Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2054712

Summary: [RFE] Support System Role Assignments
Product: Red Hat OpenStack
Reporter: Omer Schwartz <oschwart>
Component: openstack-heat
Assignee: OSP Team <rhos-maint>
Status: CLOSED MIGRATED
QA Contact: David Rosenfeld <drosenfe>
Severity: medium
Priority: medium
Version: 18.0 (Zed)
CC: bbonguar, dmendiza, pweeks, ramishra
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2024-01-04 16:24:45 UTC
Type: Bug

Description Omer Schwartz 2022-02-15 14:52:54 UTC
Description of problem:
HEAT stack does not support the keystone keyword 'system' in user roles.

In the OSP docs we see that we can assign system roles to users:

https://docs.openstack.org/api-ref/identity/v3/?expanded=assign-a-system-role-to-a-user-detail#assign-a-system-role-to-a-user

In the Keystone heat templates I only found an option to assign a role to a user, along with either project or domain (no system option).

https://docs.openstack.org/heat/latest/template_guide/openstack.html#OS::Keystone::Role

'...Roles can be granted at either the domain or project level...'


There should be a way to create a heat template which assigns system user roles as well.

Version-Release number of selected component (if applicable):
17

How reproducible:
100%

Steps to Reproduce:
1. Run the yaml/template file mentioned below with the command:
`openstack stack create -t <yaml_file> my_roles`

Actual results:
Error:
heat.common.exception.StackValidationFailed: Property error: resources.system_reader.properties.roles[0]: Unknown Property system

Expected results:
Heat engine accepts the mentioned template and creates the resources.

Additional info:
Here is a short version of the heat template I use:

```
---

heat_template_version: rocky

description: All resources which are required to deploy for the Secure RBAC test plan

parameters:

resources:

  # Users
  system_reader:
    type: OS::Keystone::User
    properties:
      name: system_reader
      password: testerpass
      roles: [{"system": all, "role": reader}]
```


In the 'roles' value, using 'project' or 'domain' as keywords works, but 'system' doesn't.


The CLI also accepts "--system all" as an argument when running:
`openstack role add reader --user reader --system all`
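
The following is an added example, not part of the original report and not Heat or Keystone code: a pre-flight check that separates the role entries the report says Heat accepts (`project`, `domain`) from `system`-scoped ones, and emits the CLI call quoted above for the latter. The function name, the sample dictionary (the report's template as parsed YAML plus a hypothetical project-scoped user) and the rule that `all` is the only system target are assumptions.

```python
import shlex

# Scopes the report says work in the 'roles' property of OS::Keystone::User.
HEAT_SCOPES = {"project", "domain"}

# Constructed sample: the report's system_reader user as parsed YAML, plus a
# hypothetical project-scoped user for contrast.
SAMPLE_RESOURCES = {
    "system_reader": {
        "type": "OS::Keystone::User",
        "properties": {"name": "system_reader",
                       "roles": [{"system": "all", "role": "reader"}]},
    },
    "project_member": {
        "type": "OS::Keystone::User",
        "properties": {"name": "project_member",
                       "roles": [{"project": "demo", "role": "member"}]},
    },
}

def split_roles(resources):
    """Return (roles Heat can validate, CLI follow-ups for system scope)."""
    heat_roles, followups = {}, []
    for res_name, res in resources.items():
        if res.get("type") != "OS::Keystone::User":
            continue
        props = res.get("properties") or {}
        user = props.get("name", res_name)
        heat_roles[res_name] = []
        for entry in props.get("roles") or []:
            scopes = [key for key in entry if key != "role"]
            if "role" not in entry or len(scopes) != 1:
                raise ValueError(f"{res_name}: want 'role' and one scope, got {entry}")
            scope = scopes[0]
            if scope in HEAT_SCOPES:
                heat_roles[res_name].append(entry)
            elif scope == "system" and entry[scope] == "all":
                # Assumption: 'all' is the only system target, as in the CLI call.
                followups.append("openstack role add {} --user {} --system all".format(
                    shlex.quote(entry["role"]), shlex.quote(user)))
            else:
                raise ValueError(f"{res_name}: unsupported scope in {entry}")
    return heat_roles, followups

if __name__ == "__main__":
    accepted, commands = split_roles(SAMPLE_RESOURCES)
    print(accepted)
    print("\n".join(commands))
```

Rejecting entries that name more than one scope keeps a template from silently granting a role at a wider scope than intended.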