Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
On 18/06/15 17:58, Dolph Mathews wrote: This was entirely intentional, in order to replace the implicit role assignment behavior in v2 with an explicit behavior in v3. I must admit, this is quite irritating, as the command line client still offers the --project ability; dropping this silently leads to somewhat unexpected results. From a user perspective, I would appreciate a warning in such cases; this is a common pattern everywhere else in OpenStack. Matthias __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
On Fri, Jun 19, 2015 at 12:30 AM, Matthias Runge mru...@redhat.com wrote: On 18/06/15 17:58, Dolph Mathews wrote: This was entirely intentional, in order to replace the implicit role assignment behavior in v2 with an explicit behavior in v3. I must admit, this is quite irritating, as the command line client still offers the --project ability; dropping this silently leads to somewhat unexpected results. From a user perspective, I would appreciate a warning in such cases; this is a common pattern everywhere else in OpenStack. A good place to vent your rage: https://launchpad.net/python-openstackclient __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
Terry Howe terrylh...@gmail.com wrote on 06/19/2015 10:22:51 AM: From: Terry Howe terrylh...@gmail.com To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org Date: 06/19/2015 10:25 AM Subject: Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project? On Fri, Jun 19, 2015 at 12:30 AM, Matthias Runge mru...@redhat.com wrote: On 18/06/15 17:58, Dolph Mathews wrote: This was entirely intentional, in order to replace the implicit role assignment behavior in v2 with an explicit behavior in v3. I must admit, this is quite irritating, as the command line client still offers the --project ability; dropping this silently leads to somewhat unexpected results. From a user perspective, I would appreciate a warning in such cases; this is a common pattern everywhere else in OpenStack. A good place to vent your rage: https://launchpad.net/python-openstackclient I don't think OSC is the place to vent, we are simply following the APIs [0] and python clients [1]. It's a valid option for setting a default project. The behavior of the --project parameter changed from v2 to v3. In v2.0 it used to imply a _member_ role in that project. Now, in v3, it sets a default project that the user can leverage at authentication time [2]. [0] http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#create-user [1] https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/users.py#L51 [2] https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L413-L431 Thanks, Steve Martinelli OpenStack Keystone Core __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
Hi Rick, In Keystone, Domains are the container of users, so a user belongs to a domain and you can grant role assignments for projects. With this call that you made, you will set the project default to this user, after that you need to grant a role for this user in this project. So, you can do:* openstack role add --user USER_NAME --project TENANT_ID ROLE_NAME* and after that, you can verify if the assignment works doing:* openstack role list --user USER_NAME --projec TENANT_ID* You can find more information about this here: http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html or find us on #openstack-keystone Cheers, Raildo Mascena On Tue, Jun 16, 2015 at 1:52 PM Rich Megginson rmegg...@redhat.com wrote: Using admin token credentials with the Keystone v2.0 API and the openstackclient, doing this: # openstack project create bar --enable # openstack user create foo --project bar --enable ... The user will be added to the project. Using admin token credentials with the Keystone v3 API and the openstackclient, using the v3 policy file with is_admin:1 added just about everywhere, doing this: # openstack project create bar --domain Default --enable # openstack user create foo --domain Default --enable --project $project_id_of_bar ... The user will NOT be added to the project. Is this intentional? Am I missing some sort of policy to allow user create to add the user to the given project? __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
On 06/18/2015 06:43 AM, Raildo Mascena wrote: Hi Rick, In Keystone, Domains are the container of users, so a user belongs to a domain and you can grant role assignments for projects. With this call that you made, you will set the project default to this user, after that you need to grant a role for this user in this project. So, you can do:* openstack role add --user USER_NAME --project TENANT_ID ROLE_NAME* * * and after that, you can verify if the assignment works doing:* openstack role list --user USER_NAME --projec TENANT_ID* * * You can find more information about this here:**http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html or find us on #openstack-keystone Yes, I realize that. My issue was that in going from Keystone v2.0 to v3, openstack user create --project $project changed behavior - in v2.0, openstack user create --project $project adds the user as a member of the $project. I wanted to know if this was 1) intentional behavior in v2.0 2) intentionally removed in v3. I'm trying to make puppet-keystone work with v3, while at the same time making sure all of the existing puppet manifests work exactly as before. Since this has changed, I had to work around it, by making the puppet-keystone user create function also add the user to the project. https://review.openstack.org/#/c/174976/24/lib/puppet/provider/keystone_user/openstack.rb Cheers, Raildo Mascena On Tue, Jun 16, 2015 at 1:52 PM Rich Megginson rmegg...