stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<snip>
OS_IDENTITY_API_VERSION=3
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | <email address hidden>           |
| enabled             | False                            |
| id                  | 960e1d31f46a46a5bc0512ff9e5416b3 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack user set --enable demo
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | <email address hidden>           |
| enabled             | True                             |
| id                  | 960e1d31f46a46a5bc0512ff9e5416b3 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role        | User              | Group             | Project                    | Domain  | System | Inherited |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin       |                   | admins@Default    | admin@Default              |         |        | False     |
| anotherrole | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
| member      | alt_demo@Default  |                   | alt_demo@Default           |         |        | False     |
| anotherrole |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
| member      |                   | nonadmins@Default | alt_demo@Default           |         |        | False     |
| anotherrole |                   | nonadmins@Default | demo@Default               |         |        | False     |
| member      |                   | nonadmins@Default | demo@Default               |         |        | False     |
| admin       | nova@Default      |                   | service@Default            |         |        | False     |
| service     | nova@Default      |                   | service@Default            |         |        | False     |
| admin       | placement@Default |                   | service@Default            |         |        | False     |
| service     | placement@Default |                   | service@Default            |         |        | False     |
| service     | glance@Default    |                   | service@Default            |         |        | False     |
| member      | demo@Default      |                   | invisible_to_admin@Default |         |        | False     |
| anotherrole | demo@Default      |                   | demo@Default               |         |        | False     |
| member      | demo@Default      |                   | demo@Default               |         |        | False     |
| service     | cinder@Default    |                   | service@Default            |         |        | False     |
| admin       | privtest@Default  |                   | privilege-test@Default     |         |        | False     |
| service     | neutron@Default   |                   | service@Default            |         |        | False     |
| admin       | admin@Default     |                   | admin@Default              |         |        | False     |
| admin       | admin@Default     |                   | alt_demo@Default           |         |        | False     |
| admin       | admin@Default     |                   | demo@Default               |         |        | False     |
| admin       | admin@Default     |                   |                            | Default |        | False     |
| admin       | admin@Default     |                   |                            |         | all    | False     |
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
NOTE that the privtest user used here has no other affiliations nor roles than admin in privilege-test@Default.
Not sure how far this goes in Keystone but based on the scope I've been poking at, I'd assume it's global.
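Added example, not part of the original comment: a Python audit over the `openstack role assignment list --names` table that lists principals holding `admin` only through a project-scoped assignment, as privtest does in the session above. The sample rows are a constructed subset of that table, and the `expected` allow-list parameter is an assumption of this example.

```python
# Added example. SAMPLE is a constructed subset of the table in the session above.
SAMPLE = """\
+--------+------------------+----------------+------------------------+---------+--------+-----------+
| Role   | User             | Group          | Project                | Domain  | System | Inherited |
+--------+------------------+----------------+------------------------+---------+--------+-----------+
| admin  |                  | admins@Default | admin@Default          |         |        | False     |
| member | demo@Default     |                | demo@Default           |         |        | False     |
| admin  | nova@Default     |                | service@Default        |         |        | False     |
| admin  | privtest@Default |                | privilege-test@Default |         |        | False     |
| admin  | admin@Default    |                | demo@Default           |         |        | False     |
| admin  | admin@Default    |                |                        | Default |        | False     |
| admin  | admin@Default    |                |                        |         | all    | False     |
+--------+------------------+----------------+------------------------+---------+--------+-----------+
"""


def parse_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border lines, shell prompts, blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def project_only_admins(rows, role="admin", expected=()):
    """Principals holding `role` only at project scope; `expected` is an assumed allow-list."""
    by_project, wider = {}, set()
    for r in rows:
        if r["Role"] != role:
            continue
        who = r["User"] or "group:" + r["Group"]
        if r["Domain"] or r["System"]:
            wider.add(who)  # also holds the role at domain or system scope
        elif r["Project"]:
            by_project.setdefault(who, []).append(r["Project"])
    return {w: sorted(p) for w, p in by_project.items()
            if w not in wider and w not in expected}


if __name__ == "__main__":
    for who, projects in project_only_admins(parse_table(SAMPLE)).items():
        print(f"{who}: admin on {', '.join(projects)} only")
```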