OSPRH-2916 (Red Hat OpenStack Services on OpenShift)

BZ#2054712 [RFE] Support System Role Assignments


      Description of problem:
      HEAT stack does not support the keystone keyword 'system' in user roles.

      In the OSP docs we see that we can assign system roles to users:

      https://docs.openstack.org/api-ref/identity/v3/?expanded=assign-a-system-role-to-a-user-detail#assign-a-system-role-to-a-user

      In the Keystone heat templates I only found an option to assign a role to a user, along with either project or domain (no system option).

      https://docs.openstack.org/heat/latest/template_guide/openstack.html#OS::Keystone::Role

      '...Roles can be granted at either the domain or project level...'

      There should be a way to create a heat template which assigns system user roles as well.

      Version-Release number of selected component (if applicable):
      17

      How reproducible:
      100%

      Steps to Reproduce:
      1. Run the yaml/template file mentioned below with the command:
      `openstack stack create -t <yaml_file> my_roles`
      2.
      3.

      Actual results:
      Error:
      heat.common.exception.StackValidationFailed: Property error: resources.system_reader.properties.roles[0]: Unknown Property system

      Expected results:
      Heat engine accepts the mentioned template and creates the resources.

      Additional info:
      Here is a short version of the heat template I use:

      ```
      heat_template_version: rocky

      description: All resources which are required to deploy for the Secure RBAC test plan

      parameters:

      resources:

        # Users
        system_reader:
          type: OS::Keystone::User
          properties:
            name: system_reader
            password: testerpass
            # 'system' is the key that Heat rejects with "Unknown Property system"
            roles: [ {"system": all, "role": reader} ]
      ```

      In the 'roles' value, using 'project' or 'domain' as keywords works, but 'system' doesn't.

      The CLI also accepts "--system all" as an argument when running:
      `openstack role add reader --user reader --system all`
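
A pre-flight check for the failure described above, as an added example that is not part of the original report and not Heat's own code: it walks a parsed template, flags `roles` entries whose keys go beyond `role`, `project` and `domain` using the same property path as the error message, and builds the `openstack role add ... --system` form quoted in the report as a post-create step. The `project_reader` resource, the `demo` project and the `<user>` placeholder are constructed for illustration.

```python
# Added example, not Heat's validation code.
# Assumption (from the report): a 'roles' entry accepts 'role' plus 'project' or 'domain'.
SUPPORTED_KEYS = {"role", "project", "domain"}
USER_TYPE = "OS::Keystone::User"

# Constructed sample: the template from the report, already parsed into a dict.
TEMPLATE = {
    "heat_template_version": "rocky",
    "resources": {
        "system_reader": {
            "type": USER_TYPE,
            "properties": {
                "name": "system_reader",
                "roles": [{"system": "all", "role": "reader"}],
            },
        },
        "project_reader": {  # hypothetical second user, for contrast
            "type": USER_TYPE,
            "properties": {
                "name": "project_reader",
                "roles": [{"project": "demo", "role": "reader"}],
            },
        },
    },
}


def lint_role_scopes(template):
    """Return (property_path, unsupported_key, cli_fallback) per rejected key."""
    findings = []
    for res_name, res in (template.get("resources") or {}).items():
        if res.get("type") != USER_TYPE:
            continue
        props = res.get("properties") or {}
        user = props.get("name", "<user>")  # placeholder when no name is set
        for i, entry in enumerate(props.get("roles") or []):
            for key in sorted(set(entry) - SUPPORTED_KEYS):
                path = f"resources.{res_name}.properties.roles[{i}]"
                fallback = None
                if key == "system" and "role" in entry:
                    # CLI form quoted in the report, run after the stack exists
                    fallback = (f"openstack role add {entry['role']} "
                                f"--user {user} --system {entry[key]}")
                findings.append((path, key, fallback))
    return findings


if __name__ == "__main__":
    for path, key, fallback in lint_role_scopes(TEMPLATE):
        print(f"{path}: Unknown Property {key}")
        print(f"  assign after stack create: {fallback}")
```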
