[openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
Rich Megginson
rmeggins at redhat.com
Thu Jun 18 13:25:43 UTC 2015
On 06/18/2015 06:43 AM, Raildo Mascena wrote:
> Hi Rick,
>
> In Keystone, Domains are the container of users, so a user belongs to
> a domain and you can grant role assignments for projects.
>
> With this call that you made, you will set the project default to this
> user, after that you need to grant a role for this user in this project.
>
> So, you can do:* openstack role add --user USER_NAME --project
> TENANT_ID ROLE_NAME*
> *
> *
> and after that, you can verify if the assignment works
> doing:* openstack role list --user USER_NAME --projec TENANT_ID*
> *
> *
> You can find more information about this
> here:**http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html or
> find us on #openstack-keystone
Yes, I realize that.
My issue was that in going from Keystone v2.0 to v3, openstack user
create --project $project changed behavior - in v2.0, openstack user
create --project $project adds the user as a member of the $project. I
wanted to know if this was 1) intentional behavior in v2.0 2)
intentionally removed in v3. I'm trying to make puppet-keystone work
with v3, while at the same time making sure all of the existing puppet
manifests work exactly as before. Since this has changed, I had to work
around it, by making the puppet-keystone user create function also add
the user to the project.
https://review.openstack.org/#/c/174976/24/lib/puppet/provider/keystone_user/openstack.rb
>
> Cheers,
>
> Raildo Mascena
>
>
> On Tue, Jun 16, 2015 at 1:52 PM Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> Using admin token credentials with the Keystone v2.0 API and the
> openstackclient, doing this:
>
> # openstack project create bar --enable
> # openstack user create foo --project bar --enable ...
>
> The user will be added to the project.
>
> Using admin token credentials with the Keystone v3 API and the
> openstackclient, using the v3 policy file with is_admin:1 added just
> about everywhere, doing this:
>
> # openstack project create bar --domain Default --enable
> # openstack user create foo --domain Default --enable --project
> $project_id_of_bar ...
>
> The user will NOT be added to the project.
>
> Is this intentional? Am I missing some sort of policy to allow user
> create to add the user to the given project?
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150618/b56fb72e/attachment.html>
More information about the OpenStack-dev
mailing list