[Fiware-cloud] [FIWARE.Cloud] Question about keystone.

Edmonds, AndrewX andrewx.edmonds at intel.com
Wed Apr 18 12:15:17 CEST 2012


Briefly, those roles are managed by keystone command line utilities [1]. These roles are also related to policies [2] set in policy.json (e.g. [3]) and the policy API [4]. Understanding the policy system will allow you to understand what operations you can carry out with what credentials.

Token ID is associated with a User (ID) for a period of time. Role ID uniquely identifies a Keystone managed role. Tenant ID uniquely identifies a tenant, which was once known as a project (think of it like a multi-user account).

For more info there are copious amounts of documentation available at docs.openstack.org.

HTH,
Andy

[1] http://keystone.openstack.org/configuration.html#roles
[2] http://keystone.openstack.org/architecture.html#simple-match
[3] https://github.com/openstack/nova/blob/master/etc/nova/policy.json
[4] https://github.com/openstack/nova/blob/master/nova/common/policy.py


From: FERNANDO LOPEZ AGUILAR [mailto:fla at tid.es]
Sent: Tuesday, April 17, 2012 12:40 PM
To: Edmonds, AndrewX
Cc: fiware-cloud at lists.fi-ware.eu
Subject: [FIWARE.Cloud] Question about keystone.

Hi Andy,

Working with Keystone, I have several questions about it that I hope you can resolve for me.

1) When you request a token validation from Keystone, it gives you a list of roles associated with a (this?) user like the following:


{
    "access":{
        "token":{
            "expires":"2010-11-01T03:32:15-05:00",
            "id":"ab48a9efdfedb23ty3494"
        },
        "user":{
            "id":"123",
            "name":"jqsmith",
            "roles":[{
                    "id":"234",
                    "name":"compute:admin"
                },
                {
                    "id":"234",
                    "name":"object-store:admin",
                    "tenantId":"1"
                }
            ],
            "roles_links":[]
        }
    }
}

- What is the role of each "role"?
- Who is responsible for creating/deleting/... them? I cannot find how to manage them in the API.
- How can I know which type of operations we could use for a specific role?
- I can assume that the token id is directly associated with the user id and user name, but what is the difference between role id and tenantId?

2) I assume that the portal receives the user & password and authenticates through Keystone. Keystone responds with the token of the user, the different roles and service available for this user. Those roles have to be the same as the ones the validate token call responds with. How can I check afterward that the service (with the appropriate token) that I receive is valid or not?

BR,

Fernando López Aguilar
Cloud Computing
fla at tid dot es
+34 914 832 729
Telefónica I+D (R&D)
Ronda de la Comunicación s/n
Distrito C, Edificio Oeste 1, Planta 5
28050 Madrid, Spain
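
The relationship between the validate-token response and policy.json discussed in this thread, as an added example that is not part of either message and is not OpenStack code. It is a simplified evaluator in the list-of-lists rule style of the linked policy.json; the rule names in POLICY, the reading of a role without tenantId as global, and the refusal of actions that have no rule are assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the validate-token body quoted in the thread.
VALIDATE_RESPONSE = json.loads("""
{"access": {"token": {"expires": "2010-11-01T03:32:15-05:00",
                      "id": "ab48a9efdfedb23ty3494"},
            "user": {"id": "123", "name": "jqsmith",
                     "roles": [{"id": "234", "name": "compute:admin"},
                               {"id": "234", "name": "object-store:admin",
                                "tenantId": "1"}],
                     "roles_links": []}}}
""")

# Hypothetical policy.json content: outer list = OR, inner list = AND.
POLICY = {
    "is_compute_admin": [["role:compute:admin"]],
    "container:delete": [["role:object-store:admin",
                          "tenant_id:%(tenant_id)s"]],
    "server:reboot": [["rule:is_compute_admin"]],
}

def credentials(body, tenant_id, now=None):
    """Build the credential dict for one tenant; reject expired tokens."""
    now = now or datetime.now(timezone.utc)
    access = body["access"]
    if datetime.fromisoformat(access["token"]["expires"]) <= now:
        raise PermissionError("token expired")
    # Assumption: a role without tenantId is global, otherwise tenant-scoped.
    roles = {r["name"].lower() for r in access["user"]["roles"]
             if r.get("tenantId") in (None, tenant_id)}
    return {"user_id": access["user"]["id"], "tenant_id": tenant_id,
            "roles": roles}

def match(term, target, creds):
    kind, value = term.split(":", 1)   # "role:compute:admin" -> role, compute:admin
    if kind == "rule":
        return enforce(value, target, creds)
    if kind == "role":
        return value.lower() in creds["roles"]
    # Generic match: the credential field must equal the target's value.
    return kind in creds and creds[kind] == value % target

def enforce(action, target, creds, policy=POLICY):
    """An action with no rule is refused; an empty rule always allows."""
    if action not in policy:
        return False
    return not policy[action] or any(
        all(match(t, target, creds) for t in ands) for ands in policy[action])
```

The role id names the role itself, while tenantId limits where that role assignment applies: the same user passes "container:delete" in tenant "1" and fails it in any other tenant.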
