What is “role”? It is little bit confusing because it has name “admin”.
Which roles we can use except admin? What permissions they can give to the
role is an identical mark of the user. It can associate with
projects(tenants) with different roles. As for the permission of different
user-role-tenant mapping in each service, it’s been defined in the
authorization middleware in the OpenStack services’s pipeline.
Basically, the role means nothing until you define it in the authorization
middleware (Keystone Auth in case of Keystone) . And the authorization
middleware of OpenStack components are almost independent for each service.
[image: 內置圖片 1]
Since you are asking about the Swift & Keystone integration. Here’s how
User get token and Swift storage endpoint from Keystone. Then uses the
token to access it’s associated account in Swift. The mapping of Swift
account and Keystone is . Like AUTH_b1234567890 . The request routes to
keystone middleware for validating the existence of the incoming token from
Keystone server. If exist, pull the full info of this token. The info
includes user-role-tenant mapping. After that, the Swift auth middleware
determine what kind of permission to the requested resource the token has.
In Keystone, you can specify two type of roles only. The operator or
reseller*admin. If the user has a operator role of a project, the user can
do anything to the relevant Swift Account. As for the reseller_admin, the
user can access any account that prefix with `KEY*` in swift cluster.
For your scenario
reader - can read from the next containers: “video”, “audio”, “subtitles”,
The user should not have any role in operator or reseller list. This
requires additional logic to do containers/account ACL for keystone users
media_manager - can do anything in the next containers: “video”, “audio”,
The user must have operator role.
crypt_manager - can not do anything in Swift but can get tokens directly
from keystone (it is for other usage).
no any available roles reflect to operator/reseller_admin in the keystone
But what this role mean? How to set some permissions on this role (i.e. if
I want to set readonly permission for all in swift but write only for some
What we should specify in a region-id?
Which Keystone version are you using ? If the region ID is available in
your version, you can query it from API or DB. If you are not going to have
multiple regions, you can try to ignore it by using the default one.
What we should specify in admin,public,internal url? What they mean?
You can configure 3 set of service endpoints for a single keystone
endpoint. They are admin/public/internal. All three will be returned to
client and client can pickup the one it want to access to. This concept is
design for users from different scope. Internal might be the IP in the DMZ.
Public would be the normal one for the network where end-user can hit your
service. You can defined admin for other network segment or FQDN. It’s
Most of client tools grab the public one as I know.
Regards // Hugo
2016-09-22 18:28 GMT+08:00 Alexandr Porunov <alexandr.poru...@gmail.com>:
> I have installed Swift and Keystone. Now I want to create several users
> with different permissions:
> reader - can read from the next containers: "video", "audio", "subtitles",
> media_manager - can do anything in the next containers: "video", "audio",
> "subtitles", "photos"
> crypt_manager - can not do anything in Swift but can get tokens directly
> from keystone (it is for other usage).
> There are a lot of things in keystone (user, role, project, service,
> endpoint, region-id, admin-url, public-url, internal-url) and it is little
> bit confusing. Can somebody explain me how to configure such users with
> those roles?
> I haven't bootstrap the keystone, so I haven't the admin role yet. I am
> worried about security with an administrator user. Do we need to define it?
> I have read examples which says that firstly you have to bootstrap your
> keystone and it will create the admin user with the admin role:
> keystone-manage bootstrap --bootstrap-password s3cr3t
> Also the full command for define all things is:
> keystone-manage bootstrap \
> --bootstrap-password s3cr3t \
> --bootstrap-username admin \
> --bootstrap-project-name admin \
> --bootstrap-role-name admin \
> --bootstrap-service-name keystone \
> --bootstrap-region-id RegionOne \
> --bootstrap-admin-url http://localhost:35357 \
> --bootstrap-public-url http://localhost:5000 \
> --bootstrap-internal-url http://localhost:5000
> What is "role"? It is little bit confusing because it has name "admin".
> Which roles we can use except admin? What permissions they can give to the
> Also we can create additional roles:
> keystone role-create --name my_new_role
> But what this role mean? How to set some permissions on this role (i.e. if
> I want to set readonly permission for all in swift but write only for some
> What we should specify in a region-id?
> What we should specify in admin,public,internal url? What they mean?
> Sorry for a lot of questions
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/
> Post to : firstname.lastname@example.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : email@example.com
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack