<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/18/2015 06:43 AM, Raildo Mascena
wrote:<br>
</div>
<blockquote
cite="mid:CA+o+YkrFHFsQ84hUX5M3wggOhcsSUcVYyfTniQh_yuj7c_DVvQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Rick,<br>
<br>
<div>In Keystone, Domains are the container of users, so a user
belongs to a domain and you can grant role assignments for
projects.</div>
<div><br>
</div>
<div>With this call that you made, you will set the project
default to this user, after that you need to grant a role for
this user in this project.</div>
<div><br>
</div>
<div>So, you can do:<b> openstack role add --user USER_NAME
--project TENANT_ID ROLE_NAME</b></div>
<div><b><br>
</b></div>
<div>and after that, you can verify if the assignment works
doing:<b> openstack role list --user USER_NAME --project
TENANT_ID</b></div>
<div><b><br>
</b></div>
<div>You can find more information about this here:<b> </b><a
moz-do-not-send="true"
href="http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html">http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html</a> or
find us on #openstack-keystone</div>
</div>
</blockquote>
<br>
Yes, I realize that.<br>
<br>
My issue was that in going from Keystone v2.0 to v3, openstack user
create --project $project changed behavior - in v2.0, openstack user
create --project $project adds the user as a member of the
$project. I wanted to know if this was 1) intentional behavior in
v2.0 2) intentionally removed in v3. I'm trying to make
puppet-keystone work with v3, while at the same time making sure all
of the existing puppet manifests work exactly as before. Since this
has changed, I had to work around it, by making the puppet-keystone
user create function also add the user to the project.<br>
<br>
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/174976/24/lib/puppet/provider/keystone_user/openstack.rb">https://review.openstack.org/#/c/174976/24/lib/puppet/provider/keystone_user/openstack.rb</a><br>
<br>
<blockquote
cite="mid:CA+o+YkrFHFsQ84hUX5M3wggOhcsSUcVYyfTniQh_yuj7c_DVvQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Cheers,</div>
<div><br>
</div>
<div>Raildo Mascena</div>
<div><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Jun 16, 2015 at 1:52 PM Rich Megginson
&lt;<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Using
admin token credentials with the Keystone v2.0 API and the<br>
openstackclient, doing this:<br>
<br>
# openstack project create bar --enable<br>
# openstack user create foo --project bar --enable ...<br>
<br>
The user will be added to the project.<br>
<br>
Using admin token credentials with the Keystone v3 API and
the<br>
openstackclient, using the v3 policy file with is_admin:1
added just<br>
about everywhere, doing this:<br>
<br>
# openstack project create bar --domain Default --enable<br>
# openstack user create foo --domain Default --enable
--project<br>
$project_id_of_bar ...<br>
<br>
The user will NOT be added to the project.<br>
<br>
Is this intentional? Am I missing some sort of policy to
allow user<br>
create to add the user to the given project?<br>
<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>