python-openstackclient

Cannot create role inference rule with domain-specific role

Bug #2065148 reported by Boris Bobrov on 2024-05-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	python-openstackclient	In Progress	Medium	Mohammed Al-Dokimi

Bug Description

Steps to reproduce:

1. Create a domain-specific role: openstack role create --domain mydomain test_role
2. Create a role reference with the role: openstack implied role create --implied-role member test_role

Expected: the role reference is created
Observed: a request is made to PUT /v3/roles/None/implies/<member role id> HTTP/1.1 and it results in 404.

3. Fine, the `openstack` cli cannot resolve `test_role` into id. Use the id directly: openstack implied role create --implied-role member ac929851d5a247f5af4c7e0ec5a2b326

Expected: the role reference is created
Observed: a request is made to PUT /v3/roles/None/implies/<member role id> HTTP/1.1 and it results in 404. `openstack` does not use the id even if directly provided.

Note: if i replace None in the requests above with the role id and make the request using curl, it succeeds.

Stephen Finucane (stephenfinucane) on 2024-08-07

Changed in python-openstackclient:
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

Mohammed Al-Dokimi (maldokim) wrote on 2025-10-20:

Hello all,

The problem here is with the domain. When we list the roles in openstack, we cannot get the domain scoped roles unless if we specify this. Thus, I am now working on a solution to add a new parameter ('--implied-role-domain' or '--role-domain'), I will then use this specified domain to get the scoped role and continue with the creation of the role interface.

Best,