On 06/18/2015 06:43 AM, Raildo Mascena wrote:
Hi Rick,
In Keystone, Domains are the container of users, so a user belongs to
a domain and you can grant role assignments for projects.
With this call that you made, you will set the project default to this
user, after that you need to grant a role for this user in this project.
So, you can do:* openstack role add --user USER_NAME --project
TENANT_ID ROLE_NAME*
*
*
and after that, you can verify if the assignment works
doing:* openstack role list --user USER_NAME --projec TENANT_ID*
*
*
You can find more information about this
here:**http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html or
find us on #openstack-keystone
Yes, I realize that.
My issue was that in going from Keystone v2.0 to v3, openstack user
create --project $project changed behavior - in v2.0, openstack user
create --project $project adds the user as a member of the $project. I
wanted to know if this was 1) intentional behavior in v2.0 2)
intentionally removed in v3. I'm trying to make puppet-keystone work
with v3, while at the same time making sure all of the existing puppet
manifests work exactly as before. Since this has changed, I had to work
around it, by making the puppet-keystone user create function also add
the user to the project.
https://review.openstack.org/#/c/174976/24/lib/puppet/provider/keystone_user/openstack.rb
Cheers,
Raildo Mascena
On Tue, Jun 16, 2015 at 1:52 PM Rich Megginson <[email protected]
<mailto:[email protected]>> wrote:
Using admin token credentials with the Keystone v2.0 API and the
openstackclient, doing this:
# openstack project create bar --enable
# openstack user create foo --project bar --enable ...
The user will be added to the project.
Using admin token credentials with the Keystone v3 API and the
openstackclient, using the v3 policy file with is_admin:1 added just
about everywhere, doing this:
# openstack project create bar --domain Default --enable
# openstack user create foo --domain Default --enable --project
$project_id_of_bar ...
The user will NOT be added to the project.
Is this intentional? Am I missing some sort of policy to allow user
create to add the user to the given project?
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
[email protected]?subject:unsubscribe
<http://[email protected]?subject:unsubscribe>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
