project membership to role conversion

Changes the relationship between users and projects. There is no more direct membership in projects. Instead, all membership is now done via roles. A default role has been created called _member_ with a uuid (both configurable) that will be added in place of the group membership for databse upgrades. DocImpact: https://bugs.launchpad.net/openstack-manuals/+bug/1087483 Change-Id: I2482f9ef7b838e5dade5096d6d00e81db71604d1
author: Adam Young <ayoung@redhat.com> 2013-02-01 11:18:16 -0500
committer: Adam Young <ayoung@redhat.com> 2013-02-18 15:11:43 -0500
commit: b20302aa3e08421295140576d0aeea2fa9e34188 (patch)
tree: 50459bb43b70c4ae82cf3fc6d5228c9ba1dc4dbf /etc
parent: b1bfca2501ad11a861c9064b97b7fa06fc6d958e (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 8eddfe1a..3143f3fe 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -27,6 +27,14 @@
 # FIXME(dolph): This should really be defined as [policy] default_rule
 # policy_default_rule = admin_required
 
+# Role for migrating membership relationships
+# During a SQL upgrade, the following values will be used to create a new role
+# that will replace records in the user_tenant_membership table with explicit
+# role grants.  After migration, the member_role_id will be used in the API
+# add_user_to_project, and member_role_name will be ignored.
+# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
+# member_role_name = _member_
+
 # === Logging Options ===
 # Print debugging output
 # (includes plaintext request logging, potentially including passwords)
author	Adam Young <ayoung@redhat.com>	2013-02-01 11:18:16 -0500
committer	Adam Young <ayoung@redhat.com>	2013-02-18 15:11:43 -0500
commit	b20302aa3e08421295140576d0aeea2fa9e34188 (patch)
tree	50459bb43b70c4ae82cf3fc6d5228c9ba1dc4dbf /etc
parent	b1bfca2501ad11a861c9064b97b7fa06fc6d958e (diff)