Yes, those are the two use cases we're supporting, although I'd encourage Case 2, as it's generally much more intuitive.
-Dolph

On Mon, Feb 25, 2013 at 1:54 AM, Leo Toyoda <toyoda-...@cnt.mxw.nes.nec.co.jp> wrote:

> Hi Adam
>
> Thanks a lot for your answer.
>
> My understanding is as follows. Would that be OK with you?
> Case1: Create a user *with* specifying the tenant.
>  * Default role is assigned.
>  * I need to assign the required roles in "keystone user-role-add".
>  * The user has two roles.
>
> Case2: Create a user *without* specifying the tenant.
>  * I need to assign the required roles and the tenant in "keystone user-role-add".
>  * The user has one role.
>
> Thanks,
> Leo Toyoda
>
> > -----Original Message-----
> > From: openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net
> > [mailto:openstack-bounces+toyoda-reo=cnt.mxw.nes.nec.co.jp@lists.launchpad.net] On Behalf Of Adam Young
> > Sent: Saturday, February 23, 2013 5:31 AM
> > To: openstack@lists.launchpad.net
> > Subject: Re: [Openstack] [Keystone]Question: Assignment of default role
> >
> > Yes, this is new. We are removing the direct association
> > between users and projects (Project members) and replacing it
> > with a Role (_member_)
> >
> > The _ is there to ensure it does not conflict with existing roles.
> >
> > The two different ways of associating users to projects were
> > causing problems. With RBAC, we can now enforce policy about
> > project membership that we could not do before.
> >
> > On 02/21/2013 09:39 PM, Leo Toyoda wrote:
> > > Hi, everyone
> > >
> > > I'm using the master branch devstack.
> > > I have a question about assignment of default role (Keystone).
> > >
> > > When I create a user specifying the tenant, '_member_' is assigned to the roles.
> > > $ keystone user-create --name test --tenant-id e61..7f6 --pass test --email t...@example.com
> > > +----------+-------------------+
> > > | Property | Value             |
> > > +----------+-------------------+
> > > | email    | te...@example.com |
> > > | enabled  | True              |
> > > | id       | af1..8d2          |
> > > | name     | test              |
> > > | tenantId | e61..7f6          |
> > > +----------+-------------------+
> > > $ keystone user-role-list --user test --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > |    id    |   name   | user_id  | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 9fe..bab | _member_ | af1..8d2 |  e61..7f6 |
> > > +----------+----------+----------+-----------+
> > >
> > > Then, I assign the "Member" role to the user.
> > > As a result, two roles are assigned: 'Member' and '_member_'.
> > > $ keystone user-role-add --user af1..8d2 --role 57d..d1f --tenant e61..7f6
> > > $ keystone user-role-list --user af1..8d2 --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > |    id    |   name   | user_id  | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 57d..d1f |  Member  | af1..8d2 |  e61..7f6 |
> > > | 9fe..bab | _member_ | af1..8d2 |  e61..7f6 |
> > > +----------+----------+----------+-----------+
> > >
> > > When I create a user without specifying a tenant, I assign the 'Member' role.
> > > In this case, only one role is assigned.
> > > $ keystone user-create --name test2 --pass test --email te...@example.com
> > > +----------+-------------------+
> > > | Property | Value             |
> > > +----------+-------------------+
> > > | email    | te...@example.com |
> > > | enabled  | True              |
> > > | id       | c22..a6d          |
> > > | name     | test2             |
> > > | tenantId |                   |
> > > +----------+-------------------+
> > > $ keystone user-role-add --user c22..a6d --role 57d..d1f --tenant e61..7f6
> > > $ keystone user-role-list --user c22..a6d --tenant e61..7f6
> > > +----------+----------+----------+-----------+
> > > |    id    |   name   | user_id  | tenant_id |
> > > +----------+----------+----------+-----------+
> > > | 57d..d1f |  Member  | c22..a6d |  e61..7f6 |
> > > +----------+----------+----------+-----------+
> > >
> > > Is it expected behavior that two roles are assigned?
> > >
> > > Thanks
> > > Leo Toyoda
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~openstack
> > > Post to     : openstack@lists.launchpad.net
> > > Unsubscribe : https://launchpad.net/~openstack
> > > More help   : https://help.launchpad.net/ListHelp
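An added example, not part of the thread and not Keystone's own code: a small audit helper that parses `keystone user-role-list` tables and classifies each user/tenant grant by whether it carries only the implicit `_member_` role, only explicit roles, or both, which is the difference between Case 1 and Case 2 above. The sample tables are constructed from the abbreviated IDs in the thread; the function names and category labels are assumptions.

```python
# Constructed sample shaped like the `keystone user-role-list` output in the
# thread (abbreviated IDs as posted there); not captured from a live system.
SAMPLE = """\
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | af1..8d2 |  e61..7f6 |
| 9fe..bab | _member_ | af1..8d2 |  e61..7f6 |
+----------+----------+----------+-----------+
+----------+----------+----------+-----------+
|    id    |   name   | user_id  | tenant_id |
+----------+----------+----------+-----------+
| 57d..d1f |  Member  | c22..a6d |  e61..7f6 |
+----------+----------+----------+-----------+
"""
IMPLICIT_ROLE = "_member_"  # role name as given in the thread


def parse_role_tables(text):
    """Yield one dict per data row, keyed by the header cells of its table."""
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border lines and anything that is not a table row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[:2] == ["id", "name"]:
            header = cells
        elif header is not None and len(cells) == len(header):
            yield dict(zip(header, cells))
        # rows with the wrong cell count (mail-wrapped output) are skipped


def classify(rows):
    """Map (user_id, tenant_id) -> (category, sorted role names)."""
    grants = {}
    for r in rows:
        grants.setdefault((r["user_id"], r["tenant_id"]), set()).add(r["name"])
    report = {}
    for key, roles in grants.items():
        explicit = roles - {IMPLICIT_ROLE}
        if IMPLICIT_ROLE not in roles:
            kind = "explicit-only"        # Case 2: created without a tenant
        elif explicit:
            kind = "implicit+explicit"    # Case 1 after user-role-add
        else:
            kind = "implicit-only"        # Case 1 before user-role-add
        report[key] = (kind, sorted(roles))
    return report


if __name__ == "__main__":
    for (user, tenant), (kind, roles) in sorted(classify(parse_role_tables(SAMPLE)).items()):
        print(f"{user} on {tenant}: {kind} {roles}")
```

Running the classification over every tenant shows which accounts a policy rule written against `_member_` would match and which it would miss.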