Looks like that's a bug where we create a domain specific role for 'default' domain[1], when domain is not specified.

[1] https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/keystone/role.py#L54

You're welcome to raise a bug and propose a fix where we should be just removing the default.

On Thu, Jun 21, 2018 at 4:14 PM, Tikkanen, Viktor (Nokia - FI/Espoo) <viktor.tikkanen at nokia.com> wrote:

> Hi!
>
> There was a new ’domain’ property added to OS::Keystone::Role
> (https://storyboard.openstack.org/#!/story/1684558,
> https://review.openstack.org/#/c/459033/).
>
> With “openstack role create” CLI command it is still possible to create
> roles with no associated domains; but it seems that the same cannot be done
> with heat templates.
>
> An example: if I create two roles, CliRole (with “openstack role create
> CliRole” command) and SimpleRole with the following heat template:
>
> heat_template_version: 2015-04-30
> description: Creates a role
> resources:
>   role_resource:
>     type: OS::Keystone::Role
>     properties:
>       name: SimpleRole
>
> the result in the keystone database will be:
>
> MariaDB [keystone]> select * from role;
> +----------------------------------+------------------+-------+-----------+
> | id                               | name             | extra | domain_id |
> +----------------------------------+------------------+-------+-----------+
> | 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
> | 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
> | 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
> | 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | <<null>>  |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | <<null>>  |
> | e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
> +----------------------------------+------------------+-------+-----------+
>
> Should it be possible to create a role without associated domain with a
> heat template?
>
> -V.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Regards,
Rabi Mishra