[openstack-dev] [Keystone] [devstack] About _member_ role

Jamie Lennox jamielennox at redhat.com
Tue Feb 17 20:01:22 UTC 2015



----- Original Message -----
> From: "Pasquale Porreca" <pasquale.porreca at dektech.com.au>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
> Sent: Tuesday, 17 February, 2015 9:07:14 PM
> Subject: [openstack-dev]  [Keystone] [devstack] About _member_ role
> 
> I proposed a fix for a bug in devstack
> https://review.openstack.org/#/c/156527/ caused by the fact the role
> _member_ was not anymore created due to a recent change.
> 
> But why is the existence of _member_ role necessary, even if it is not
> necessary to be used? Is this a know/wanted feature or a bug by itself?

So the way to be a 'member' of a project so that you can get a token scoped to that project is to have a role defined on that project. 
The way we would handle that from keystone for default_projects is to create a default role _member_ which had no permissions attached to it, but by assigning it to the user on the project we granted membership of that project.
If the user has any other roles on the project then the _member_ role is essentially ignored. 

In that devstack patch I removed the default project because we want our users to explicitly ask for the project they want to be scoped to.
This patch shouldn't have caused any issues though because in each of those cases the user is immediately granted a different role on the project - therefore having 'membership'. 

Creating the _member_ role manually won't cause any problems, but what issue are you seeing where you need it?


Jamie


> --
> Pasquale Porreca
> 
> DEK Technologies
> Via dei Castelli Romani, 22
> 00040 Pomezia (Roma)
> 
> Mobile +39 3394823805
> Skype paskporr
> 
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 



More information about the OpenStack-dev mailing list