Author: Lance Bragstad <lbrags...@gmail.com>
Date: Thu Dec 28 22:11:32 2017 +0000
Grant admin a role on the system during bootstrap
Now that we have system scope in place, we should make sure at least
one user has a role assignment on the system. We can do this at the
same time we grant the user a role on a project during bootstrap.
This is backwards compatible because even if a deployment doesn't use
system-scope, the assignment will just sit there. The deployment will
have to opt into enforcing scope by updating configuration options
for oslo.policy to enforce scoping.
This shouldn't prevent deployments from fixing bug 968696 and using
** Changed in: keystone
Status: In Progress => Fix Released
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
`keystone-manage bootstrap` doesn't handle system role assignments
Status in OpenStack Identity (keystone):
Status in OpenStack Identity (keystone) queens series:
The whole purpose of the `keystone-manage bootstrap` command is to
help operators establish an admin account they can use to administer
the rest of the deployment. It does this by granting the admin user in
the bootstrap command an admin role on a project .
A system role assignment should also be created so that operators
don't lock themselves out of APIs if they set enabled_scope=True in
configuration but don't actually have a user with any system role
To manage notifications about this bug go to:
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : email@example.com
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp