[openstack-dev] [heat][heat-templates] Creating a role with no domain
Zane Bitter
zbitter at redhat.com
Thu Jun 21 19:17:45 UTC 2018
On 21/06/18 07:39, Rabi Mishra wrote:
> Looks like that's a bug where we create a domain specific role for
> 'default' domain[1], when domain is not specified.
>
> [1]
> https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/keystone/role.py#L54

You can _probably_ pass

    domain: null

in your template. Worth a try, anyway.

- ZB

> You're welcome to raise a bug and propose a fix where we should be just
> removing the default.
>
> On Thu, Jun 21, 2018 at 4:14 PM, Tikkanen, Viktor (Nokia - FI/Espoo)
> <viktor.tikkanen at nokia.com> wrote:
>
> Hi!
> There was a new ’domain’ property added to OS::Keystone::Role
> (https://storyboard.openstack.org/#!/story/1684558,
> https://review.openstack.org/#/c/459033/).
> With “openstack role create” CLI command it is still possible to
> create roles with no associated domains; but it seems that the same
> cannot be done with heat templates.
> An example: if I create two roles, CliRole (with “openstack role
> create CliRole” command) and SimpleRole with the following heat
> template:
> heat_template_version: 2015-04-30
> description: Creates a role
> resources:
>   role_resource:
>     type: OS::Keystone::Role
>     properties:
>       name: SimpleRole
> the result in the keystone database will be:
> MariaDB [keystone]> select * from role;
> +----------------------------------+------------------+-------+-----------+
> | id                               | name             | extra | domain_id |
> +----------------------------------+------------------+-------+-----------+
> | 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
> | 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
> | 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
> | 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | <<null>>  |
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | <<null>>  |
> | e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
> +----------------------------------+------------------+-------+-----------+
> Should it be possible to create a role without associated domain
> with a heat template?
> -V.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>
>
>
>
> --
> Regards,
> Rabi Mishra
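
Added example, not part of the original thread or of Heat/Keystone: a small Python check that parses the `select * from role;` output quoted above and lists the roles that ended up tied to a domain. It treats the `<<null>>` value shown in that output as the marker for "no domain" (an assumption read off the table); `parse_table`, `domain_scoped_roles` and `expected_global` are hypothetical names.

```python
# Audit a mysql-client dump of the keystone `role` table for domain-scoped roles.
# SAMPLE is the table quoted in the thread; NO_DOMAIN is read off that output.
NO_DOMAIN = "<<null>>"

SAMPLE = """\
+----------------------------------+------------------+-------+-----------+
| id                               | name             | extra | domain_id |
+----------------------------------+------------------+-------+-----------+
| 5de0eee4990e4a59b83dae93af9c0951 | SimpleRole       | {}    | default   |
| 79472e6e1bf341208bd88e1c2dcf7f85 | CliRole          | {}    | <<null>>  |
| 7dd5e4ea87e54a13897eb465fdd0e950 | heat_stack_owner | {}    | <<null>>  |
| 80fd61edbe8842a7abb47fd7c91ba9d7 | heat_stack_user  | {}    | <<null>>  |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         | {}    | <<null>>  |
| e174c27e79b84ea392d28224eb0af7c9 | admin            | {}    | <<null>>  |
+----------------------------------+------------------+-------+-----------+
"""


def parse_table(text):
    """Parse ASCII table output into dicts (cells must not contain '|')."""
    rows = [
        [cell.strip() for cell in line.strip()[1:-1].split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip +----+ borders and prompts
    ]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    for row in body:
        if len(row) != len(header):  # e.g. a row wrapped by a mail client
            raise ValueError(f"row does not match header columns: {row}")
    return [dict(zip(header, row)) for row in body]


def domain_scoped_roles(roles, expected_global=()):
    """Return (scoped, misplaced): every role tied to a domain, and the names
    among them that the operator expected to be global."""
    # "NULL" is how the mysql client prints a real SQL NULL; treat it as global too.
    scoped = [r for r in roles if r["domain_id"] not in ("", "NULL", NO_DOMAIN)]
    misplaced = [r["name"] for r in scoped if r["name"] in expected_global]
    return scoped, misplaced


if __name__ == "__main__":
    scoped, misplaced = domain_scoped_roles(parse_table(SAMPLE), {"SimpleRole", "CliRole"})
    for r in scoped:
        print(f"{r['name']}: domain_id={r['domain_id']} id={r['id']}")
    print("expected global but domain-scoped:", misplaced)
```

The parser rejects rows whose cell count differs from the header, so a dump whose rows have been wrapped across lines fails loudly instead of being silently misread.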