<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>Hi Rafael -</div>
<div><br>
</div>
<div>These are special roles that allow you to administer Keystone itself or act as a service (register yourself, your endpoints, and your roles). Those operations are global and make no sense at the tenant level (at least I haven't seen a valid use case for
them at the tenant level).</div>
<div><br>
</div>
<div>As for being able to administer a tenant (example, having an Admin role on a tenant so you can, for example, grant users access to that tenant), that’s a valid future use case that isn't being addressed right now. We're leaving that use case to be addressed
through extensions (and are proposing some in the Diablo timeframe).</div>
<div><br>
</div>
<div>Z</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Rafael Durán Castañeda <<a href="mailto:rafadurancastaneda@gmail.com">rafadurancastaneda@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tue, 23 Aug 2011 16:20:31 +0200<br>
<span style="font-weight:bold">To: </span><<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>><br>
<span style="font-weight:bold">Subject: </span>[Openstack] keystone-admin-role question<br>
</div>
<div><br>
</div>
<font size="2">Hi,<br>
<br>
</font><font size="2">Looking at code from Keystone I found something that doesn't make sense to me. Looking at
</font><font size="4"><span class="nf"><font size="2"><a href="https://github.com/openstack/keystone/blob/master/keystone/logic/service.py#L510">__validate_service_or_keystone_admin_token
</a>method Keystone-admin-role is valid only if it isn't associated to any tenant (</font></span></font><font size="2"><span class="n">role_ref</span><span class="o">.</span><span class="n">tenant_id</span>
<span class="ow">is</span> <span class="bp">None</span></font><font size="4"><span class="nf"><font size="2">), so a user has Admin role for all tenants or none, is this the expected behavior? Is it possible to grant Admin role for specific tenant in any way?
I think would be more flexible being able to grant role to specific tenant too, but I suppose there is a good reason for this, it isn't?<br>
<br>
Bye</font><br>
</span></font>_______________________________________________ Mailing list: <a href="https://launchpad.net/~openstack">
https://launchpad.net/~openstack</a> Post to : <a href="mailto:openstack@lists.launchpad.net">
openstack@lists.launchpad.net</a> Unsubscribe : <a href="https://launchpad.net/~openstack">
https://launchpad.net/~openstack</a> More help : <a href="https://help.launchpad.net/ListHelp">
https://help.launchpad.net/ListHelp</a> </span>
<font face="monospace">This email may include confidential information. If you received it in error, please delete it.</font></body>
</html>