openstack team mailing list archive

Re: [Keystone]Question: Assignment of default role

 

Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects were causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.





On 02/21/2013 09:39 PM, Leo Toyoda wrote:
Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user to specify the tenant, '_member_' is assigned to the roles.
$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email test@xxxxxxxxxxx
+----------+-------------------+
| Property |      Value        |
+----------+-------------------+
|  email   | test5@xxxxxxxxxxx |
| enabled  |       True        |
|    id    |     af1..8d2      |
|   name   |       test        |
| tenantId |     e61..7f6      |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, assign the "Member" role to the user.
Hitting assigned two roles of 'Member' and '_member_'.
$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_  | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role.
In this case, only one role is assigned.
$ keystone user-create --name test2 --pass test --email test2@xxxxxxxxxxx
+----------+-------------------+
| Property |      Value        |
+----------+-------------------+
|  email   | test2@xxxxxxxxxxx |
| enabled  |      True         |
|    id    |    c22..a6d       |
|   name   |      test2        |
| tenantId |                   |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f  --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda
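
Added example, not part of the original thread and not Keystone code: a small Python parser for the `keystone user-role-list` table output quoted above, which separates the automatic `_member_` membership role from explicitly granted roles per user and tenant. The function names and the sample text (the thread's two final tables, concatenated with their abbreviated IDs) are constructed for illustration.

```python
from collections import defaultdict

MEMBERSHIP_ROLE = "_member_"  # role name as given in the thread

# Constructed sample: the two final role listings quoted in the thread,
# concatenated; IDs are the abbreviated placeholders used there.
SAMPLE = """\
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_  | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+
"""

def parse_role_table(text):
    """Yield one dict per data row of a role listing; skip other lines."""
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # borders (+---+), shell prompts, blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if "user_id" in cells and "name" in cells:
            header = cells  # header row (may repeat for each table)
            continue
        if header and len(cells) == len(header):
            yield dict(zip(header, cells))

def summarize(text):
    """Map (user_id, tenant_id) -> membership flag and explicit roles."""
    out = defaultdict(lambda: {"member": False, "explicit": []})
    for row in parse_role_table(text):
        entry = out[(row["user_id"], row["tenant_id"])]
        if row["name"] == MEMBERSHIP_ROLE:
            entry["member"] = True
        else:
            entry["explicit"].append(row["name"])
    return dict(out)

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        print(key, entry)
```

On the thread's data, user af1..8d2 carries both `_member_` and `Member` on the tenant, while c22..a6d has `Member` only.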

