OpenStack Identity (keystone)

  1. Bug #1933271
  2. Comment #0

Comment 0 for bug 1933271

Revision history for this message
Erno Kuvaja (jokke) wrote :

stack@ubnt-devstack:~/devstack$ env | grep OS_
OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=default
OS_CACERT=
OS_AUTH_URL=http://172.24.1.39/identity
OS_TENANT_NAME=privilege-test
OS_USER_DOMAIN_ID=default
OS_USERNAME=privtest
OS_VOLUME_API_VERSION=3
OS_AUTH_TYPE=password
OS_PROJECT_NAME=privilege-test
OS_PASSWORD=<snip>
OS_IDENTITY_API_VERSION=3
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field | Value |
 +---------------------+----------------------------------+
| domain_id | default |
| email | <email address hidden> |
| enabled | False |
| id | 960e1d31f46a46a5bc0512ff9e5416b3 |
| name | demo |
| options | {} |
| password_expires_at | None |
 +---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack user set --enable demo
stack@ubnt-devstack:~/devstack$ openstack user show demo
+---------------------+----------------------------------+
| Field | Value |
 +---------------------+----------------------------------+
| domain_id | default |
| email | <email address hidden> |
| enabled | True |
| id | 960e1d31f46a46a5bc0512ff9e5416b3 |
| name | demo |
| options | {} |
| password_expires_at | None |
 +---------------------+----------------------------------+
stack@ubnt-devstack:~/devstack$ openstack role assignment list --names
+-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
 +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| member | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | glance@Default | | service@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| admin | privtest@Default | | privilege-test@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| admin | admin@Default | | alt_demo@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| admin | admin@Default | | | | all | False |
 +-------------+-------------------+-------------------+----------------------------+---------+--------+-----------+

NOTE that the privtest user used here has no other affiliations nor roles than admin in privilege-test@Default.

Not sure how far this goes in Keystone but based on the scope I've been poking at, I'd assume it's global.