The _member_ role is a handicap for the v2 API to provide an explicit means of expressing default tenancy. The existing behavior satisfies that behavior just fine.
There's really no reason you should be creating the "_member_" role manually as a deployer. Use another role name instead, such as "Member" (the pre-existing role which ayoung opted to not conflict with).

** Changed in: keystone
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1426184

Title:
  CONF.member_role_name isn't used for lookups

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  The CONF.member_role_name is completely overridden by the
  CONF.member_role_id parameter. The only time that _name is used is on
  first request: if there is not a role with member_role_id it will be
  created with _name.

  However, from a deployment perspective I can't set the _id; the id is
  given to me when I create the role, so I would need to:

  1. openstack role create _member_
  2. take the id and put it into the CONF file
  3. restart keystone

  to make this work.

  Worse, there is a default member_role_id.

  I think member_role_id should default to None, the _id should be
  generated on first request as per now and saved (somewhere), if
  member_role_id is needed and not cached then the first step should be
  to do a role lookup on an existing member_role_name.
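
The two lookup orders discussed in the bug description, as a small Python model added here for illustration; it is not keystone code. `RoleStore`, both `resolve_*` functions and the placeholder default id are assumptions made for this example.

```python
# Toy model of the lookup orders in the bug description; not keystone code.
import uuid
from dataclasses import dataclass, field

# Placeholder only: the report says a default member_role_id exists but does not give it.
PLACEHOLDER_DEFAULT_ID = "placeholder-default-member-role-id"


@dataclass
class RoleStore:
    """In-memory stand-in for the role backend (hypothetical)."""
    roles: dict = field(default_factory=dict)  # role id -> role name

    def create(self, name, role_id=None):
        role_id = role_id or uuid.uuid4().hex
        self.roles[role_id] = name
        return role_id

    def ids_by_name(self, name):
        return [rid for rid, n in self.roles.items() if n == name]


def resolve_as_reported(store, member_role_id, member_role_name):
    """Reported behaviour: the id always wins; the name is used only to
    create the role when no role with that id exists yet."""
    if member_role_id not in store.roles:
        # The toy store allows duplicate names; a real backend may reject this.
        store.create(member_role_name, role_id=member_role_id)
    return member_role_id


def resolve_as_proposed(store, member_role_id, member_role_name):
    """Reporter's proposal: id defaults to None, an existing role is looked
    up by name first, and a role is created only when nothing matches."""
    if member_role_id is not None:
        return resolve_as_reported(store, member_role_id, member_role_name)
    matches = store.ids_by_name(member_role_name)
    if len(matches) > 1:
        raise LookupError(f"role name {member_role_name!r} is ambiguous")
    return matches[0] if matches else store.create(member_role_name)


def demo():
    """Operator has run only step 1 (constructed scenario)."""
    a, b = RoleStore(), RoleStore()
    op_a, op_b = a.create("_member_"), b.create("_member_")
    reported = resolve_as_reported(a, PLACEHOLDER_DEFAULT_ID, "_member_")
    proposed = resolve_as_proposed(b, None, "_member_")
    return reported == op_a, proposed == op_b  # (False, True)
```

Under the reported order, the role that ends up granting default tenancy is not the one the operator created by name, which is worth checking when auditing role assignments.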