grizzly: keystone user groups

Bug #1090655 reported by Tom Fifield
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: Brant Knudson

Bug Description

If the reviews at https://review.openstack.org/#/q/project:openstack/keystone+branch:master+topic:bp/user-groups,n,z succeed, new functionality will be added to keystone in Grizzly.

Client patch here:
https://review.openstack.org/#/c/17693/

This adds user groups, as in:

With the v3 API, the Domain concept is designed to encapsulate users and projects representing some kind of logical entity (e.g. division in an enterprise, customer of a service provider etc.). For certain types of Domains with many users, it will become impractical to have to individually grant users roles on projects. What is required is for an admin (or Domain admin) to assign users to groups, and then grant those groups roles on projects.

https://blueprints.launchpad.net/keystone/+spec/user-groups
https://docs.google.com/document/d/1Ce6iVPl38_7fNHENNtfCXIrXVQIFqOZZgX0zNIzFLSo/edit

Tags: keystone
Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: none → grizzly
tags: added: keystone
Tom Fifield (fifieldt) wrote :

patch was merged

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
Joe T (joe-topjian-v) wrote :

I _think_ this is related:

http://www.gossamer-threads.com/lists/openstack/dev/24360

My interpretation:

If a project is specified when creating a user, that user will have an implicit role of _member_. If the user then has a role applied, they will have two roles in that project.

If a user is created without specifying a project and a role is then explicitly applied to the user and project, then the user will not have the _member_ role.

It's OK to remove the role of _member_ once another role has been applied to the user/project.

Notes:

In devstack, some services are still using the Member role for now:
https://github.com/openstack-dev/devstack/blob/master/lib/keystone#L191-L283

Other services, such as nova, still use the admin role as normal:
https://github.com/openstack-dev/devstack/blob/master/lib/nova#L379-L410
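
Added example, not part of the bug report, its comments, or keystone's own code: a small Python model of how direct grants and group grants combine into a user's effective roles on a project, covering the group feature in the bug description and the `_member_` interpretation in the comment above. The data structures, function names and sample users are assumptions made for illustration.

```python
from collections import defaultdict

MEMBER = "_member_"  # implicit role name as written in the comment above

# Constructed sample data (not taken from any real deployment).
MEMBERSHIPS = {"ops": {"alice", "bob"}}   # group -> users
USER_GRANTS = {                           # (user, project, role)
    ("alice", "demo", MEMBER),   # alice was created with a project
    ("alice", "demo", "admin"),  # ...and later given an explicit role
    ("carol", "demo", "admin"),  # carol was created without a project
}
GROUP_GRANTS = {("ops", "demo", "admin")}  # (group, project, role)


def effective_roles(user, project, memberships, user_grants, group_grants):
    """Return {role: [sources]} for one user on one project."""
    sources = defaultdict(set)
    for u, p, role in user_grants:
        if (u, p) == (user, project):
            sources[role].add("direct")
    for group, p, role in group_grants:
        if p == project and user in memberships.get(group, set()):
            sources[role].add("group:" + group)
    return {role: sorted(src) for role, src in sources.items()}


def audit(users, project, memberships, user_grants, group_grants):
    """Flag assignments an admin should review before revoking access."""
    findings = []
    for user in sorted(users):
        roles = effective_roles(user, project, memberships,
                                user_grants, group_grants)
        if MEMBER in roles and len(roles) > 1:
            findings.append((user, "implicit _member_ kept next to other roles"))
        for role in sorted(roles):
            if len(roles[role]) > 1:
                # Removing only the direct grant leaves the role in place.
                findings.append((user, role + " held via " + ", ".join(roles[role])))
    return findings


if __name__ == "__main__":
    for finding in audit({"alice", "bob", "carol"}, "demo",
                         MEMBERSHIPS, USER_GRANTS, GROUP_GRANTS):
        print(finding)
```

In this model, bob holds admin on the project only through the group, so a review that lists per-user grants alone would miss him.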

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46686

Changed in openstack-manuals:
assignee: nobody → Brant Knudson (blk-u)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/46686
Committed: http://github.com/openstack/openstack-manuals/commit/15d69563d7bf419ccc0535cd691b4520229f918b
Submitter: Jenkins
Branch: master

commit 15d69563d7bf419ccc0535cd691b4520229f918b
Author: Brant Knudson <email address hidden>
Date: Sun Sep 15 19:16:34 2013 -0500

    Add Groups to Identity

    This adds documentation for the Groups feature introduced in
    Grizzly (Identity API v3).

    Change-Id: If59a12b7c790cbe00b8c81c73e16bbe8e061f580
    Closes-bug: #1090655

Changed in openstack-manuals:
status: In Progress → Fix Released