yahoo-eng-team team mailing list archive

[Morgan Fainberg <morgan.fainberg@xxxxxxxxx>]

This is not really in the plans. Bootstrap is meant to get you to a
place you can setup the rest of the system via the APIs. It is
intentionally very narrow. Marking as wont fix.

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1553224

Title:
  keystone-manage bootstrap assumes user-project role assignment

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  keystone-manage bootstrap creates a role assignment for the specified
  user on the specified project. That is one way someone might want to
  do bootstrapping, but there are good reasons a user may need/prefer:

  1) user-domain role assignment... e.g. Switching identity drivers for
  an existing single-domain multi-project configuration. Bootstrapping
  is needed to configure the initial role assignments for the new
  driver. Since the "cloud admin" concept is not essential for single-
  domain environments, it may very well not be configured, yet the
  initial role assignment needs to grant someone the ability to create
  additional role assignments for all projects in the domain. This would
  be a domain admin.

  2) group-project role assignment... e.g. Where the desired end result
  is for a group-project role assignment on the cloud admin project, it
  makes more sense to allow that to be created directly (which could be
  done without even knowing the password of any user in that group) than
  to require bootstrapping of a single user and then using their account
  to create the group assignment and delete the bootstrapped assignment.

  3) group-domain role assignment... e.g. combination of #1 and #2

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1553224/+subscriptions