Re: [Openstack] Keystone client, user belongs to many tenants?
Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner role for Brewers only. In fat Keystone, there a couple of ways you can accomplish this. 1) Make Commissioner a “global role” (unscoped) and assign it to user Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating a role reference. When Bud Selid tries to access MLB with his unscoped token, MLB will get his Commissioner role back from Keystone. When Bud Selid tries to access MLB with his token scoped to Brewers, MLB will get both his Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries to acess MLB with his token scoped to Giants or Dodgers, MLB will only get his Commissioner role back from Keystone. 2) Assign the Commissioner role to Bud Selid to tenants Giants, Dodgers, and Brewers individually by creating the respective role references. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating another role reference. In this scenario, Bud Selid will always need a scoped token to access MLB. In KSL, there really aren’t any effective ways to accomplish the same thing. Global roles are no longer supported. A given user must assign to exactly one tenant. I suppose you can have Bud Selid under the “Default Tenant”, and assign both Commissioner and Minority Owner roles to him. But there are two major side effects. 1) Bud Selid must access MLB with the token scoped to the “Default Tenant” in order for MLB to recognize him as Commissioner. Which means he IS ALSO the Minority Owner for Dodgers, Giants, and Brewers. J 2) If Bud Selid tries to access MLB with the token scoped to either Giants, Dodgers, or Brewers, his a NOBODY. J The upcoming Domains blueprint (to be implemented for Folsom), which offers true multitenancy, should support these types of use cases. https://blueprints.launchpad.net/keystone/+spec/keystone-domains With Domains, you can create a MLB domain with tenants Dodgers, Giants, and Brewers. And have Bud Selid under the MLB domain. Notice that users will no longer be assigned to tenants. They will be under a domain. Create roles Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have another domain NFL, Bud Selid will not be able to access any tenants in the NFL domain, unless the NFL domain administrator explicitly assign NFL roles to Bud Selid. Guang From: openstack-bounces+guang.yee=hp@lists.launchpad.net [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Dolph Mathews Sent: Wednesday, May 09, 2012 4:34 PM To: Joshua Harlow Cc: openstack Subject: Re: [Openstack] Keystone client, user belongs to many tenants? The user create command is actually creating discrete users, each with a default tenant reference. While that's fine for a lot of simple use cases, it doesn't directly support a user accessing multiple tenants at all. Instead, create a role, and grant that role to a user-tenant pair, creating an explicit relationship between the two. Using default tenants is optional with this method, but will affect how users must auth. -Dolph Mathews On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote: A question, I am using anvil to setup the keystone roles/users/tenants. It seems like the python keystone client has the following command: client.users.create Which seems to take in the following: create(self, name, password, email, tenant_id=None, enabled=True): I would assume a user name can be used in multiple tenants but when I am trying to create a user that spans tenants
Re: [Openstack] Keystone client, user belongs to many tenants?
