File 0001-Allow-domain-admin-to-list-projest-assignments.patch of Package openstack-keystone

From 7b1e6def0f9cbe3e29aff9763fa33e7c035f5f1f Mon Sep 17 00:00:00 2001
From: Boris Bobrov <bbobrov@suse.com>
Date: Fri, 29 Mar 2019 16:40:30 +0100
Subject: [PATCH] Allow domain admin to list projest assignments

Domain admin (i.e. admin role on the given domain) is able to list the
role assignments on the domain (with the --domain filter) itself and the
projects (with the --project filter) under that domain.
---
 keystone/assignment/controllers.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py
index 845744d1f..f7630da33 100644
--- a/keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
@@ -955,7 +955,8 @@ class RoleAssignmentV3(controller.V3Controller):
     @controller.filterprotected('group.id', 'role.id',
                                 'scope.domain.id', 'scope.project.id',
                                 'scope.OS-INHERIT:inherited_to', 'user.id')
-    def list_role_assignments(self, request, filters):
+    def list_role_assignments(self, request, filters, **kwargs):
+        # not passing kwargs because they were used only for policy check
         return self._list_role_assignments(request, filters)
 
     def _check_list_tree_protection(self, request, protection_info):
@@ -999,4 +1000,9 @@ class RoleAssignmentV3(controller.V3Controller):
                 self.query_filter_is_true(params['include_subtree'])):
             return self.list_role_assignments_for_tree(request)
         else:
-            return self.list_role_assignments(request)
+            kwargs = {}
+            scope_project_id = params.get('scope.project.id')
+            if scope_project_id:
+                project = self.resource_api.get_project(scope_project_id)
+                kwargs['scope.project.domain.id'] = project['domain_id']
+            return self.list_role_assignments(request, **kwargs)
-- 
2.13.7