Replace Tenant-User Membership with default role

Registered by Adam Young

The Roles table will get a role with the name 'member'. This role will be immutable.

Role assignment will be done in a table called user-project-roles. It will have 3 columns: user_id, project_id, role_id.
All entries in user-tenant-assignments will be copied into user-project-role. They will be given the role_id for the 'member' role.

group_project_metadata will be normalized into the user-project-role table.

get_tenants_for_user in the V2 Controller will run the query: select distinct (project_id) from user-project-role where user_id = {user_id}
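The migration and lookup described above, sketched against an in-memory SQLite database. This is an added example, not Keystone's own migration code: the underscore table names, the tenant_id column, the revoke_role helper, the role id strings and the sample rows are all constructed for illustration.

```python
import sqlite3

def build_legacy_db():
    """Pre-migration schema with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT UNIQUE NOT NULL);
        CREATE TABLE user_tenant_assignments (user_id TEXT, tenant_id TEXT);
        CREATE TABLE user_project_role (
            user_id TEXT NOT NULL, project_id TEXT NOT NULL, role_id TEXT NOT NULL,
            PRIMARY KEY (user_id, project_id, role_id));
        INSERT INTO role VALUES ('admin-role-id', 'admin');
        INSERT INTO user_tenant_assignments VALUES
            ('alice', 'proj-a'), ('alice', 'proj-b'), ('bob', 'proj-a');
        -- alice also holds an explicit role on proj-a before the migration
        INSERT INTO user_project_role VALUES ('alice', 'proj-a', 'admin-role-id');
    """)
    return db

def migrate_membership(db, member_role_id="member-role-id"):  # constructed id
    """Copy each legacy membership row into a 'member' role grant. Re-runnable."""
    with db:  # single transaction: all rows move or none do
        db.execute("INSERT OR IGNORE INTO role (id, name) VALUES (?, 'member')",
                   (member_role_id,))
        (role_id,) = db.execute("SELECT id FROM role WHERE name = 'member'").fetchone()
        db.execute(
            "INSERT OR IGNORE INTO user_project_role (user_id, project_id, role_id) "
            "SELECT user_id, tenant_id, ? FROM user_tenant_assignments", (role_id,))
    return role_id

def get_tenants_for_user(db, user_id):
    """Membership is now derived: any role on a project counts."""
    rows = db.execute(
        "SELECT DISTINCT project_id FROM user_project_role "
        "WHERE user_id = ? ORDER BY project_id", (user_id,))
    return [row[0] for row in rows]

def revoke_role(db, user_id, project_id, role_id):
    """Remove one grant; other roles on the same project are untouched."""
    with db:
        db.execute("DELETE FROM user_project_role "
                   "WHERE user_id = ? AND project_id = ? AND role_id = ?",
                   (user_id, project_id, role_id))

if __name__ == "__main__":
    db = build_legacy_db()
    member = migrate_membership(db)
    revoke_role(db, "alice", "proj-a", member)
    print(get_tenants_for_user(db, "alice"))  # alice keeps proj-a through 'admin'
```

Because membership is derived from any role row, revoking 'member' alone does not remove a user who holds another role on the same project; access reviews after this change have to enumerate every role grant per user and project.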

Comparable changes need to be made on the LDAP side. Tenants currently have users in the member attribute. They will no longer do that. Again, all LDAP installs will have a Member Role by default, and the value of the members attribute will be moved to the RoleOccupant attribute for the default schema.

Blueprint information

Status: Complete
Approver: None
Priority: High
Drafter: Adam Young
Direction: Needs approval
Assignee: Adam Young
Definition: Approved
Series goal: Accepted for grizzly
Implementation: Implemented
Milestone target: 2013.1
Started by: Thierry Carrez
Completed by: Thierry Carrez

Whiteboard

The 'member' role needs a well-known role_id as well, e.g. 'default', so that we can explicitly grant/revoke it when a user's default tenant changes on the v2 API.

This has to be resolved prior to the V3 API being accepted. Approving and upping priority to High.

Gerrit topic: https://review.openstack.org/#q,topic:bp/replace-tenant-user-membership,n,z

Addressed by: https://review.openstack.org/19723
    roles mean membership

Gerrit topic: https://review.openstack.org/#q,topic:trusts,n,z

Addressed by: https://review.openstack.org/20278
    roles mean membership
