Revision history: revision 1 (initial version)

Hi Karl -

In Keystone, the "role" is simply an identifier (i.e. a name) that can be applied between a tenant (aka project) and a user. How the service provides authZ based on this is up to the service: keystone simply passes to nova, swift, etc. the list of roles for the user as they're associated with a tenant.

In some implementations, the deployer chooses "admin" to mean a global admin across all services (think "cloud administrator"), and assigns those users the 'admin' role. That's then passed down to Nova, Glance, Swift, etc. and those services choose what to do (or not to do) with the role.

For using swift_auth with keystone, the middleware allows you to define what role names you wish to use for providing information to swift about being a "swift_operator" or "reseller_admin". Those default to 'admin' and 'swift operator' for the former, and 'ResellerAdmin' for the latter. You can see some detail of how to configure this in the source for swift_auth at https://github.com/openstack/keystone/blob/master/keystone/middleware/swift_auth.py#L59-L65
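To make the role-to-authorization mapping described in this answer concrete, here is an added example in Python. It is not the swift_auth middleware's code and not part of the answer above; it is a simplified re-implementation of the decision the answer describes: Keystone hands the service a list of role names scoped to a tenant, and the service decides what those names mean. The config keys (operator_roles, reseller_admin_role, reseller_prefix) and the exact-match comparison of role names are assumptions made for this illustration; the real middleware may use different option names or normalise case, so check the linked source before relying on either.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Defaults mirror the answer: operator roles 'admin' and 'swiftoperator',
# reseller admin role 'ResellerAdmin'. The option names are assumed for this
# example; they are not taken from the middleware's source.
DEFAULT_CONFIG = {
    "operator_roles": "admin, swiftoperator",
    "reseller_admin_role": "ResellerAdmin",
    "reseller_prefix": "AUTH_",
}


@dataclass
class KeystoneIdentity:
    """What Keystone passes to the service: a user plus the roles it holds on one tenant."""
    user: str
    tenant_id: str
    roles: List[str] = field(default_factory=list)


def parse_role_list(value: str) -> set:
    """Split a comma-separated config value into a set of role names."""
    return {r.strip() for r in value.split(",") if r.strip()}


def account_for_tenant(config: dict, tenant_id: str) -> str:
    """A tenant maps to exactly one Swift account: <reseller_prefix><tenant_id>."""
    return config["reseller_prefix"] + tenant_id


def authorize(config: dict, identity: KeystoneIdentity, account: str) -> Tuple[bool, str]:
    """Decide whether `identity` may act on Swift `account`; returns (allowed, reason).

    Policy, as the answer describes it:
    - the reseller admin role grants access to every account under the prefix
    - an operator role grants access only to the account of the tenant the
      roles were issued for (a role is tenant-scoped, not global)
    - anything else is denied here; container ACLs are out of scope
    Role names are compared exactly (an assumption of this example).
    """
    roles = set(identity.roles)

    if config["reseller_admin_role"] in roles:
        if account.startswith(config["reseller_prefix"]):
            return True, "reseller_admin"
        return False, "reseller admin, but account is outside the reseller prefix"

    if roles & parse_role_list(config["operator_roles"]):
        if account == account_for_tenant(config, identity.tenant_id):
            return True, "swift_operator"
        return False, "operator role is scoped to tenant %s, not this account" % identity.tenant_id

    return False, "no operator or reseller admin role"


if __name__ == "__main__":
    # Constructed sample identities, not real Keystone output.
    alice = KeystoneIdentity("alice", "t1", ["swiftoperator"])
    bob = KeystoneIdentity("bob", "t9", ["ResellerAdmin"])
    for who, acct in ((alice, "AUTH_t1"), (alice, "AUTH_t2"), (bob, "AUTH_t2")):
        print(who.user, acct, authorize(DEFAULT_CONFIG, who, acct))
```

The point the example makes is the one the answer makes in prose: renaming the operator role in the config (say to 'ops_team') immediately changes who Swift treats as an operator, while Keystone itself is unchanged and still just emits role names.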