yahoo-eng-team team mailing list archive

[Bug 1361758] Re: Keystone should bootstrap CONF.member_role_name

 

Not all deployments utilize a member_role, which is just a workaround to
support default tenancy assignments in v2. So, the "member" role should
be created on-demand, and only if necessary. In the case of a read-only
LDAP backend for assignments (which again, the community generally
doesn't have much interest in supporting), the deployer is expected to
create the role. The more elegant deployment would use a read-only LDAP
backend for only users and groups, keeping assignment information
(including OpenStack-specific roles, like the member role) in a SQL
backend.

** Changed in: keystone
       Status: Incomplete => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1361758

Title:
  Keystone should bootstrap CONF.member_role_name

Status in OpenStack Identity (Keystone):
  Opinion

Bug description:
  Keystone should bootstrap CONF.member_role_name. As of now, it is
  created on the first create_user call. In case of an LDAP backend there
  is no create_user call, so we will be missing this role. Horizon will
  not work without this role.

  Just like "default" domain, we should also bootstrap
  CONF.member_role_name  via keystone-manage db-synch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1361758/+subscriptions