+1 The second way to accomplish this is exactly what keystone currently supports (explicit role grants), which didn't change between diablo and essex at all. The first method (using global unscopedness) was dropped because its just as confusing as you describe it. -Dolph Mathews On May 10, 2012, at 2:35 AM, Joseph Heck he...@mac.com wrote: Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner role for Brewers only. In fat Keystone, there a couple of ways you can accomplish this. 1) Make Commissioner a “global role” (unscoped) and assign it to user Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating a role reference. When Bud Selid tries to access MLB with his unscoped token, MLB will get his Commissioner role back from Keystone. When Bud Selid tries to access MLB with his token scoped to Brewers, MLB will get both his Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries to acess MLB with his token scoped to Giants or Dodgers, MLB will only get his Commissioner role back from Keystone. 2) Assign the Commissioner role to Bud Selid to tenants Giants, Dodgers, and Brewers individually by creating the respective role references. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating another role reference. In this scenario, Bud Selid will always need a scoped token to access MLB. In KSL, there really aren’t any effective ways to accomplish the same thing. Global roles are no longer supported. A given user must assign to exactly one tenant. I suppose you can have Bud Selid under the “Default Tenant”, and assign both Commissioner and Minority Owner roles to him. But there are two major side effects. 1) Bud Selid must access MLB with the token scoped to the “Default Tenant” in order for MLB to recognize him as Commissioner. Which means he IS ALSO the Minority Owner for Dodgers, Giants, and Brewers. J 2) If Bud Selid tries to access MLB with the token scoped to either Giants, Dodgers, or Brewers, his a NOBODY. J The upcoming Domains blueprint (to be implemented for Folsom), which offers true multitenancy, should support these types of use cases. https://blueprints.launchpad.net/keystone/+spec/keystone-domains With Domains, you can create a MLB domain with tenants Dodgers, Giants, and Brewers. And have Bud Selid under the MLB domain. Notice that users will no longer be assigned to tenants. They will be under a domain. Create roles Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have another domain NFL, Bud Selid will not be able to access any tenants in the NFL domain, unless the NFL domain administrator explicitly assign NFL roles to Bud Selid. Guang From: openstack-bounces+guang.yee=hp@lists.launchpad.net [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Dolph Mathews Sent: Wednesday, May 09, 2012 4:34 PM To: Joshua Harlow Cc: openstack Subject: Re: [Openstack] Keystone client, user belongs to many tenants? The user create command is actually creating discrete users, each with a default tenant reference. While that's fine for a lot of simple use cases, it doesn't directly support a user accessing multiple tenants at all. Instead, create a role, and grant that role to a user-tenant pair, creating an explicit relationship between the two. Using default tenants is optional with this method, but will affect how users must auth. -Dolph Mathews On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote: A question, I am using anvil to setup
Re: [Openstack] Keystone client, user belongs to many tenants?
another domain NFL, Bud Selid will not be able to access any
tenants in the NFL domain, unless the NFL domain administrator explicitly
assign NFL roles to Bud Selid.
Guang
From: openstack-bounces+guang.yee=hp@lists.launchpad.net
[mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf
Of Dolph Mathews
Sent: Wednesday, May 09, 2012 4:34 PM
To: Joshua Harlow
Cc: openstack
Subject: Re: [Openstack] Keystone client, user belongs to many tenants?
The user create command is actually creating discrete users, each with a
default tenant reference.
While that's fine for a lot of simple use cases, it doesn't directly
support a user accessing multiple tenants at all.
Instead, create a role, and grant that role to a user-tenant pair, creating
an explicit relationship between the two. Using default tenants is optional
with this method, but will affect how users must auth.
-Dolph Mathews
On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote:
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am
trying to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user.
(IntegrityError) (1062, Duplicate entry 'admin' for key 'name') 'INSERT
INTO user (id, name, extra) VALUES (%s, %s, %s)'
('3e14a9c1fd404c7e81c0dba8bd640575', 'admin', '{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much
info also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
reference. When Bud Selid tries to access MLB
with his unscoped token, MLB will get his Commissioner role back from
Keystone. When Bud Selid tries to access MLB with his token scoped to
Brewers, MLB will get both his Commissioner and Minority Owner roles back
from Keystone. When Bud Selid tries to acess MLB with his token scoped to
Giants or Dodgers, MLB will only get his Commissioner role back from
Keystone.
2) Assign the Commissioner role to Bud Selid to tenants Giants,
Dodgers, and Brewers individually by creating the respective role
references. Assign the Minority Owner role to Bud Selid for tenant Brewers
by creating another role reference. In this scenario, Bud Selid will always
need a scoped token to access MLB.
** **
In KSL, there really aren’t any effective ways to accomplish the same
thing. Global roles are no longer supported. A given user must assign to
exactly one tenant. I suppose you can have Bud Selid under the “Default
Tenant”, and assign both Commissioner and Minority Owner roles to him. But
there are two major side effects.
