Comment 0 for bug 1788694

Lance Bragstad (lbragstad) wrote :

In Rocky, keystone added support for two additional roles, one called 'reader' and the other called 'member'. These are in addition to the 'admin' role that has been supported for some time.

Since there is now more than one officially supported role, it was decided to imply relationships between them. The 'admin' role implies 'member' which implies 'reader'. This means users with a 'member' role assignment on a target get the 'reader' role implied. Users with the 'admin' role assignment on a target get the 'member' and 'reader' roles implied. This helps simplify assignment structure.

This information should be relayed in token response bodies and appears to be the case for project-scoped tokens [0]. System-scoped tokens, however, are lacking the expanded role assignments via implied roles in the response body [1].

To recreate:

 - authenticate for a project-scoped token as a user with at least the member role on a project
 - observe that the token response body contains both 'member' and 'reader'
 - authenticate for a system-scoped token as a user with 'member' or 'admin' role on the system
 - observe that the token response body only contains a single role instead of all implied roles
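The following is an added example, not code from the bug report or from keystone itself: it applies the implication rules described above (admin implies member, member implies reader) to the role names in a v3 token body and reports any implied role the body fails to list. The implication table and the two trimmed token bodies are constructed for illustration; the system-scoped one models the behaviour reported here.

```python
"""Check whether a keystone v3 token body carries every role the implication rules imply."""

# Implication rules as described in the bug report (assumed default Rocky setup;
# a deployment can define additional implied roles via the keystone API).
IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
}


def expand_roles(assigned, implied=IMPLIED_ROLES):
    """Return the transitive closure of role names under the implication rules."""
    expanded = set(assigned)
    stack = list(assigned)
    while stack:
        role = stack.pop()
        for child in implied.get(role, ()):
            if child not in expanded:
                expanded.add(child)
                stack.append(child)
    return expanded


def token_scope(token_body):
    """Classify a v3 token body by the scope key present in it."""
    token = token_body["token"]
    for scope in ("system", "domain", "project"):
        if scope in token:
            return scope
    return "unscoped"


def missing_implied_roles(token_body, implied=IMPLIED_ROLES):
    """Role names the body should carry via implication but does not list."""
    names = {r["name"] for r in token_body["token"].get("roles", [])}
    return sorted(expand_roles(names, implied) - names)


# Constructed sample bodies, trimmed to the fields that matter; not real keystone output.
PROJECT_TOKEN = {"token": {"project": {"id": "p1", "name": "demo"},
                           "roles": [{"id": "r1", "name": "member"},
                                     {"id": "r2", "name": "reader"}]}}
SYSTEM_TOKEN = {"token": {"system": {"all": True},
                          "roles": [{"id": "r1", "name": "member"}]}}

if __name__ == "__main__":
    for body in (PROJECT_TOKEN, SYSTEM_TOKEN):
        print(token_scope(body), "token is missing implied roles:",
              missing_implied_roles(body))
```

Running it against the constructed bodies reports nothing missing for the project-scoped token and 'reader' missing for the system-scoped one, which is the discrepancy the reproduction steps describe.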