Doubts about User role in keystone

Asked by Karl Williams

Hi,

  I have some doubts about user roles in Keystone. I think this doubt comes because I got used to tempauth and swauth roles and couldn't map those roles to Keystone...

  The doubt is this:

    In tempauth and swauth there are 3 types of user roles: user, admin and reseller admin. The first has access to objects in a container limited to what the admin sets for him (container ACL permission). The admin has full control over the containers in his account, and the reseller admin has full control over all accounts, containers and objects in a cluster.

 In Keystone, we can create the tenant and the role (http://docs.openstack.org/essex/openstack-compute/starter/content/Creating_Keystone_Roles-d1e460.html). So if I create the role, how do I set that one role is the "admin" role? How do I set that the role I create is a role under the admin role? ("user" role)

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Solved by: Joseph Heck
Best Joseph Heck (heckj) said:
#1

Hi Karl -

In Keystone, the "role" is simply an identifier (i.e. a name) that can be applied between a tenant (aka project) and a user. How the service provides authZ based on this is up to the service; keystone simply passes to nova, swift, etc. the list of roles for the user as they're associated to a tenant.

In some implementations, the deployer chooses "admin" to mean a global admin across all services (think "cloud administrator"), and assigns those users the 'admin' role. That's then passed down to Nova, Glance, Swift, etc. and those services choose what to do (or not to do) with the role.

For using swift_auth with keystone, the middleware allows you to define what role names you wish to use for providing information to swift about being a "swift_operator" or "reseller_admin". Those default to 'admin' and 'swift operator' for the former, and 'ResellerAdmin' for the latter. You can see some detail of how to configure this in the source for swift_auth at https://github.com/openstack/keystone/blob/master/keystone/middleware/swift_auth.py#L59-L65

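As an added example (not keystone's swift_auth code and not part of the original answer), the following shows the mapping the answer describes from Swift's side: the role list Keystone passes down is matched against two deployer-chosen settings, so "which role is admin" is decided in the proxy's auth filter configuration, not in Keystone. The option names operator_roles and reseller_admin_role are the ones the answer points to in swift_auth.py; the Request class, the header layout it stands in for, and the sample requests are constructed for this example.

```python
"""Added example: turning Keystone's role list into the tempauth-style
operator / reseller-admin / plain-user distinction on the Swift side.
Not keystone's swift_auth middleware; the Request class and sample
requests are constructed stand-ins for this illustration."""

from dataclasses import dataclass
from typing import Iterable, Optional

# What a deployer sets in the swift_auth filter section of
# proxy-server.conf; these are the defaults the answer quotes.
DEFAULT_OPERATOR_ROLES = ("admin", "swiftoperator")
DEFAULT_RESELLER_ADMIN_ROLE = "ResellerAdmin"
RESELLER_PREFIX = "AUTH_"   # account name is <prefix><tenant id>


@dataclass
class Request:
    """Constructed stand-in for the headers the token-validating
    middleware sets before the auth filter sees the request."""
    path: str        # /v1/AUTH_<tenant_id>/<container>/<object>
    tenant_id: str   # the tenant the token was scoped to
    roles: str       # role names for that tenant, comma separated


def normalise(names: Iterable[str]) -> set:
    """Lower-case and strip so 'Admin, swiftoperator ' in a config file
    still matches; a case-sensitive compare would silently lock out
    every operator."""
    return {n.strip().lower() for n in names if n.strip()}


def account_from_path(path: str) -> Optional[str]:
    """/v1/AUTH_abc/c/o -> 'AUTH_abc'; None for a malformed path."""
    parts = path.split("/", 3)
    if len(parts) < 3 or parts[1] != "v1" or not parts[2]:
        return None
    return parts[2]


def classify(req: Request,
             operator_roles: Iterable[str] = DEFAULT_OPERATOR_ROLES,
             reseller_admin_role: str = DEFAULT_RESELLER_ADMIN_ROLE) -> str:
    """Authorisation level the role list earns on this request.

    reseller_admin : role matches reseller_admin_role; any account
    swift_operator : an operator role AND the request targets the
                     account belonging to the token's own tenant
    container_acl  : neither; the decision is left to the container
                     ACL (the 'user' case, not modelled here)
    """
    user_roles = normalise(req.roles.split(","))
    if reseller_admin_role.lower() in user_roles:
        return "reseller_admin"
    own_account = account_from_path(req.path) == RESELLER_PREFIX + req.tenant_id
    if own_account and user_roles & normalise(operator_roles):
        return "swift_operator"
    return "container_acl"


if __name__ == "__main__":
    # Constructed requests: same token tenant, different roles/targets.
    for r in (
        Request("/v1/AUTH_t1/photos/a.jpg", "t1", "Member"),
        Request("/v1/AUTH_t1/photos/a.jpg", "t1", "Member,admin"),
        Request("/v1/AUTH_t2/photos/a.jpg", "t1", "admin"),  # other tenant
        Request("/v1/AUTH_t2/photos/a.jpg", "t1", "ResellerAdmin"),
    ):
        print(r.path, r.roles, "->", classify(r))
```

Renaming the operator role is just a matter of passing a different operator_roles tuple (the equivalent of editing the filter section): a user holding only 'admin' then drops to the container ACL path, which is exactly the "admin" versus "user" split the question asks about.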
Karl Williams (a-williams-karl) said:
#2

Hi Joseph, thanks very much for clarifying this!

Karl Williams (a-williams-karl) said:
#3

Thanks Joseph Heck, that solved my question.