** **
1) Bud Selid must access MLB with the token scoped to the “Default
Tenant” in order for MLB to recognize him as Commissioner. Which means he
IS ALSO the Minority Owner for Dodgers, Giants, and Brewers. J
2) If Bud Selid tries to access MLB with the token scoped to either
Giants, Dodgers, or Brewers, his a NOBODY. J
** **
The upcoming Domains blueprint (to be implemented for Folsom), which
offers true multitenancy, should support these types of use cases.
** **
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
** **
With Domains, you can create a MLB domain with tenants Dodgers, Giants,
and Brewers. And have Bud Selid under the MLB domain. Notice that users
will no longer be assigned to tenants. They will be under a domain. Create
roles Commissioner and Minority Owner in the MLB domain. Assign the
Commissioner role to Bud Selid, and the Minority Owner role scoped to
Brewers. Suppose you have another domain NFL, Bud Selid will not be able to
access any tenants in the NFL domain, unless the NFL domain administrator
explicitly assign NFL roles to Bud Selid.
** **
** **
Guang
** **
** **
** **
** **
*From:* openstack-bounces+guang.yee=hp@lists.launchpad.net [mailto:
openstack-bounces+guang.yee=hp@lists.launchpad.net] *On Behalf Of *Dolph
Mathews
*Sent:* Wednesday, May 09, 2012 4:34 PM
*To:* Joshua Harlow
*Cc:* openstack
*Subject:* Re: [Openstack] Keystone client, user belongs to many tenants?*
***
** **
The user create command is actually creating discrete users, each with a
default tenant reference.
** **
While that's fine for a lot of simple use cases, it doesn't directly
support a user accessing multiple tenants at all.
** **
Instead, create a role, and grant that role to a user-tenant pair,
creating an explicit relationship between the two. Using default tenants is
optional with this method, but will affect how users must auth.
-Dolph Mathews
On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote:*
***
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
*create*(self, name, password, email, tenant_id*=*None, enabled*=*True):
I would assume a user name can be used in multiple tenants but when I am
trying to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user.
(IntegrityError) (1062, Duplicate entry 'admin' for key 'name') 'INSERT
INTO user (id, name, extra) VALUES (%s, %s, %s)'
('3e14a9c1fd404c7e81c0dba8bd640575', 'admin', '{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much
info also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list
Re: [Openstack] Keystone client, user belongs to many tenants?
the Commissioner role for Dodgers, Giants, and Brewers, but
Minority Owner role for Brewers only.
In fat Keystone, there a couple of ways you can accomplish this.
1) Make Commissioner a “global role” (unscoped) and assign it to user
Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by
creating a role reference. When Bud Selid tries to access MLB with his
unscoped token, MLB will get his Commissioner role back from Keystone. When
Bud Selid tries to access MLB with his token scoped to Brewers, MLB will get
both his Commissioner and Minority Owner roles back from Keystone. When Bud
Selid tries to acess MLB with his token scoped to Giants or Dodgers, MLB
will only get his Commissioner role back from Keystone.
2) Assign the Commissioner role to Bud Selid to tenants Giants,
Dodgers, and Brewers individually by creating the respective role
references. Assign the Minority Owner role to Bud Selid for tenant Brewers
by creating another role reference. In this scenario, Bud Selid will always
need a scoped token to access MLB.
In KSL, there really aren’t any effective ways to accomplish the same
thing. Global roles are no longer supported. A given user must assign to
exactly one tenant. I suppose you can have Bud Selid under the “Default
Tenant”, and assign both Commissioner and Minority Owner roles to him. But
there are two major side effects.
1) Bud Selid must access MLB with the token scoped to the “Default
Tenant” in order for MLB to recognize him as Commissioner. Which means he IS
ALSO the Minority Owner for Dodgers, Giants, and Brewers. J
2) If Bud Selid tries to access MLB with the token scoped to either
Giants, Dodgers, or Brewers, his a NOBODY. J
The upcoming Domains blueprint (to be implemented for Folsom), which
offers true multitenancy, should support these types of use cases.
