Python-keystoneclient roles_for_user, add_user_role & remove_user_role function

Asked by Michael Lin

Dear all,

I've traced python-keystoneclient roles.py.

There are 3 functions that I have some questions about.

First of all, the "add_user_role" function comment said that

"If tenant is specified, the role is added just for that tenant, otherwise the role is added globally."

and the function is "def add_user_role(self, user, role, tenant=None):"

I saw that the tenant arg could be None, but when I wrote

>>> from keystoneclient.v2_0 import client
>>> auth = client.Client(username="admin", password="password", tenant_name="TENANT", auth_url="http://localhost:5000/v2.0")
>>> auth.roles.add_user_role('user_id', 'role_id')

It gave me an error message:

HTTPNotImplemented: User roles not supported: tenant_id required (HTTP 501)

Why?

Thanks to anyone who can help me solve this question :D

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: Joseph Heck
Best Joseph Heck (heckj) said :
#1

We're actively removing the idea that a user can have a "role" outside of an association with a tenant. The user-role concept introduced a great deal of indeterminism in the API and how keystone should respond, as well as the idea of what a "role" meant.

The intention going forward is that a role is a named relationship between a user and a tenant that is used in conjunction with a service-defined policy (see nova/etc/policy.json in the nova project for an example) to define what actions can be taken by that user in the context of a group of ownership (i.e. related to a tenant).
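
The tenant-scoped role model described in the answer above, as an added example that is not part of the original thread and is not keystone or nova code. It is a simplified in-memory model: the class and function names, the sample users and tenants, and the list-of-lists rule shape (OR across groups, AND within a group) are assumptions made for illustration.

```python
# Added illustration: a simplified in-memory model, not keystone or nova code.
# All names below are hypothetical except the add_user_role signature from the question.

class TenantRequired(Exception):
    """Mirrors the HTTP 501 'tenant_id required' response quoted in the question."""

class RoleStore:
    def __init__(self):
        # A role exists only as a (user, tenant) -> {role names} relationship.
        self._grants = {}

    def add_user_role(self, user, role, tenant=None):
        # Same signature as the client call in the question; tenant=None is
        # rejected because there is no tenant-free ("global") slot for the grant.
        if tenant is None:
            raise TenantRequired("User roles not supported: tenant_id required")
        self._grants.setdefault((user, tenant), set()).add(role)

    def roles_for_user(self, user, tenant):
        return set(self._grants.get((user, tenant), ()))

def check(rule, creds, target):
    """Evaluate a rule given as a list of lists: OR across the outer list,
    AND within each inner list (assumed shape of a policy file entry)."""
    def match(term):
        kind, _, value = term.partition(":")
        if kind == "role":
            return value in creds["roles"]
        # e.g. "tenant_id:%(tenant_id)s" compares the caller's scope to the target
        return creds.get(kind) == value % target
    return any(all(match(t) for t in group) for group in rule)

def can_act(store, rule, user, tenant, target):
    # Credentials are built for one tenant; roles come from that scope only.
    creds = {"tenant_id": tenant, "roles": store.roles_for_user(user, tenant)}
    return check(rule, creds, target)

# Constructed sample data.
STORE = RoleStore()
STORE.add_user_role("alice", "admin", tenant="t1")
STORE.add_user_role("alice", "member", tenant="t2")
RULE = [["role:admin", "tenant_id:%(tenant_id)s"]]  # admin of the owning tenant
```

Because every grant carries a tenant, the policy check always has one unambiguous answer: being admin in one tenant confers nothing in another.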

Michael Lin (michael-lin) said :
#2

Thanks Joseph Heck, that solved my question.