Re: [Openstack] [Keystone]Question: Assignment of default role
Hi Adam

Thanks a lot for your answer.
My understanding is as follows. Would that be OK with you?

Case1: Create a user *with* specifying the tenant.
* Default role is assigned.
* I need to assign the required roles in keystone user-role-add.
* The user has two roles.

Case2: Create a user *without* specifying the tenant.
* I need to assign the required roles and the tenant in keystone user-role-add.
* The user has one role.

Thanks,
Leo Toyoda

-----Original Message-----
From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
Sent: Saturday, February 23, 2013 5:31 AM
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] [Keystone]Question: Assignment of default role

Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects were causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.

On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user and specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+

$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, I assign the Member role to the user. As a result, two roles are assigned: 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role. In this case, only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+

$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone]Question: Assignment of default role
Hi Dolph

Thanks a lot for the reply.
I could understand very well.

Regards,
Leo Toyoda

________________________________
From: Dolph Mathews [mailto:dolph.math...@gmail.com]
Sent: Tuesday, February 26, 2013 7:11 AM
To: Leo Toyoda
Cc: Adam Young; openstack
Subject: Re: [Openstack] [Keystone]Question: Assignment of default role

Yes, those are the two use cases we're supporting, although I'd encourage Case 2, as it's generally much more intuitive.

-Dolph

On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda toyoda-...@cnt.mxw.nes.nec.co.jp wrote:

Hi Adam

Thanks a lot for your answer.
My understanding is as follows. Would that be OK with you?

Case1: Create a user *with* specifying the tenant.
* Default role is assigned.
* I need to assign the required roles in keystone user-role-add.
* The user has two roles.

Case2: Create a user *without* specifying the tenant.
* I need to assign the required roles and the tenant in keystone user-role-add.
* The user has one role.

Thanks,
Leo Toyoda

-----Original Message-----
From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
Sent: Saturday, February 23, 2013 5:31 AM
To: openstack@lists.launchpad.net
Subject: Re: [Openstack] [Keystone]Question: Assignment of default role

Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects were causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.

On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user and specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+

$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, I assign the Member role to the user. As a result, two roles are assigned: 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role. In this case, only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+

$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda
Re: [Openstack] [Keystone]Question: Assignment of default role
Yes, this is new. We are removing the direct association between users and projects (Project members) and replacing it with a Role (_member_).

The _ is there to ensure it does not conflict with existing roles.

The two different ways of associating users to projects were causing problems. With RBAC, we can now enforce policy about project membership that we could not do before.

On 02/21/2013 09:39 PM, Leo Toyoda wrote:

Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user and specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+

$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, I assign the Member role to the user. As a result, two roles are assigned: 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role. In this case, only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+

$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda
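
When reviewing what a user is actually granted on a tenant, it helps to separate the implicit _member_ grant described in this reply from roles added with keystone user-role-add. The following is an added example, not code from the thread or from Keystone: it parses user-role-list tables in the layout shown in this thread and groups roles per user and tenant. The function names are hypothetical, and the sample input is constructed from the thread's own elided IDs.

```python
from collections import defaultdict

DEFAULT_ROLE = "_member_"  # implicit membership role named in the thread

# Constructed sample: the two final listings from the thread, rebuilt with
# its elided IDs (Case 1 = user af1..8d2, Case 2 = user c22..a6d).
SAMPLE = """\
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+
"""

def parse_role_table(text):
    """Parse one or more ASCII role tables into a list of row dicts."""
    rows, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, shell prompts and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[:2] == ["id", "name"]:
            header = cells  # every table repeats its header row
        elif header and len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def summarize(rows, default_role=DEFAULT_ROLE):
    """Per (user, tenant): explicit roles, and whether the implicit one is held."""
    grants = defaultdict(set)
    for r in rows:
        grants[(r["user_id"], r["tenant_id"])].add(r["name"])
    return {
        key: {"explicit": sorted(names - {default_role}),
              "implicit_member": default_role in names}
        for key, names in grants.items()
    }

if __name__ == "__main__":
    for key, info in summarize(parse_role_table(SAMPLE)).items():
        print(key, info)
```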
[Openstack] [Keystone]Question: Assignment of default role
Hi, everyone

I'm using the master branch devstack.
I have a question about assignment of default role (Keystone).

When I create a user and specify the tenant, '_member_' is assigned to the roles.

$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | af1..8d2          |
| name     | test              |
| tenantId | e61..7f6          |
+----------+-------------------+

$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

Then, I assign the Member role to the user. As a result, two roles are assigned: 'Member' and '_member_'.

$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | af1..8d2 | e61..7f6  |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6  |
+----------+----------+----------+-----------+

When I create a user without specifying a tenant, I assign 'Member' role. In this case, only one role is assigned.

$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value             |
+----------+-------------------+
| email    | te...@example.com |
| enabled  | True              |
| id       | c22..a6d          |
| name     | test2             |
| tenantId |                   |
+----------+-------------------+

$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id       | name     | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member   | c22..a6d | e61..7f6  |
+----------+----------+----------+-----------+

Is it expected behavior that two roles are assigned?

Thanks
Leo Toyoda