Hi Rafael - These are special roles that allow you to administer Keystone itself or act as a service (register yourself, your endpoints, and your roles). Those operations are global and make no sense at the tenant level (at least I haven't seen a valid use case for them at the tenant level).
As for being able to administer a tenant (example, having an Admin role on a tenant so you can, for example, grant users access to that tenant), that’s a valid future use case that isn't being addressed right now. We're leaving that use case to be addressed through extensions (and are proposing some in the Diablo timeframe).

Z

From: Rafael Durán Castañeda <[email protected]>
Date: Tue, 23 Aug 2011 16:20:31 +0200
To: <[email protected]>
Subject: [Openstack] keystone-admin-role question

Hi,

Looking at code from Keystone I found something that doesn't make sense to me. Looking at the __validate_service_or_keystone_admin_token <https://github.com/openstack/keystone/blob/master/keystone/logic/service.py#L510> method, Keystone-admin-role is valid only if it isn't associated with any tenant (role_ref.tenant_id is None), so a user has the Admin role for all tenants or none. Is this the expected behavior? Is it possible to grant the Admin role for a specific tenant in any way?

I think it would be more flexible to be able to grant the role to a specific tenant too, but I suppose there is a good reason for this, isn't there?

Bye

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

This email may include confidential information. If you received it in error, please delete it.
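
The scoping rule discussed in this thread, as an added example that is not part of either message and is not Keystone's own code: a role grant counts toward the global admin/service check only when its tenant_id is None, so an Admin grant scoped to one tenant never passes it. RoleRef, both function names, the role names and the tenant-level policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical role names; a real deployment takes these from its configuration.
KEYSTONE_ADMIN_ROLE = "Admin"
KEYSTONE_SERVICE_ADMIN_ROLE = "KeystoneServiceAdmin"


@dataclass(frozen=True)
class RoleRef:
    """Simplified stand-in for a role grant; tenant_id None means global."""
    role_id: str
    tenant_id: Optional[str] = None


def is_global_admin_or_service(role_refs: Iterable[RoleRef]) -> bool:
    """Global check as described in the thread: only unscoped grants count."""
    privileged = {KEYSTONE_ADMIN_ROLE, KEYSTONE_SERVICE_ADMIN_ROLE}
    return any(r.role_id in privileged and r.tenant_id is None
               for r in role_refs)


def can_administer_tenant(role_refs: Iterable[RoleRef], tenant_id: str) -> bool:
    """Tenant-level check (the 'future use case' in the reply), as a
    hypothetical policy: a global admin, or Admin scoped to this exact tenant."""
    refs = list(role_refs)
    if is_global_admin_or_service(refs):
        return True
    return any(r.role_id == KEYSTONE_ADMIN_ROLE and r.tenant_id == tenant_id
               for r in refs)


# Constructed sample grants.
GLOBAL_ADMIN = [RoleRef("Admin")]
TENANT_ADMIN = [RoleRef("Admin", tenant_id="tenant-a"),
                RoleRef("Member", tenant_id="tenant-b")]

if __name__ == "__main__":
    for name, refs in (("global admin", GLOBAL_ADMIN),
                       ("tenant-a admin", TENANT_ADMIN)):
        print(name,
              "| global:", is_global_admin_or_service(refs),
              "| tenant-a:", can_administer_tenant(refs, "tenant-a"),
              "| tenant-b:", can_administer_tenant(refs, "tenant-b"))
```

Keeping the two checks separate is what stops a tenant-scoped Admin grant from reaching Keystone-wide operations such as registering services, endpoints and roles.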

