
openstack team mailing list archive

[Keystone]Question: Assignment of default role

 

Hi, everyone

I'm using the master branch devstack.
I have a question about the assignment of the default role (Keystone).

When I create a user and specify the tenant, '_member_' is assigned as a role.
$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email test@xxxxxxxxxxx
+----------+-------------------+
| Property |      Value        |
+----------+-------------------+
|  email   | test5@xxxxxxxxxxx |
| enabled  |       True        |
|    id    |     af1..8d2      |
|   name   |       test        |
| tenantId |     e61..7f6      |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then I assign the "Member" role to the user.
The user ends up with two roles assigned, 'Member' and '_member_'.
$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6 
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_  | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign the 'Member' role.
In this case, only one role is assigned.
$ keystone user-create --name test2 --pass test --email test2@xxxxxxxxxxx
+----------+-------------------+
| Property |      Value        |
+----------+-------------------+
|  email   | test2@xxxxxxxxxxx |
| enabled  |      True         |
|    id    |    c22..a6d       |
|   name   |      test2        |
| tenantId |                   |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f  --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda


