I think this use case underscores one of the key differences between the fat 
Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and 
tenants are loosely coupled; they are bound together by role assignments. In 
KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the 
following example would further clarify this …

Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles 
Commissioner and Minority Owner, and service MLB. And you want Bud Selid to 
have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner 
role for Brewers only.

In fat Keystone, there are a couple of ways you can accomplish this.

1) Make Commissioner a “global role” (unscoped) and assign it to user Bud 
Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by 
creating a role reference. When Bud Selid tries to access MLB with his unscoped 
token, MLB will get his Commissioner role back from Keystone. When Bud Selid 
tries to access MLB with his token scoped to Brewers, MLB will get both his 
Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries 
to access MLB with his token scoped to Giants or Dodgers, MLB will only get his 
Commissioner role back from Keystone.

2) Assign the Commissioner role to Bud Selid for tenants Giants, Dodgers, 
and Brewers individually by creating the respective role references. Assign the 
Minority Owner role to Bud Selid for tenant Brewers by creating another role 
reference. In this scenario, Bud Selid will always need a scoped token to 
access MLB.

In KSL, there really aren’t any effective ways to accomplish the same thing. 
Global roles are no longer supported. A given user must be assigned to exactly 
one tenant. I suppose you can have Bud Selid under the “Default Tenant”, and 
assign both Commissioner and Minority Owner roles to him. But there are two 
major side effects.

1) Bud Selid must access MLB with the token scoped to the “Default Tenant” 
in order for MLB to recognize him as Commissioner, which means he IS ALSO the 
Minority Owner for Dodgers, Giants, and Brewers. :)

2) If Bud Selid tries to access MLB with the token scoped to either 
Giants, Dodgers, or Brewers, he's a NOBODY. :)

The upcoming Domains blueprint (to be implemented for Folsom), which offers 
true multitenancy, should support these types of use cases.

https://blueprints.launchpad.net/keystone/+spec/keystone-domains

With Domains, you can create an MLB domain with tenants Dodgers, Giants, and 
Brewers, and have Bud Selid under the MLB domain. Notice that users will no 
longer be assigned to tenants; they will be under a domain. Create roles 
Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role 
to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have 
another domain, NFL: Bud Selid will not be able to access any tenants in the NFL 
domain unless the NFL domain administrator explicitly assigns NFL roles to Bud 
Selid.
Guang
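
As an added illustration (not code from this thread, from Keystone, or from python-keystoneclient), here is a small Python model of the role references described above: global (unscoped) roles, tenant-scoped role references, and the roles a service such as MLB gets back for a token of a given scope, for the two fat-Keystone approaches and the KSL “Default Tenant” workaround. The user id "bud", the helper names and the data structures are assumptions; the tenants and roles are the ones from the message.

```python
from collections import namedtuple

# Constructed model, not Keystone's own code: a role reference binds a user
# and a role to a tenant; tenant=None marks a "global" (unscoped) role.
RoleRef = namedtuple("RoleRef", "user role tenant")


def effective_roles(refs, user, scope=None):
    """Roles Keystone would return for a token; scope=None is an unscoped token."""
    roles = set()
    for ref in refs:
        if ref.user != user:
            continue
        if ref.tenant is None:
            roles.add(ref.role)  # global role rides along in every token
        elif scope is not None and ref.tenant == scope:
            roles.add(ref.role)  # scoped role only when the token scope matches
    return roles


def service_allows(refs, user, scope, required_role):
    """Service-side check (MLB) on the roles delivered with the token."""
    return required_role in effective_roles(refs, user, scope)


# Fat Keystone, approach 1: Commissioner global, Minority Owner scoped to Brewers.
APPROACH_1 = [
    RoleRef("bud", "Commissioner", None),
    RoleRef("bud", "Minority Owner", "Brewers"),
]

# Fat Keystone, approach 2: Commissioner granted per tenant; an unscoped token
# then carries no roles, so Bud always needs a scoped token.
APPROACH_2 = [
    RoleRef("bud", "Commissioner", "Dodgers"),
    RoleRef("bud", "Commissioner", "Giants"),
    RoleRef("bud", "Commissioner", "Brewers"),
    RoleRef("bud", "Minority Owner", "Brewers"),
]

# KSL workaround: Bud lives under "Default Tenant" with both roles attached there,
# so a Giants-scoped token carries nothing and a Default-Tenant token carries both.
KSL_DEFAULT_TENANT = [
    RoleRef("bud", "Commissioner", "Default Tenant"),
    RoleRef("bud", "Minority Owner", "Default Tenant"),
]

if __name__ == "__main__":
    for label, refs in (("fat #1", APPROACH_1), ("fat #2", APPROACH_2),
                        ("KSL", KSL_DEFAULT_TENANT)):
        for scope in (None, "Brewers", "Giants", "Default Tenant"):
            print(label, scope, sorted(effective_roles(refs, "bud", scope)))
```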
From: openstack-bounces+guang.yee=hp....@lists.launchpad.net 
[mailto:openstack-bounces+guang.yee=hp....@lists.launchpad.net] On Behalf Of 
Dolph Mathews
Sent: Wednesday, May 09, 2012 4:34 PM
To: Joshua Harlow
Cc: openstack
Subject: Re: [Openstack] Keystone client, user belongs to many tenants?
The user create command is actually creating discrete users, each with a 
"default tenant" reference.
While that's fine for a lot of simple use cases, it doesn't directly support a 
user accessing multiple tenants at all.
Instead, create a role, and grant that role to a user-tenant pair, creating an 
explicit relationship between the two. Using default tenants is optional with 
this method, but will affect how users must auth.


-Dolph Mathews


On May 9, 2012, at 3:46 PM, Joshua Harlow <harlo...@yahoo-inc.com> wrote:

A question,

I am using anvil to set up the keystone roles/users/tenants.

It seems like the python keystone client has the following command:

client.users.create

Which seems to take in the following:

create(self, name, password, email, tenant_id=None, enabled=True):

I would assume a user name can be used in multiple tenants, but when I try 
to create a user that spans tenants it seems like it borks.

ClientException: Conflict occurred attempting to store user. (IntegrityError) 
(1062, "Duplicate entry 'admin' for key 'name'") 'INSERT INTO user (id, name, 
extra) VALUES (%s, %s, %s)' ('3e14a9c1fd404c7e81c0dba8bd640575', 'admin', 
'{"password": 
"$6$rounds=40000$yX5fL51OyGKjuPjr$8yv.S3GpqsKeaHv4GjNY4YW2vvykWzrEV7RX.qJpyy3CjmyXrZMRRJifEzfa7xv1l.NzoggQBXUAESn3Oqm0x/",
 "enabled": true, "email": "ad...@example.com", "tenantId": 
"d1506184877a449a91fc6adcb553ad97"}') (HTTP 409)

Is this supposed to happen? Is the client supposed to send back this much info 
also (hashed password??) :-P

Any ideas? 

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
