<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19400"></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT color=#0000ff size=2>Hi Dolph</FONT></DIV>
<DIV><FONT color=#0000ff size=2></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2>Thanks a lot for the
reply.<BR>I <SPAN class=976444903-26022013>could </SPAN>understand very
well.</FONT></DIV>
<DIV><FONT color=#0000ff size=2></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2>Regards,<BR>Leo
Toyoda</FONT></DIV>
<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #0000ff 2px solid; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV dir=ltr lang=ja class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> Dolph Mathews
[mailto:dolph.mathews@gmail.com] <BR><B>Sent:</B> Tuesday, February 26, 2013
7:11 AM<BR><B>To:</B> Leo Toyoda<BR><B>Cc:</B> Adam Young;
openstack<BR><B>Subject:</B> Re: [Openstack] [Keystone]Question: Assignment of
default role<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr>Yes, those are the two use cases we're supporting, although I'd
encourage Case 2, as it's generally much more intuitive.<BR>
<DIV class=gmail_extra>
<DIV>
<DIV><BR></DIV>-Dolph</DIV><BR><BR>
<DIV class=gmail_quote>On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda <SPAN
dir=ltr><<A href="mailto:toyoda-reo@cnt.mxw.nes.nec.co.jp"
target=_blank>toyoda-reo@cnt.mxw.nes.nec.co.jp</A>></SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>Hi Adam<BR><BR>Thanks a lot for your answer.<BR><BR>My
understanding is as follows. Would that be OK with you?<BR>Case 1: Create a user
*with* specifying the tenant.<BR> * Default role is
assigned.<BR> * I need to assign the required roles in
"keystone user-role-add".<BR> * The user has two
roles.<BR><BR>Case 2: Create a user *without* specifying the
tenant.<BR> * I need to assign the required roles and the
tenant in "keystone user-role-add".<BR> * The user has one
role.<BR><BR>Thanks,<BR>Leo Toyoda<BR>
<DIV class=HOEnZb>
<DIV class=h5><BR><BR>> -----Original Message-----<BR>> From:
openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net<BR>>
[mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net]
On Behalf Of Adam Young<BR>> Sent: Saturday, February 23, 2013 5:31
AM<BR>> To: <A
href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</A><BR>>
Subject: Re: [Openstack] [Keystone]Question: Assignment of default
role<BR>><BR>> Yes, this is new. We are removing the direct
association<BR>> between users and projects (Project members) and
replacing it<BR>> with a Role (_member_)<BR>><BR>> The _ is there
to ensure it does not conflict with existing roles.<BR>><BR>> The two
different ways of associating users to projects were<BR>> causing
problems. With RBAC, we can now enforce policy about<BR>> project
membership that we could not do
before.<BR>><BR>> On 02/21/2013 09:39
PM, Leo Toyoda wrote:<BR>> > Hi, everyone<BR>> ><BR>> >
I'm using the master branch devstack.<BR>> > I have a question about
assignment of default role (Keystone).<BR>> ><BR>> > When I
create a user to specify the tenant, '_member_' is<BR>> assigned to the
roles.<BR>> > $ keystone user-create --name test --tenant-id e61..7f6
--pass test<BR>> > --email <A
href="mailto:test@example.com">test@example.com</A><BR>> >
+----------+-------------------+<BR>> > | Property |
Value |<BR>> >
+----------+-------------------+<BR>> > | email | <A
href="mailto:test5@example.com">test5@example.com</A> |<BR>> > |
enabled | True
|<BR>> > | id | af1..8d2
|<BR>> > | name |
test |<BR>> > | tenantId |
e61..7f6 |<BR>> >
+----------+-------------------+<BR>> > $ keystone user-role-list
--user test --tenant e61..7f6<BR>> >
+----------+----------+----------+-----------+<BR>> > |
id | name | user_id | tenant_id
|<BR>> > +----------+----------+----------+-----------+<BR>> > |
9fe..bab | _member_ | af1..8d2 | e61..7f6 |<BR>> >
+----------+----------+----------+-----------+<BR>> ><BR>> >
Then, assign the "Member" role to the user.<BR>> > Two roles,
'Member' and '_member_', end up assigned.<BR>> > $ keystone user-role-add
--user af1..8d2 --role 57d..d1f --tenant e61..7f6<BR>> > $ keystone
user-role-list --user af1..8d2 --tenant e61..7f6<BR>> >
+----------+----------+----------+-----------+<BR>> > |
id | name | user_id | tenant_id
|<BR>> > +----------+----------+----------+-----------+<BR>> > |
57d..d1f | Member | af1..8d2 | e61..7f6 |<BR>> > |
9fe..bab | _member_ | af1..8d2 | e61..7f6 |<BR>> >
+----------+----------+----------+-----------+<BR>>
><BR>> > When I create a user without specifying a tenant, I
assign<BR>> the 'Member' role.<BR>> > In this case, only one role is
assigned.<BR>> > $ keystone user-create --name test2 --pass test
--email<BR>> > <A
href="mailto:test2@example.com">test2@example.com</A><BR>> >
+----------+-------------------+<BR>> > | Property |
Value |<BR>> >
+----------+-------------------+<BR>> > | email | <A
href="mailto:test2@example.com">test2@example.com</A> |<BR>> > |
enabled | True
|<BR>> > | id | c22..a6d
|<BR>> > | name |
test2 |<BR>> > | tenantId |
|<BR>> >
+----------+-------------------+<BR>> > $ keystone user-role-add
--user c22..a6d --role 57d..d1f --tenant e61..7f6<BR>> > $
keystone user-role-list --user c22..a6d --tenant e61..7f6<BR>> >
+----------+----------+----------+-----------+<BR>> > |
id | name | user_id | tenant_id
|<BR>> > +----------+----------+----------+-----------+<BR>> > |
57d..d1f | Member | c22..a6d | e61..7f6 |<BR>> >
+----------+----------+----------+-----------+<BR>> ><BR>> > Is
it expected behavior that two roles are assigned?<BR>> ><BR>> >
Thanks<BR>> > Leo Toyoda<BR>> ><BR>> ><BR>> >
_______________________________________________<BR>> > Mailing list:
<A href="https://launchpad.net/~openstack"
target=_blank>https://launchpad.net/~openstack</A><BR>> > Post to
: <A
href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</A><BR>>
> Unsubscribe : <A href="https://launchpad.net/~openstack"
target=_blank>https://launchpad.net/~openstack</A><BR>> > More help
: <A href="https://help.launchpad.net/ListHelp"
target=_blank>https://help.launchpad.net/ListHelp</A><BR>
</DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></BODY></HTML>