[Openstack] keystone-admin-role question

Ziad Sawalha ziad.sawalha at rackspace.com
Tue Aug 23 14:28:41 UTC 2011


Hi Rafael -

These are special roles that allow you to administer Keystone itself or act as a service (register yourself, your endpoints, and your roles). Those operations are global and make no sense at the tenant level (at least I haven't seen a valid use case for them at the tenant level).

As for being able to administer a tenant (e.g., having an Admin role on a tenant so you can, for example, grant users access to that tenant), that’s a valid future use case that isn't being addressed right now. We're leaving that use case to be addressed through extensions (and are proposing some in the Diablo timeframe).

Z


From: Rafael Durán Castañeda <rafadurancastaneda at gmail.com>
Date: Tue, 23 Aug 2011 16:20:31 +0200
To: <openstack at lists.launchpad.net>
Subject: [Openstack] keystone-admin-role question

Hi,

Looking at code from Keystone, I found something that doesn't make sense to me. Looking at the __validate_service_or_keystone_admin_token <https://github.com/openstack/keystone/blob/master/keystone/logic/service.py#L510> method, Keystone-admin-role is valid only if it isn't associated with any tenant (role_ref.tenant_id is None), so a user has the Admin role for all tenants or none. Is this the expected behavior? Is it possible to grant the Admin role for a specific tenant in any way? I think it would be more flexible to be able to grant a role to a specific tenant too, but I suppose there is a good reason for this, isn't there?

Bye