OpenStack - Keystone returning is_admin = 0 in every case
I did a search and found:
keystone returning token metadata is_admin = 0
which doesn't answer my question, and it's a year old, so I thought I'd open a new one.
I am running a VM instance of Ubuntu 14.04 running the latest build of DevStack (as in less than a few weeks old) and am seeing unusual behavior from Keystone, I think.
I understand the admin role is supposed to be tenant specific, but my observations contradict that.
1) Keystone never returns is_admin=1. Authenticating with the admin tenant, as the admin user, which has the admin role on the admin tenant, still returns "is_admin 0". Is there a guarantee that the admin role is named "admin"? If so, can I utilize a .user.roles.name = admin check?
2) If that's true, I still need to provide a tenant when authenticating in order for the array to be populated in the response. Why does that matter? Being able to authenticate without a tenant, get a list of tenants and roles, and re-authenticate to a particular tenant would be useful. Why? Because I don't want to have to know the list of tenants and roles ahead of time. I want to write an automated process that allows a login and, upon authenticating, displays the list of tenants and additional functionality if, and only if, the user is an admin.
3) Frustratingly, and as a continuation of #2: if the admin role is tenant specific, logging in using tenant A shouldn't allow me to do admin things on tenant B when I'm not a member of tenant B, and yet it does. That leads me to believe the admin role is global, period. It would make more sense to me, I think, to have tenant-specific admins, admins that have access to a set of tenants, and global admins, but either that is not the case and they're lying, or I am baffled by OpenStack identity.
Since my net searches have come up with nada, or with results that seem to assume the reader knows the context and don't answer the question I'm trying to address, can anyone explain to me:
a) The official purpose/limitations of the admin role?
b) Why on earth doesn't the first point work?
c) Why does the admin role seem to be global?
d) Is there documentation on this that doesn't assume I know the intimate details of Keystone? E.g., the admin role is blah blah blah. You configure access here in blah blah blah. It operates this way: blah blah blah. Not referencing or assuming prior exposure to OpenStack, and all in one place?
e) Am I asking too much? :)
Thanks.
openstack devstack keystone
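Added example, not part of the original post and not Keystone's own code: the `.user.roles.name` check proposed in point 1, with the unscoped case from point 2 (no tenant supplied, so the roles array comes back empty) kept distinct from "not an admin". The response bodies are constructed in the Keystone v2.0 token layout, the token and role IDs are placeholders, and the role name "admin" is an assumption passed in as a parameter.

```python
import json

# Constructed sample responses in the Keystone v2.0 token layout (assumed
# shape, not captured from a real deployment). IDs are placeholders.
UNSCOPED = json.dumps({"access": {
    "token": {"id": "TOKEN_PLACEHOLDER_1"},
    "user": {"name": "admin", "roles": []},
    "metadata": {"is_admin": 0, "roles": []}}})
SCOPED = json.dumps({"access": {
    "token": {"id": "TOKEN_PLACEHOLDER_2", "tenant": {"name": "admin"}},
    "user": {"name": "admin",
             "roles": [{"name": "admin"}, {"name": "Member"}]},
    "metadata": {"is_admin": 0, "roles": ["ROLE_ID_PLACEHOLDER"]}}})


def summarize_token(body, admin_role="admin"):
    """Return (tenant, role_names, has_admin_role) for one token response.

    has_admin_role is None for an unscoped token: with no tenant there is
    no role list to judge from, which is not the same as "not an admin".
    The metadata.is_admin field is deliberately not consulted, since the
    post reports it as 0 in every case.
    """
    access = json.loads(body).get("access", {})
    tenant = access.get("token", {}).get("tenant", {}).get("name")
    roles = sorted(r["name"]
                   for r in access.get("user", {}).get("roles", [])
                   if "name" in r)
    if tenant is None:
        return None, roles, None
    # Exact, case-sensitive match on the role name (assumed to be "admin").
    return tenant, roles, admin_role in roles


if __name__ == "__main__":
    for label, body in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, summarize_token(body))
```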