Yes, this is new. We are removing the direct association between users
and projects (Project members) and replacing it with a Role (_member_).
The _ is there to ensure it does not conflict with existing roles.
The two different ways of associating users to projects were causing
problems. With RBAC, we can now enforce policy about project membership
that we could not do before.
On 02/21/2013 09:39 PM, Leo Toyoda wrote:
Hi, everyone
I'm using the master branch devstack.
I have a question about assignment of the default role (Keystone).
When I create a user and specify the tenant, '_member_' is assigned to the roles.
$ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
+----------+-------------------+
| Property | Value |
+----------+-------------------+
| email | te...@example.com |
| enabled | True |
| id | af1..8d2 |
| name | test |
| tenantId | e61..7f6 |
+----------+-------------------+
$ keystone user-role-list --user test --tenant e61..7f6
+----------+----------+----------+-----------+
| id | name | user_id | tenant_id |
+----------+----------+----------+-----------+
| 9fe..bab | _member_ | af1..8d2 | e61..7f6 |
+----------+----------+----------+-----------+
Then, I assign the "Member" role to the user.
This results in two roles being assigned: 'Member' and '_member_'.
$ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user af1..8d2 --tenant e61..7f6
+----------+----------+----------+-----------+
| id | name | user_id | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member | af1..8d2 | e61..7f6 |
| 9fe..bab | _member_ | af1..8d2 | e61..7f6 |
+----------+----------+----------+-----------+
When I create a user without specifying a tenant, I assign the 'Member' role.
In this case, only one role is assigned.
$ keystone user-create --name test2 --pass test --email te...@example.com
+----------+-------------------+
| Property | Value |
+----------+-------------------+
| email | te...@example.com |
| enabled | True |
| id | c22..a6d |
| name | test2 |
| tenantId | |
+----------+-------------------+
$ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
$ keystone user-role-list --user c22..a6d --tenant e61..7f6
+----------+----------+----------+-----------+
| id | name | user_id | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f | Member | c22..a6d | e61..7f6 |
+----------+----------+----------+-----------+
Is it expected behavior that two roles are assigned?
Thanks
Leo Toyoda
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp