[Openstack] Keystone "Why does it? What does?" questions

Jesse Andrews anotherjesse at gmail.com
Tue Oct 25 19:54:26 UTC 2011


I'm not an expert ... adding some comments

On Tue, Oct 25, 2011 at 12:05 PM, Joseph Heck <heckj at me.com> wrote:
> I've just dropped in place a bunch of developer documentation (RST) for
> Keystone - one in, one pending (https://review.openstack.org/#change,1089).
> Making these docs brought up a number of questions that I wasn't able to
> answer. I want to put more context around the commands and concepts for the
> reader prior to updating the docbook documentation. Joe Savak suggested on
> IRC that I just drop them out here to the list, so here goes:
> If any of these are "just bugs", let me know and I'll file them.
>
> Q: Why is an administrative service token bound to a tenant?
> Right now, keystone-manage to create an administrative service token, the
> token which in turn is configured into nova, swift, glance, and dashboard,
> requires a tenant - but as I understand tenant that doesn't make sense - as
> the various services all serve more than one tenant.

we create a tenant for services and then create the long lived validation for

> Q: How do you remove a service?

You can invalidate the token - which means the service can no longer
validate user tokens
You can remove the service from the catalog

> Q: How do you remove an EndpointTemplate?

not sure through the api, but can you via keystone-manage?  If not you
can remove via the database.

> Q: What's the purpose of a "role" prior to RBAC
> Is it really just relevant for the Keystone administrative API, but more
> coming online later with the RBAC work? Does any role based link between a
> user and a tenant allow that user to get a scoped token for that tenant?

Currently as specified a token validation can return roles, which then
can allow services to implement RBAC.  The session on "can haz" was
talking about how nova can do that without any changes in keystone.

> Q: How do you remove a role?

Not sure how to - I think this should be another extension since in an
enterprise deployment the roles would be set by mapping LDAP/AD groups
into roles

> Q: What's the keystone-manage command for "credential add" do? There's also
> no corresponding delete or disable - is this password update for the
> passwords that are set on "keystone-manage user add"? If not, how are those
> passwords updated?
> Q: What are "type" and "key" as related to "credential add" command, and
> what are they intended to do?
> Q: Why isn't there a "user delete" and a "tenant delete"? Is this a "just
> haven't gotten to it yet" bug?

Those should probably be in the user/tenant extension.  Not sure if
they are there or not.

> -joe
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>

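The point above that a token validation can return roles which the service itself then uses for RBAC, together with the scoped-token question (does a role link between a user and a tenant let that user act on that tenant), as an added example. This is not Keystone code and nothing from the thread; it is a stand-alone sketch of the checks a service would make on a validation response. The JSON shape (access.token.tenant, access.user.roles[].name) is an assumption modelled on the Keystone v2 validation format and should be checked against the deployed Keystone before being relied on; the sample response is constructed.

```python
"""Role-based authorization from a Keystone-style token validation response.

Added example, not code from Keystone or from the mailing-list thread. The
response shape below (access.token.tenant, access.user.roles[].name) is an
assumption modelled on the Keystone v2 validation format; verify the field
names against your Keystone version before relying on them.
"""
import json

# Constructed sample: what a service might get back from Keystone when it
# validates a user's scoped token with its own administrative service token.
SAMPLE_VALIDATION = json.dumps({
    "access": {
        "token": {
            "id": "0123456789abcdef",
            "expires": "2011-10-26T19:54:26Z",
            "tenant": {"id": "tenant-a", "name": "projectA"},
        },
        "user": {
            "id": "user-1",
            "name": "alice",
            "roles": [{"name": "Member"}, {"name": "netadmin"}],
        },
    }
})


def parse_validation(body):
    """Return (tenant_id, set_of_role_names) from a validation response.

    Raises ValueError on a malformed body or an unscoped token (no tenant),
    so a missing field fails closed instead of granting access.
    """
    try:
        access = json.loads(body)["access"]
        tenant = access["token"]["tenant"]["id"]
        roles = {r["name"] for r in access["user"].get("roles", [])}
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("unusable validation response: {}".format(exc))
    if not tenant:
        raise ValueError("token is not scoped to a tenant")
    return tenant, roles


def authorize(body, requested_tenant, required_roles):
    """Decide whether the caller may act on requested_tenant.

    Two checks, both performed by the service rather than by Keystone:
      1. the token is scoped to the tenant the request names; a token for
         tenant A must not be honoured for tenant B's resources;
      2. the user holds at least one of required_roles.
    Returns True only when both hold; any parse failure denies.
    """
    try:
        tenant, roles = parse_validation(body)
    except ValueError:
        return False
    if tenant != requested_tenant:
        return False
    return bool(roles & set(required_roles))


if __name__ == "__main__":
    print(authorize(SAMPLE_VALIDATION, "tenant-a", ["netadmin"]))
    print(authorize(SAMPLE_VALIDATION, "tenant-b", ["netadmin"]))
```

The tenant comparison is the part easiest to forget: a role name alone says nothing about which tenant it was granted in, so the service must tie the request's tenant to the tenant the token was scoped to before consulting the roles at all.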