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
With Domains, you can create a MLB domain with tenants Dodgers, Giants,
and Brewers. And have Bud Selid under the MLB domain. Notice that users will
no longer be assigned to tenants. They will be under a domain. Create roles
Commissioner and Minority Owner in the MLB domain. Assign the Commissioner
role to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose
you have another domain NFL, Bud Selid will not be able to access any
tenants in the NFL domain, unless the NFL domain administrator explicitly
assign NFL roles to Bud Selid.
Guang
From: openstack-bounces+guang.yee=hp@lists.launchpad.net
[mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf
Of Dolph Mathews
Sent: Wednesday, May 09, 2012 4:34 PM
To: Joshua Harlow
Cc: openstack
Subject: Re: [Openstack] Keystone client, user belongs to many tenants?
The user create command is actually creating discrete users, each with a
default tenant reference.
While that's fine for a lot of simple use cases, it doesn't directly
support a user accessing multiple tenants at all.
Instead, create a role, and grant that role to a user-tenant pair,
creating an explicit relationship between the two. Using default tenants is
optional with this method, but will affect how users must auth.
-Dolph Mathews
On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote:
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am
trying to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user.
(IntegrityError) (1062, Duplicate entry 'admin' for key 'name') 'INSERT
INTO user (id, name, extra) VALUES (%s, %s, %s)'
('3e14a9c1fd404c7e81c0dba8bd640575', 'admin', '{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much
info also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Re: [Openstack] Keystone client, user belongs to many tenants?
users are defined as globally unique in keystone
what's anvil?
-joe
On May 9, 2012, at 1:46 PM, Joshua Harlow wrote:
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am
trying to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user. (IntegrityError)
(1062, Duplicate entry 'admin' for key 'name') 'INSERT INTO user (id, name,
extra) VALUES (%s, %s, %s)' ('3e14a9c1fd404c7e81c0dba8bd640575', 'admin',
'{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much
info also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
The user create command is actually creating discrete users, each with a
default tenant reference.
While that's fine for a lot of simple use cases, it doesn't directly support a
user accessing multiple tenants at all.
Instead, create a role, and grant that role to a user-tenant pair, creating an
explicit relationship between the two. Using default tenants is optional with
this method, but will affect how users must auth.
-Dolph Mathews
On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote:
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am
trying to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user. (IntegrityError)
(1062, Duplicate entry 'admin' for key 'name') 'INSERT INTO user (id, name,
extra) VALUES (%s, %s, %s)' ('3e14a9c1fd404c7e81c0dba8bd640575', 'admin',
'{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much
info also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
The tenant_id field on user creation is the default tenant for the user.
Adding a user to additional tenants is done by granting the user one or more
roles on those tenants.
All the best,
- Gabriel
From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net
[mailto:openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] On
Behalf Of Joshua Harlow
Sent: Wednesday, May 09, 2012 1:46 PM
To: openstack
Subject: [Openstack] Keystone client, user belongs to many tenants?
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am trying
to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user. (IntegrityError)
(1062, Duplicate entry 'admin' for key 'name') 'INSERT INTO user (id, name,
extra) VALUES (%s, %s, %s)' ('3e14a9c1fd404c7e81c0dba8bd640575', 'admin',
'{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much info
also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
On May 9, 2012, at 4:46 PM, Joshua Harlow wrote:
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am
trying to create a user that spans tenants and it seems like it borks.
My guess is that once you have a user created, you would then use the
client.tenants.add_user method to add the user to different tenants:
add_user(tenant, user, role)
I think you would do something like:
user=client.users.create(…)
role=…
for tenant in other_tenants:
client.tenants.add_user(tenant, user, role)
ClientException: Conflict occurred attempting to store user. (IntegrityError)
(1062, Duplicate entry 'admin' for key 'name') 'INSERT INTO user (id, name,
extra) VALUES (%s, %s, %s)' ('3e14a9c1fd404c7e81c0dba8bd640575', 'admin',
'{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much
info also (hashed password??) :-P
Not sure about this one.
