openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #21251
Re: [Keystone]Question: Assignment of default role
Yes, those are the two use cases we're supporting, although I'd encourage
Case 2, as it's generally much more intuitive.
-Dolph
On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda <
toyoda-reo@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Adam
>
> Thanks a lot for your answer.
>
> It is my understanding follows. Would that be OK with you?
> Case1: Create a user *with* specifying the tenant.
> * Default role is assigned.
> * I need to assign the required roles in "keystone user-role-add".
> * The user has two roles.
>
> Case2: Create a user *without* specifying the tenant.
> * I need to assign the required roles and the tenant in "keystone
> user-role-add".
> * The user has one role.
>
> Thanks,
> Leo Toyoda
>
>
> > -----Original Message-----
> > From:
> > openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launc
> > hpad.net
> > [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lis
> > ts.launchpad.net] On Behalf Of Adam Young
> > Sent: Saturday, February 23, 2013 5:31 AM
> > To: openstack@xxxxxxxxxxxxxxxxxxx
> > Subject: Re: [Openstack] [Keystone]Question: Assignment of
> > default role
> >
> > Yes, this is new. We are removing the direct associtation
> > between users and projects (Project members) and replacing it
> > with a Role (_member_)
> >
> > The _ is there to ensure it does not conflict with existing roles.
> >
> > The two different ways of associating users to projects was
> > causing problems. With RBAC, we can now enforce policy about
> > project membership that we could not do before.
> >
> >
> >
> >
> >
> > On 02/21/2013 09:39 PM, Leo Toyoda wrote:
> > > Hi, everyone
> > >
> > > I'm using the master branch devstack.
> > > I hava a question about assignment of default role (Keystone).
> > >
> > > When I create a user to specify the tenant, '_member_' is
> > assigned to the roles.
> > > $ keystone user-create --name test --tenant-id e61..7f6 --pass test
> > > --email test@xxxxxxxxxxx
> > > +----------+-------------------+
> > > | Property | Value |
> > > +----------+-------------------+
> > > | email | test5@xxxxxxxxxxx |
> > > | enabled | True |
> > > | id | af1..8d2 |
> > > | name | test |
> > > | tenantId | e61..7f6 |
> > > +----------+-------------------+
> > > $ keystone user-role-list --user test --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > | id | name | user_id | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 9fe..bab | _member_ | af1..8d2 | e61..7f6 |
> > > +----------+----------+----------+-----------+
> > >
> > > Then, assign the "Member" role to the user.
> > > Hitting assigned two roles of 'Member' and '_member_'.
> > > $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant
> > > e61..7f6 $ keystone user-role-list --user af1..8d2 --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > | id | name | user_id | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 57d..d1f | Member | af1..8d2 | e61..7f6 | 9fe..bab |
> > _member_ |
> > > | af1..8d2 | e61..7f6 |
> > > +----------+----------+----------+-----------+
> > >
> > > When I create a user without specifying a tenant, I assign
> > 'Member' role.
> > > In this case, Only one role is assigned.
> > > $ keystone user-create --name test2 --pass test --email
> > > test2@xxxxxxxxxxx
> > > +----------+-------------------+
> > > | Property | Value |
> > > +----------+-------------------+
> > > | email | test2@xxxxxxxxxxx |
> > > | enabled | True |
> > > | id | c22..a6d |
> > > | name | test2 |
> > > | tenantId | |
> > > +----------+-------------------+
> > > $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant
> > > e61..7f6 $ keystone user-role-list --user c22..a6d --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > | id | name | user_id | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 57d..d1f | Member | c22..a6d | e61..7f6 |
> > > +----------+----------+----------+-----------+
> > >
> > > Is it expected behavior that two rolls are assigned?
> > >
> > > Thanks
> > > Leo Toyoda
> > >
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~openstack
> > > Post to : openstack@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe : https://launchpad.net/~openstack
> > > More help : https://help.launchpad.net/ListHelp
> >
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
> >
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
Follow ups
References