[Openstack] [Keystone]Question: Assignment of default role

Adam Young ayoung at redhat.com
Fri Feb 22 20:31:07 UTC 2013


Yes, this is new.  We are removing the direct association between users 
and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects were causing 
problems.  With RBAC, we can now enforce policy about project membership 
that we could not do before.





On 02/21/2013 09:39 PM, Leo Toyoda wrote:
> Hi, everyone
>
> I'm using the master branch devstack.
> I have a question about assignment of default role (Keystone).
>
> When I create a user to specify the tenant, '_member_' is assigned to the roles.
> $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email test at example.com
> +----------+-------------------+
> | Property |      Value        |
> +----------+-------------------+
> |  email   | test5 at example.com |
> | enabled  |       True        |
> |    id    |     af1..8d2      |
> |   name   |       test        |
> | tenantId |     e61..7f6      |
> +----------+-------------------+
> $ keystone user-role-list --user test --tenant e61..7f6
> +----------+----------+----------+-----------+
> |    id    |   name   | user_id  | tenant_id |
> +----------+----------+----------+-----------+
> | 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
> +----------+----------+----------+-----------+
>
> Then, assign the "Member" role to the user.
> Hitting assigned two roles of 'Member' and '_member_'.
> $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
> $ keystone user-role-list --user af1..8d2 --tenant e61..7f6
> +----------+----------+----------+-----------+
> |    id    |   name   | user_id  | tenant_id |
> +----------+----------+----------+-----------+
> | 57d..d1f |  Member  | af1..8d2 | e61..7f6  |
> | 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
> +----------+----------+----------+-----------+
>
> When I create a user without specifying a tenant, I assign 'Member' role.
> In this case, Only one role is assigned.
> $ keystone user-create --name test2 --pass test --email test2 at example.com
> +----------+-------------------+
> | Property |      Value        |
> +----------+-------------------+
> |  email   | test2 at example.com |
> | enabled  |      True         |
> |    id    |    c22..a6d       |
> |   name   |      test2        |
> | tenantId |                   |
> +----------+-------------------+
> $ keystone user-role-add --user c22..a6d --role 57d..d1f  --tenant e61..7f6
> $ keystone user-role-list --user c22..a6d --tenant e61..7f6
> +----------+----------+----------+-----------+
> |    id    |   name   | user_id  | tenant_id |
> +----------+----------+----------+-----------+
> | 57d..d1f |  Member  | c22..a6d | e61..7f6  |
> +----------+----------+----------+-----------+
>
> Is it expected behavior that two roles are assigned?
>
> Thanks
> Leo Toyoda




