[sdk] Fixing role assignment for groups on a domain different than default

Pedro Alvarez pedro.alvarez at softiron.com
Mon Mar 28 14:47:19 UTC 2022

Hi all,

Some time ago I discovered that I wasn't able to add groups as members 
of a project (when not in the default domain) using 

I spent some time debugging and figured what was the issue, and that a 
solution was already in place for "users", and not "groups".

I also noticed that the master branch had all this part of the codebase 
rewritten, and probably the bug doesn't exist in there, but I believe 
that version of the sdk won't work with Xena. Additionally just noticed 
that the stable/yoga branch also has the issue.

So, I'm sending a patch to fix this issue, hoping the next tag/release 
of openstacksdk could have the fix.

You can find them here:

My guess is that the only relevant one would be the one for 
'stable/yoga' and I can drop the other. Also I'm assuming that Zuul is 
taking its time to run CI, and I'll need to update some unit tests 
before it can be merged.

Just wanted to know your thoughts before I finish with the tests.


PS: An example of the current issue:

The full traceback is:
line 407, in __call__
     results = self.run()
line 178, in run
line 1379, in grant_role
     raise exc.OpenStackCloudException(
failed: [localhost] (item={'name': 'sa', 'groups': ['openstack-sa', 
'openstack-pe', 'openstack-technology']}) => {
     "ansible_facts": {
         "discovered_interpreter_python": "/usr/bin/python3"
     "ansible_loop_var": "item",
     "changed": false,
     "extra_data": {
         "data": null,
         "details": "None",
         "response": "None"
     "invocation": {
         "module_args": {
             "api_timeout": null,
             "auth": null,
             "auth_type": null,
             "availability_zone": null,
             "ca_cert": null,
             "client_cert": null,
             "client_key": null,
             "domain": "LDAP",
             "group": "openstack-pe",
             "interface": "public",
             "project": "sa",
             "region_name": null,
             "role": "member",
             "state": "present",
             "timeout": 180,
             "user": null,
             "validate_certs": null,
             "wait": true
     "item": {
         "groups": [
         "name": "sa"
     "msg": "Must specify either a user or a group"

More information about the openstack-discuss mailing list