
openstack team mailing list archive

Re: [Keystone]Question: Assignment of default role

 

Yes, those are the two use cases we're supporting, although I'd encourage
Case 2, as it's generally much more intuitive.

-Dolph


On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda <toyoda-reo@xxxxxxxxxxxxxxxxxxxxx> wrote:

> Hi Adam
>
> Thanks a lot for your answer.
>
> My understanding is as follows. Would that be OK with you?
> Case1: Create a user *with* specifying the tenant.
>     * Default role is assigned.
>     * I need to assign the required roles in "keystone user-role-add".
>     * The user has two roles.
>
> Case2: Create a user *without* specifying the tenant.
>     * I need to assign the required roles and the tenant in "keystone user-role-add".
>     * The user has one role.
>
> Thanks,
> Leo Toyoda
>
>
> > -----Original Message-----
> > From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net
> > [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
> > Sent: Saturday, February 23, 2013 5:31 AM
> > To: openstack@xxxxxxxxxxxxxxxxxxx
> > Subject: Re: [Openstack] [Keystone]Question: Assignment of default role
> >
> > Yes, this is new.  We are removing the direct association
> > between users and projects (Project members) and replacing it
> > with a Role (_member_).
> >
> > The _ is there to ensure it does not conflict with existing roles.
> >
> > The two different ways of associating users to projects were
> > causing problems.  With RBAC, we can now enforce policy about
> > project membership that we could not do before.
> >
> >
> >
> >
> >
> > On 02/21/2013 09:39 PM, Leo Toyoda wrote:
> > > Hi, everyone
> > >
> > > I'm using the master branch devstack.
> > > I have a question about assignment of default role (Keystone).
> > >
> > > When I create a user to specify the tenant, '_member_' is assigned to the roles.
> > > $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email test@xxxxxxxxxxx
> > > +----------+-------------------+
> > > | Property |      Value        |
> > > +----------+-------------------+
> > > |  email   | test5@xxxxxxxxxxx |
> > > | enabled  |       True        |
> > > |    id    |     af1..8d2      |
> > > |   name   |       test        |
> > > | tenantId |     e61..7f6      |
> > > +----------+-------------------+
> > > $ keystone user-role-list --user test --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > |    id    |   name   | user_id  | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
> > > +----------+----------+----------+-----------+
> > >
> > > Then, assign the "Member" role to the user.
> > > As a result, two roles are assigned: 'Member' and '_member_'.
> > > $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
> > > $ keystone user-role-list --user af1..8d2 --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > |    id    |   name   | user_id  | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
> > > | 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
> > > +----------+----------+----------+-----------+
> > >
> > > When I create a user without specifying a tenant, I assign the 'Member' role.
> > > In this case, only one role is assigned.
> > > $ keystone user-create --name test2 --pass test --email test2@xxxxxxxxxxx
> > > +----------+-------------------+
> > > | Property |      Value        |
> > > +----------+-------------------+
> > > |  email   | test2@xxxxxxxxxxx |
> > > | enabled  |      True         |
> > > |    id    |    c22..a6d       |
> > > |   name   |      test2        |
> > > | tenantId |                   |
> > > +----------+-------------------+
> > > $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
> > > $ keystone user-role-list --user c22..a6d --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > |    id    |   name   | user_id  | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 57d..d1f |  Member  | c22..a6d | e61..7f6  |
> > > +----------+----------+----------+-----------+
> > >
> > > Is it expected behavior that two roles are assigned?
> > >
> > > Thanks
> > > Leo Toyoda
> > >
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~openstack
> > > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe : https://launchpad.net/~openstack
> > > More help   : https://help.launchpad.net/ListHelp
>
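
Added example, not part of the thread: a shell helper that reads `keystone user-role-list` output and reports whether a user's roles on a tenant are the implicit `_member_` only, explicitly granted roles only (Case 2), or both (Case 1). The function names and the sample tables are constructed for illustration; the role names and abbreviated IDs are the ones quoted above.

```shell
# Print one role name per line from the ASCII table on stdin.
role_names() {
    awk -F'|' '
        NF >= 5 && $3 !~ /^ *name *$/ {   # data rows only: skip borders and header
            gsub(/^ +| +$/, "", $3)       # trim column padding
            if ($3 != "") print $3
        }'
}

# Classify the roles a user holds on one tenant:
#   implicit-only  only _member_ (user created with a tenant, nothing added)
#   explicit-only  only roles granted with user-role-add (Case 2)
#   mixed          _member_ plus explicit roles (Case 1)
#   none           no rows in the table
membership_kind() {
    role_names | awk '
        $0 == "_member_" { implicit++; next }
        { explicit++ }
        END {
            if (implicit && explicit) print "mixed"
            else if (implicit)        print "implicit-only"
            else if (explicit)        print "explicit-only"
            else                      print "none"
        }'
}

# Constructed sample tables, modelled on the output quoted in the thread.
sample_case1() {
    cat <<'EOF'
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+
EOF
}
sample_case2() {
    cat <<'EOF'
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+
EOF
}

echo "case 1: $(sample_case1 | membership_kind)"
echo "case 2: $(sample_case2 | membership_kind)"
```

Against a live deployment the same check would be `keystone user-role-list --user <id> --tenant <id> | membership_kind`.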