@redhat.com mailto:rmegg...@redhat.com wrote: Using admin token credentials with the Keystone v2.0 API and the openstackclient, doing this: # openstack project create bar --enable # openstack user create foo --project bar --enable ... The user will be added to the project. Using admin token credentials with the Keystone v3 API and the openstackclient, using the v3 policy file with is_admin:1 added just about everywhere, doing this: # openstack project create bar --domain Default --enable # openstack user create foo --domain Default --enable --project $project_id_of_bar ... The user will NOT be added to the project. Is this intentional? Am I missing some sort of policy to allow user create to add the user to the given project? __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
This was entirely intentional, in order to replace the implicit role assignment behavior in v2 with an explicit behavior in v3. The default_project_id attribute (***emphasis*** mine): References the user's default project against which to authorize, if the API user does not explicitly specify one when creating a token. ***Setting this attribute does not grant any actual authorization on the project,*** and is merely provided for the user's convenience. Therefore, the referenced project does not need to exist within the user's domain. New in version 3.1 If the user does not have authorization to their default project, the default project will be ignored at token creation. Source: https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#users-v3users In fact, since Grizzly, Keystone has *explicitly* assigned a role (_member_ by default) to users behind the scenes when you try to *implicitly* give them authorization using the v2 user.tenant_id attribute. Prior to the new, more explicit behaviors, default tenancy could not be consumed by RBAC policy engines, because there was nothing explicit about the relationship. On Thu, Jun 18, 2015 at 8:25 AM, Rich Megginson rmegg...@redhat.com wrote: On 06/18/2015 06:43 AM, Raildo Mascena wrote: Hi Rick, In Keystone, Domains are the container of users, so a user belongs to a domain and you can grant role assignments for projects. With this call that you made, you will set the project default to this user, after that you need to grant a role for this user in this project. So, you can do:* openstack role add --user USER_NAME --project TENANT_ID ROLE_NAME* and after that, you can verify if the assignment works doing:* openstack role list --user USER_NAME --projec TENANT_ID* You can find more information about this here: http://docs.openstack.org/user-guide-admin/manage_projects_users_and_roles.html or find us on #openstack-keystone Yes, I realize that. My issue was that in going from Keystone v2.0 to v3, openstack user create --project $project changed behavior - in v2.0, openstack user create --project $project adds the user as a member of the $project. I wanted to know if this was 1) intentional behavior in v2.0 2) intentionally removed in v3. I'm trying to make puppet-keystone work with v3, while at the same time making sure all of the existing puppet manifests work exactly as before. Since this has changed, I had to work around it, by making the puppet-keystone user create function also add the user to the project. https://review.openstack.org/#/c/174976/24/lib/puppet/provider/keystone_user/openstack.rb Cheers, Raildo Mascena On Tue, Jun 16, 2015 at 1:52 PM Rich Megginson rmegg...@redhat.com wrote: Using admin token credentials with the Keystone v2.0 API and the openstackclient, doing this: # openstack project create bar --enable # openstack user create foo --project bar --enable ... The user will be added to the project. Using admin token credentials with the Keystone v3 API and the openstackclient, using the v3 policy file with is_admin:1 added just about everywhere, doing this: # openstack project create bar --domain Default --enable # openstack user create foo --domain Default --enable --project $project_id_of_bar ... The user will NOT be added to the project. Is this intentional? Am I missing some sort of policy to allow user create to add the user to the given project? __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribehttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Keystone][OSC] Keystone v3 user create --project $projid does not add user to project?
Using admin token credentials with the Keystone v2.0 API and the openstackclient, doing this: # openstack project create bar --enable # openstack user create foo --project bar --enable ... The user will be added to the project. Using admin token credentials with the Keystone v3 API and the openstackclient, using the v3 policy file with is_admin:1 added just about everywhere, doing this: # openstack project create bar --domain Default --enable # openstack user create foo --domain Default --enable --project $project_id_of_bar ... The user will NOT be added to the project. Is this intentional? Am I missing some sort of policy to allow user create to add the user to the given project? __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev