
Doubts about User role in keystone

asked 2012-06-18 14:40:39 -0500

a-williams-karl


I have some doubts about user roles in Keystone. I think this doubt comes because I got used to tempauth and swauth roles and I couldn't map these roles to Keystone...

The doubt is this:

In tempauth and swauth there are 3 types of user roles: user, admin and reseller admin. The first has access to objects in a container limited to what the admin sets for him (container ACL permission). The admin has full control over the container in his account and the reseller admin has full control over the accounts, containers and objects in a cluster.

In Keystone, we can create the tenant and the role. So if I create the role, how do I set that one role is the "admin" role? How do I set that the role I create is a role under the admin role? ("user" role)


3 answers


answered 2012-06-27 12:20:52 -0500

a-williams-karl

Hi Joseph, thanks very much for clarifying this!


answered 2012-06-27 12:20:58 -0500

a-williams-karl

Thanks Joseph Heck, that solved my question.


answered 2012-06-24 19:31:37 -0500

heckj

Hi Karl -

In Keystone, the "role" is simply an identifier (i.e. a name) that can be applied between a tenant (aka project) and a user. How the service provides authZ based on this is up to the service - keystone simply passes to nova, swift, etc - the list of roles for the user as they're associated to a tenant.

In some implementations, the deployer chooses "admin" to mean a global admin across all services (think "cloud administrator"), and assigns those users with the 'admin' role. That's then passed down to Nova, Glance, Swift, etc. and those services choose what to do (or not to do) with the role.

For using swift_auth with keystone, the middleware allows you to define what role names you wish to use for providing information to swift about being a "swift_operator" or "reseller_admin". Those default to 'admin' and 'swift operator' for the first, and 'ResellerAdmin' for the latter. You can see some detail of how to configure this in the source for swift_auth at (

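A simplified model of the mapping described in the answer above, added here as an example; it is not swift_auth's or Keystone's code. The function names, the tier labels, the `storage-owner` and `Member` roles and the `tenant:user` ACL format are assumptions made for illustration.

```python
"""Illustrative model: how a service could turn Keystone roles into tempauth-style tiers."""


def parse_roles(value):
    """Split a comma-separated config value into a set of role names."""
    return {r.strip() for r in value.split(",") if r.strip()}


def privilege(token, account, container_acl, operator_roles, reseller_admin_role):
    """Return the tier a Keystone token gets on the storage account `account`.

    token: dict with 'tenant_id', 'user' and 'roles' (roles held on that tenant).
    account: id of the tenant that owns the account being accessed.
    container_acl: set of "tenant:user" entries granted by the account owner.
    """
    roles = set(token["roles"])
    # Reseller admin: full control over every account in the cluster.
    if reseller_admin_role in roles:
        return "reseller_admin"
    # An operator role only counts on the tenant the token is scoped to,
    # so 'admin' on one tenant gives nothing on another tenant's account.
    if roles & operator_roles and token["tenant_id"] == account:
        return "admin"
    # Everyone else is limited to what the owner put in the container ACL.
    if f"{token['tenant_id']}:{token['user']}" in container_acl:
        return "user"
    return "denied"


# Constructed sample configuration and tokens (role names are deployer-chosen).
OPERATOR_ROLES = parse_roles("admin, storage-owner")
RESELLER_ROLE = "ResellerAdmin"
ACL_ON_T1 = {"t2:bob"}

ALICE = {"tenant_id": "t1", "user": "alice", "roles": ["admin"]}
BOB = {"tenant_id": "t2", "user": "bob", "roles": ["Member"]}
CAROL = {"tenant_id": "t3", "user": "carol", "roles": ["ResellerAdmin"]}

if __name__ == "__main__":
    for tok in (ALICE, BOB, CAROL):
        tier = privilege(tok, "t1", ACL_ON_T1, OPERATOR_ROLES, RESELLER_ROLE)
        print(tok["user"], "on account t1 ->", tier)
```
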



Asked: 2012-06-18 14:40:39 -0500

Seen: 117 times

Last updated: Jun 27 '12