analyze yet the root cause of this, but this behaviour
seemed quite weird, this is the reason I sent this mail to dev list.
Your explanation somewhat confirmed my doubts: I presume that adding a
_member_ role is merely a workaround and the real bug is somewhere else
- in Horizon code with highest chance.

On 02/17/15 21:01, Jamie Lennox wrote:
>
> ----- Original Message -----
>> From: "Pasquale Porreca" <pasquale.porreca at dektech.com.au>
>> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
>> Sent: Tuesday, 17 February, 2015 9:07:14 PM
>> Subject: [openstack-dev]  [Keystone] [devstack] About _member_ role
>>
>> I proposed a fix for a bug in devstack
>> https://review.openstack.org/#/c/156527/ caused by the fact the role
>> _member_ was not anymore created due to a recent change.
>>
>> But why is the existence of _member_ role necessary, even if it is not
>> necessary to be used? Is this a know/wanted feature or a bug by itself?
> So the way to be a 'member' of a project so that you can get a token scoped to that project is to have a role defined on that project. 
> The way we would handle that from keystone for default_projects is to create a default role _member_ which had no permissions attached to it, but by assigning it to the user on the project we granted membership of that project.
> If the user has any other roles on the project then the _member_ role is essentially ignored. 
>
> In that devstack patch I removed the default project because we want our users to explicitly ask for the project they want to be scoped to.
> This patch shouldn't have caused any issues though because in each of those cases the user is immediately granted a different role on the project - therefore having 'membership'. 
>
> Creating the _member_ role manually won't cause any problems, but what issue are you seeing where you need it?
>
>
> Jamie
>
>
>> --
>> Pasquale Porreca
>>
>> DEK Technologies
>> Via dei Castelli Romani, 22
>> 00040 Pomezia (Roma)
>>
>> Mobile +39 3394823805
>> Skype paskporr
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-- 
Pasquale Porreca

DEK Technologies
Via dei Castelli Romani, 22
00040 Pomezia (Roma)

Mobile +39 3394823805
Skype paskporr





More information about the OpenStack-dev mailing list