[Openstack-zh] 关于让user 加入project的API

xiangsun4 at iflytek.com xiangsun4 at iflytek.com
Sat Sep 30 03:40:51 UTC 2017 

您好:
        我最近在做Keystone的相关调研,有一个地方不太明白,想请教您。我想要让一个user 加入到 project中,但是在官网没有找到相关API,是我对这两个名称理解有误吗?后来,我找到这个API :Assign role to user on project. 这个API有将user加入到project的作用吗?  我尝试使用了上面这个API ,并使用下面这个API:List projects for user 去检查是否把用户加入了Project。

过程中使用的TOKEN 是这么获取的:
curl -i -X POST\
      -H "Content-Type: application/json" \
      -d '
        { "auth": {
            "identity": {
              "methods": ["password"],
              "password": {
                "user": {
                  "name": "admin",
                  "domain": { "id": "default" },
                  "password": "0407"
                }
              }
            },
             "scope": {
                    "project": {
                        "domain": {
                            "name": "Default"
                        },
                        "name": "admin"
                    }
                }
          }
        }' \
      "http://localhost:5000/v3/auth/tokens" ;

这个是用户:
    {
            "user": {
                "name": "xiangsun4",
                "links": {
                    "self": "http://localhost:5000/v3/users/95df8c5d80ff4f43bd239500048973b3"
                },
                "domain_id": "default",
                "enabled": true,
                "options": {},
                "default_project_id": "a44c2e1e6eb247e086e62d81a0573c7b",
                "id": "95df8c5d80ff4f43bd239500048973b3",
                "password_expires_at": null
            }
        }

这个是project:
{
            "project": {
                "is_domain": false,
                "description": "My first project",
                "links": {
                    "self": "http://localhost:5000/v3/projects/dae552c5d08f4657a2af34bcb39bafd3"
                },
                "enabled": true,
                "id": "dae552c5d08f4657a2af34bcb39bafd3",
                "parent_id": "default",
                "domain_id": "default",
                "name": "project4"
            }
        }


**这个是role,role中定义了domain_id
        {
            "role": {
                "domain_id": "default",
                "id": "aa07402e8bc041e89db3fc4c0fbe98a0",
                "links": {
                    "self": "http://localhost:5000/v3/roles/aa07402e8bc041e89db3fc4c0fbe98a0"
                },
                "name": "noDomainRole2"
            }
        }

然后我调用了下面的 API尝试把三者捆绑。 
 curl -i -X  PUT \
        -H "X-Auth-Token: $OS_TOKEN" \
        "http://localhost:5000/v3/projects/dae552c5d08f4657a2af34bcb39bafd3/users/95df8c5d80ff4f43bd239500048973b3/roles/aa07402e8bc041e89db3fc4c0fbe98a0"

接着我调用了下面的API, 查看这个user是否有project:
curl -i -X GET -H "X-Auth-Token: $OS_TOKEN" "http://localhost:5000/v3/users/95df8c5d80ff4f43bd239500048973b3/projects"

返回的结果是:
{"links": {"self": "http://localhost:5000/v3/users/95df8c5d80ff4f43bd239500048973b3/projects", "previous": null, "next": null}, "projects": []}

由返回看出projects 是空数组。


但我使用了另外一个role, 这个role和上面role的区别就在于  没有domain_id:
{
            "role": {
                "domain_id": null,
                "id": "1cf7d2e43c814dc8bd7d66e380f6b339",
                "links": {
                    "self": "http://localhost:5000/v3/roles/1cf7d2e43c814dc8bd7d66e380f6b339"
                },
                "name": "noDomainRole1"
            }
        }

然后再捆绑同一个project-user,再用同样的方式检查, 他的project数组是有值的

这个是为什么呢??


我进一步测试我修改了第一个role数据库中的domain_id,由default修改成了<<null>>,再调用相同的方式检查,他返回的project数组有值,我再由<<null>>修改成了default,返回的project数组又是空的。 
这又是为什么呢?捆绑三者的域都是default,为什么会和default_id有关呢?

麻烦您了,请您帮我解答一下,万分感谢!!!



孙翔

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-zh/attachments/20170930/c053165b/attachment-0001.html>

More information about the Openstack-zh mailing list