
openstack team mailing list archive

Re: keystone-admin-role question


Hi Rafael -

These are special roles that allow you to administer Keystone itself or act as a service (register yourself, your endpoints, and your roles). Those operations are global and make no sense at the tenant level (at least I haven't seen a valid use case for them at the tenant level).

As for being able to administer a tenant (for example, having an Admin role on a tenant so you can grant users access to that tenant), that's a valid future use case that isn't being addressed right now. We're leaving that use case to be addressed through extensions (and are proposing some in the Diablo timeframe).

Z
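A minimal model of the distinction Z draws above, added here as an illustration (it is not Keystone's own code, and the role names and the RoleRef/Token types are assumptions): a grant with no tenant_id counts as global Keystone admin, while a tenant-scoped grant does not, and a separate tenant-scoped check is kept apart so the two scopes cannot be confused.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed role names for illustration; the thread only says "Admin role" and
# "Keystone-admin-role".
KEYSTONE_ADMIN_ROLE = "Admin"
SERVICE_ADMIN_ROLE = "KeystoneServiceAdmin"


@dataclass(frozen=True)
class RoleRef:
    role_name: str
    tenant_id: Optional[str]  # None = global grant, otherwise scoped to one tenant


@dataclass(frozen=True)
class Token:
    user_id: str
    roles: Tuple[RoleRef, ...]


def is_keystone_admin(token: Token) -> bool:
    """Mirror of the check described in the thread: the admin/service roles
    count only when the grant has no tenant (role_ref.tenant_id is None)."""
    return any(
        r.role_name in (KEYSTONE_ADMIN_ROLE, SERVICE_ADMIN_ROLE) and r.tenant_id is None
        for r in token.roles
    )


def is_tenant_admin(token: Token, tenant_id: str) -> bool:
    """Tenant-scoped admin check of the kind the reply leaves to extensions.
    It is deliberately separate: a global grant is not treated as tenant
    admin here, and a tenant-scoped grant never satisfies is_keystone_admin."""
    return any(
        r.role_name == KEYSTONE_ADMIN_ROLE and r.tenant_id == tenant_id
        for r in token.roles
    )


# Constructed sample tokens.
GLOBAL_ADMIN = Token("alice", (RoleRef("Admin", None),))
TENANT_ADMIN = Token("bob", (RoleRef("Admin", "tenant-42"),))
PLAIN_USER = Token("carol", (RoleRef("Member", "tenant-42"),))

if __name__ == "__main__":
    for t in (GLOBAL_ADMIN, TENANT_ADMIN, PLAIN_USER):
        print(t.user_id, "global:", is_keystone_admin(t),
              "tenant-42:", is_tenant_admin(t, "tenant-42"))
```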


From: Rafael Durán Castañeda <rafadurancastaneda@xxxxxxxxx>
Date: Tue, 23 Aug 2011 16:20:31 +0200
To: <openstack@xxxxxxxxxxxxxxxxxxx>
Subject: [Openstack] keystone-admin-role question

Hi,

Looking at code from Keystone I found something that doesn't make sense to me. Looking at the __validate_service_or_keystone_admin_token <https://github.com/openstack/keystone/blob/master/keystone/logic/service.py#L510> method, Keystone-admin-role is valid only if it isn't associated to any tenant (role_ref.tenant_id is None), so a user has the Admin role for all tenants or none. Is this the expected behavior? Is it possible to grant the Admin role for a specific tenant in any way? I think it would be more flexible to be able to grant a role to a specific tenant too, but I suppose there is a good reason for this, isn't there?

Bye
