Hi Kuo,

RBAC is a hot topic at Essex right now with a few sessions to explicitly discuss them:

http://essexdesignsummit.sched.org/event/2610368e1c5bd0e52982777f75baafb5
http://essexdesignsummit.sched.org/event/2d4b84fe8559d6a144897a1d53adbb9e
http://essexdesignsummit.sched.org/event/6648ad6a353fd56d39d45193a69f6908

I'm sure notes will be shared about the Essex design summit soon. In the meantime, Keystone tag 2011.03 provides the following functionality for roles:

1. Core calls as defined in https://github.com/openstack/keystone/blob/master/keystone/content/admin/identityadminguide.pdf (should be fully developed)
   a. GET /users/{user_id}/roles - returns global roles for a specific user (excludes tenant roles)
   b. GET /tenants/{tenantId}/users/{user_id}/roles - returns roles for a specific user on a specific tenant (excludes global roles)
2. Extension calls as defined in https://github.com/openstack/keystone/blob/master/keystone/content/admin/OS-KSADM-admin-devguide.pdf (contract complete but not code complete)
   a. GET /OS-KSADM/roles - list roles
   b. POST /OS-KSADM/roles - add role
   c. GET /OS-KSADM/roles/{roleId} - get a role
   d. DELETE /OS-KSADM/roles/{roleId} - delete a role

Since the extension isn't complete yet, you can use keystone-manage to add users, roles, etc. for testing.

Thanks,
Joe

From: openstack-bounces+joe.savak=rackspace....@lists.launchpad.net [mailto:openstack-bounces+joe.savak=rackspace....@lists.launchpad.net] On Behalf Of Kuo Hugo
Sent: Wednesday, October 05, 2011 6:39 PM
To: openstack@lists.launchpad.net
Subject: [Openstack] RBAC handled by keystone or each services ?

Hello folks,

While playing with Keystone, there are four roles named [Admin, Member, KeystoneAdmin, KeystoneServiceAdmin]. I'm confused about who handles these roles' permissions / privileges.

I mean, RBAC includes admin, itsec, projectmanager, netadmin, developer roles in NOVA, but not Admin/Member. Is that handled by keystone or the service itself? Is there any API to add roles (and also set permissions / privileges)?
My guess is that RBAC is still on each service (nova / swift), but how does NOVA know the permissions of the role "Admin"?

--
+Hugo Kuo+
tonyt...@gmail.com
hugo....@cloudena.com
+886-935-004-793
www.cloudena.com

This email may include confidential information. If you received it in error, please delete it.
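
Added example, not part of the thread and not Keystone's own code: because each of the two core calls in the reply excludes the other scope, a caller that needs a user's complete role set on a tenant has to issue both and keep the scopes apart. The response shape `{"roles": [{"name": ...}]}`, the `http_get` transport, and the IDs `u1`/`t1` are assumptions; the sample responses are constructed.

```python
import json
from urllib.parse import quote


def role_paths(user_id, tenant_id):
    """Build the two core-call paths, percent-encoding every path segment
    so an ID containing '/' or spaces cannot change which resource is hit."""
    u = quote(str(user_id), safe="")
    t = quote(str(tenant_id), safe="")
    return {
        "global": f"/users/{u}/roles",
        "tenant": f"/tenants/{t}/users/{u}/roles",
    }


def parse_roles(body):
    """Parse a role list. ASSUMED shape (not from the thread):
    {"roles": [{"name": "..."}]}. Anything else is rejected."""
    roles = json.loads(body).get("roles")
    if not isinstance(roles, list):
        raise ValueError("unexpected roles document")
    return {r["name"] for r in roles}


def effective_roles(http_get, user_id, tenant_id):
    """Return {"global": {...}, "tenant": {...}} of role names.

    http_get(path) -> response body (str) is a hypothetical transport.
    Any error propagates, so a failed call never yields a partial
    role set that a caller could mistake for the full answer.
    """
    paths = role_paths(user_id, tenant_id)
    return {scope: parse_roles(http_get(p)) for scope, p in paths.items()}


# Constructed sample responses standing in for the admin endpoint.
SAMPLE = {
    "/users/u1/roles": '{"roles": [{"name": "KeystoneAdmin"}]}',
    "/tenants/t1/users/u1/roles": '{"roles": [{"name": "Member"}]}',
}


def sample_get(path):
    return SAMPLE[path]


if __name__ == "__main__":
    print(effective_roles(sample_get, "u1", "t1"))
```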