difference between KeystoneServiceAdmin and Admin role

Asked by crayon_z

In my opinion, the Admin role can access all operations of Keystone, while what the KeystoneServiceAdmin role can access is just a subset of the Admin role. Am I right? If so, why should the first user created in Keystone (aka admin) be assigned both the Admin and KeystoneServiceAdmin roles? Isn't that redundant? If not, what is the KeystoneServiceAdmin role used for?

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: crayon_z
Ziad Sawalha (ziad-sawalha) said :
#1

You are right. If both roles are being assigned it is redundant.

Anne Gentle (annegentle) said :
#2

Devstack assigns these in https://github.com/cloudbuilders/devstack/blob/master/files/keystone_data.sh, and I had the same question. My best guess is that since Devstack is used for testing, there is some edge case they are seeking with that particular role. Sorry that's not exactly an answer but it does let you safely ignore it for your setup. :)

crayon_z (crayon-z) said :
#3

Thanks for the answers. I read the code recently and my guess was right: the KeystoneServiceAdmin role is just a subset of the Admin role.
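The conclusion of this thread (KeystoneServiceAdmin grants a subset of what Admin grants, so holding both is redundant) can be checked mechanically for a whole assignment table. The following is an added example, not code from the thread or from Keystone; the per-role operation names are constructed placeholders, since the thread does not enumerate them, and only the subset relation between the two roles is taken from the answers above.

```python
"""Audit role assignments for grants that add no privilege.

Constructed example: ROLES maps each role to an illustrative set of
operation names (placeholders, not Keystone's real operation list).
The one fact taken from the thread is that KeystoneServiceAdmin's
operations are a subset of Admin's.
"""

ROLES = {
    "Admin": {"tenant:create", "tenant:delete", "user:create", "user:delete",
              "role:grant", "service:list", "service:create", "endpoint:create"},
    "KeystoneServiceAdmin": {"service:list", "service:create", "endpoint:create"},
    "Member": {"token:validate"},
}


def is_subset_role(child, parent, roles=ROLES):
    """True when every operation granted by `child` is also granted by `parent`."""
    return roles[child] <= roles[parent]


def effective_ops(assigned, roles=ROLES):
    """Union of the operations granted by all roles in `assigned`."""
    ops = set()
    for role in assigned:
        ops |= roles[role]
    return ops


def redundant_roles(assigned, roles=ROLES):
    """Roles in `assigned` whose operations are already covered by the others.

    With Admin + KeystoneServiceAdmin on one user, KeystoneServiceAdmin is
    reported and Admin is not, because Admin grants operations the other
    role lacks. Two roles with identical operation sets would both be
    reported, since either one could be dropped.
    """
    assigned = set(assigned)
    return {r for r in assigned
            if roles[r] <= effective_ops(assigned - {r}, roles)}


def audit(assignments, roles=ROLES):
    """Map user -> redundant roles, listing only users that have any."""
    result = {}
    for user, assigned in assignments.items():
        extra = redundant_roles(assigned, roles)
        if extra:
            result[user] = extra
    return result


if __name__ == "__main__":
    # Constructed assignment table in the shape of the devstack case above.
    print(audit({"admin": ["Admin", "KeystoneServiceAdmin"], "demo": ["Member"]}))
```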

Karl Williams (a-williams-karl) said :
#4

Hi,

I have some doubts about user roles in Keystone. I think this doubt comes because I got used to tempauth and swauth roles and I couldn't map those roles to Keystone...

The doubt is this:

In tempauth and swauth there are 3 types of user roles: user, admin and reseller admin. The first has access to objects in a container limited to what the admin set for him (container ACL permission). The admin has full control over the containers in his account and the reseller admin has full control over the accounts, containers and objects in a cluster.

In Keystone, we can create the tenant and the role (http://docs.openstack.org/essex/openstack-compute/starter/content/Creating_Keystone_Roles-d1e460.html). So if I create the role, how do I set that one role is the "admin" role? How do I set that the role I create is a role under the admin role? ("user" role)

Karl Williams (a-williams-karl) said :
#5

Whoops, I posted the question in the wrong place, sorry.