openstack team mailing list archive
Message #21227
Re: [Keystone]Question: Assignment of default role
Hi Adam
Thanks a lot for your answer.
My understanding is as follows. Would that be OK with you?
Case1: Create a user *with* specifying the tenant.
* Default role is assigned.
* I need to assign the required roles in "keystone user-role-add".
* The user has two roles.
Case2: Create a user *without* specifying the tenant.
* I need to assign the required roles and the tenant in "keystone user-role-add".
* The user has one role.
Thanks,
Leo Toyoda
> -----Original Message-----
> From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net
> [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
> Sent: Saturday, February 23, 2013 5:31 AM
> To: openstack@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openstack] [Keystone]Question: Assignment of default role
>
> Yes, this is new. We are removing the direct association
> between users and projects (Project members) and replacing it
> with a Role (_member_).
>
> The _ is there to ensure it does not conflict with existing roles.
>
> The two different ways of associating users to projects was
> causing problems. With RBAC, we can now enforce policy about
> project membership that we could not do before.
>
> On 02/21/2013 09:39 PM, Leo Toyoda wrote:
> > Hi, everyone
> >
> > I'm using the master branch devstack.
> > I have a question about assignment of default role (Keystone).
> >
> > When I create a user to specify the tenant, '_member_' is assigned to the roles.
> > $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email test@xxxxxxxxxxx
> > +----------+-------------------+
> > | Property | Value |
> > +----------+-------------------+
> > | email | test5@xxxxxxxxxxx |
> > | enabled | True |
> > | id | af1..8d2 |
> > | name | test |
> > | tenantId | e61..7f6 |
> > +----------+-------------------+
> > $ keystone user-role-list --user test --tenant e61..7f6
> > +----------+----------+----------+-----------+
> > | id | name | user_id | tenant_id |
> > +----------+----------+----------+-----------+
> > | 9fe..bab | _member_ | af1..8d2 | e61..7f6 |
> > +----------+----------+----------+-----------+
> >
> > Then, assign the "Member" role to the user.
> > As a result, two roles are assigned: 'Member' and '_member_'.
> > $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
> > $ keystone user-role-list --user af1..8d2 --tenant e61..7f6
> > +----------+----------+----------+-----------+
> > | id | name | user_id | tenant_id |
> > +----------+----------+----------+-----------+
> > | 57d..d1f | Member | af1..8d2 | e61..7f6 |
> > | 9fe..bab | _member_ | af1..8d2 | e61..7f6 |
> > +----------+----------+----------+-----------+
> >
> > When I create a user without specifying a tenant, I assign the 'Member' role.
> > In this case, only one role is assigned.
> > $ keystone user-create --name test2 --pass test --email test2@xxxxxxxxxxx
> > +----------+-------------------+
> > | Property | Value |
> > +----------+-------------------+
> > | email | test2@xxxxxxxxxxx |
> > | enabled | True |
> > | id | c22..a6d |
> > | name | test2 |
> > | tenantId | |
> > +----------+-------------------+
> > $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
> > $ keystone user-role-list --user c22..a6d --tenant e61..7f6
> > +----------+----------+----------+-----------+
> > | id | name | user_id | tenant_id |
> > +----------+----------+----------+-----------+
> > | 57d..d1f | Member | c22..a6d | e61..7f6 |
> > +----------+----------+----------+-----------+
> >
> > Is it expected behavior that two roles are assigned?
> >
> > Thanks
> > Leo Toyoda
> >
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
>
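The two cases from this thread, as an added example that is not part of the original messages or of Keystone: it parses `keystone user-role-list` table output and reports role assignments that no `user-role-add` call granted, such as the `_member_` role added by `user-create --tenant-id`. The table text is constructed from the output quoted above (IDs stay elided as in the thread), and `EXPLICIT_GRANTS`, `parse_role_table` and `implicit_assignments` are hypothetical names.

```python
# Added example. Sample tables are constructed from the output quoted in the
# thread; the elided IDs (e.g. "57d..d1f") are kept exactly as they appear there.
IMPLICIT_ROLE = "_member_"  # role name given in Adam Young's reply

CASE1 = """
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | af1..8d2 |  e61..7f6 |
| 9fe..bab | _member_ | af1..8d2 |  e61..7f6 |
+----------+----------+----------+-----------+
"""
CASE2 = """
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | c22..a6d |  e61..7f6 |
+----------+----------+----------+-----------+
"""
# Assumption: the operator keeps a record of every explicit `user-role-add`
# as (user_id, role_id, tenant_id).
EXPLICIT_GRANTS = {
    ("af1..8d2", "57d..d1f", "e61..7f6"),
    ("c22..a6d", "57d..d1f", "e61..7f6"),
}

def parse_role_table(text):
    """Turn the ASCII table printed by `keystone user-role-list` into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|") and line.endswith("|"):
            rows.append([cell.strip() for cell in line[1:-1].split("|")])
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def implicit_assignments(text, explicit=EXPLICIT_GRANTS):
    """Return (kind, role, user_id, tenant_id) for assignments nobody granted."""
    findings = []
    for a in parse_role_table(text):
        if (a["user_id"], a["id"], a["tenant_id"]) not in explicit:
            kind = "membership" if a["name"] == IMPLICIT_ROLE else "unexpected"
            findings.append((kind, a["name"], a["user_id"], a["tenant_id"]))
    return findings

if __name__ == "__main__":
    for label, out in (("case 1", CASE1), ("case 2", CASE2)):
        print(label, implicit_assignments(out))
```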