[Openstack] _member_ role after keystone installation

Steve Gordon sgordon at redhat.com
Sat Jun 14 19:22:51 UTC 2014 

----- Original Message -----
> From: "Mike Spreitzer" <mspreitz at us.ibm.com>
> To: "Steve Gordon" <sgordon at redhat.com>
> 
> Steve Gordon <sgordon at redhat.com> wrote on 06/14/2014 12:43:48 PM:
> ...
> > Yes, it's supposed to be created by the db creation/migration
> > scripts if it's not there (since Grizzly if I recall correctly).
> 
> But there is also the role spelled "Member".  Why both?
> 
> Thanks,
> Mike

When Keystone started creating a "_member_" role automatically in Grizzly there was a lag period before other projects, particularly Horizon which defaulted to "Member" at the time, started using the new role. As a result the installation guide, and even most automated deployment tools, which previously had to create the role as part of installation still created a "Member" role because that was what Horizon expected and there wasn't any obvious indication (although there was a release note for keystone [1]) this was wrong or no longer required. The Horizon default was eventually updated to match in this commit to horizon (included in Icehouse and backported to Havana):

commit 0aacc44f324c3db049f912da1f84d93c1142cb37
Author: JiaHao Li <kaho_lai at hotmail.com>
Date:   Thu Dec 26 15:37:14 2013 +0800

    Sync OPENSTACK_KEYSTONE_DEFAULT_ROLE with keystone
    
    For now, keystone default role is _member_, while horizon set
    OPENSTACK_KEYSTONE_DEFAULT_ROLE to Member. It will really be user
    friendly to modify horizon default value to _member_ to sync with
    keystone's default setting.
    
    Change-Id: I55d15e6cfb74e52e933c5a44efd6c27930415738
    Closes-Bug: #1264228

The end result is many older environments still have both roles unless action is taken to manually remove the "Member" one and update the Horizon default to the new value, and I should note it probably wouldn't even be that surprising if there are still some deployment tools creating *new* environments and using a "Member" role - setting horizon to match - in this fashion instead of the "_member_" built-in.

Thanks,

Steve

[1] https://wiki.openstack.org/wiki/ReleaseNotes/Grizzly#Upgrade_Notes_5

More information about the Openstack mailing list