Take care,
Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
I think this use case underscores one of the key differences between the fat
Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and
tenants are loosely coupled. They are bind together by role assignments. In
KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the
following example would further clarify this …
Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles
Commissioner and Minority Owner, and service MLB. And you want Bud Selid to
have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner
role for Brewers only.
In fat Keystone, there a couple of ways you can accomplish this.
1) Make Commissioner a “global role” (unscoped) and assign it to user Bud
Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by
creating a role reference. When Bud Selid tries to access MLB with his unscoped
token, MLB will get his Commissioner role back from Keystone. When Bud Selid
tries to access MLB with his token scoped to Brewers, MLB will get both his
Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries
to acess MLB with his token scoped to Giants or Dodgers, MLB will only get his
Commissioner role back from Keystone.
2) Assign the Commissioner role to Bud Selid to tenants Giants, Dodgers,
and Brewers individually by creating the respective role references. Assign the
Minority Owner role to Bud Selid for tenant Brewers by creating another role
reference. In this scenario, Bud Selid will always need a scoped token to
access MLB.
In KSL, there really aren’t any effective ways to accomplish the same thing.
Global roles are no longer supported. A given user must assign to exactly one
tenant. I suppose you can have Bud Selid under the “Default Tenant”, and assign
both Commissioner and Minority Owner roles to him. But there are two major side
effects.
1) Bud Selid must access MLB with the token scoped to the “Default Tenant”
in order for MLB to recognize him as Commissioner. Which means he IS ALSO the
Minority Owner for Dodgers, Giants, and Brewers. J
2) If Bud Selid tries to access MLB with the token scoped to either
Giants, Dodgers, or Brewers, his a NOBODY. J
The upcoming Domains blueprint (to be implemented for Folsom), which offers
true multitenancy, should support these types of use cases.
https://blueprints.launchpad.net/keystone/+spec/keystone-domains
With Domains, you can create a MLB domain with tenants Dodgers, Giants, and
Brewers. And have Bud Selid under the MLB domain. Notice that users will no
longer be assigned to tenants. They will be under a domain. Create roles
Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role
to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have
another domain NFL, Bud Selid will not be able to access any tenants in the NFL
domain, unless the NFL domain administrator explicitly assign NFL roles to Bud
Selid.
Guang
From: openstack-bounces+guang.yee=hp@lists.launchpad.net
[mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of
Dolph Mathews
Sent: Wednesday, May 09, 2012 4:34 PM
To: Joshua Harlow
Cc: openstack
Subject: Re: [Openstack] Keystone client, user belongs to many tenants?
The user create command is actually creating discrete users, each with a
default tenant reference.
While that's fine for a lot of simple use cases, it doesn't directly support a
user accessing multiple tenants at all.
Instead, create a role, and grant that role to a user-tenant pair, creating an
explicit relationship between the two. Using default tenants is optional with
this method, but will affect how users must auth.
-Dolph Mathews
On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote:
A question,
I am using anvil to setup the keystone roles/users/tenants.
It seems like the python keystone client has the following command:
client.users.create
Which seems to take in the following:
create(self, name, password, email, tenant_id=None, enabled=True):
I would assume a user name can be used in multiple tenants but when I am trying
to create a user that spans tenants and it seems like it borks.
ClientException: Conflict occurred attempting to store user. (IntegrityError)
(1062, Duplicate entry 'admin' for key 'name') 'INSERT INTO user (id, name,
extra) VALUES (%s, %s, %s)' ('3e14a9c1fd404c7e81c0dba8bd640575', 'admin',
'{password:
$6$rounds=4$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/,
enabled: true, email: ad...@example.com, tenantId:
d1506184877a449a91fc6adcb553ad97}') (HTTP 409)
Is this supposed to happen? Is the client supposed to send back this much info
also (hashed password??) :-P
Any ideas?
___
Mailing list: https://launchpad.net
