Henry Nash 713d92df4e Add assignment list to v2 identity and deprecate alternate listing
The current identity role list command (both v2 and v3) is
overloaded with listing roles as well as assignments (if you
provide user, group, project or domain options). This is in
addition to the v3 assignment list command designed for this
purpose.

This overloading complicates the fact that roles can now be
domain specific (i.e. have a domain attribute), so the
command 'role list --domain <domain-name>' will soon become
ambiguous (this is in a follow on patch).

This patch:

- Adds a v2 assignments list, with support for pulling the
user and project from the auth credentials
- For compatibility, adds the same auth support to the
existing v3 assignments list
- Deprecates the use of role list and user role list to list
assignments

Change-Id: I65bafdef4f8c89e863dab101369d0d629fa818b8
Partial-Bug: 1605774
2016-07-22 21:46:29 +00:00


role

Identity v2, v3

role add

Add role assignment to a user or group in a project or domain


os role add
    --domain <domain> | --project <project> [--project-domain <project-domain>]
    --user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
    --inherited
    <role>

--domain <domain>

Include <domain> (name or ID)

New in version 3.

--project <project>

Include <project> (name or ID)

--user <user>

Include <user> (name or ID)

--group <group>

Include <group> (name or ID)

New in version 3.

--user-domain <user-domain>

Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.

New in version 3.

--group-domain <group-domain>

Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.

New in version 3.

--project-domain <project-domain>

Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.

New in version 3.

--inherited

Specifies if the role grant is inheritable to the sub projects.

New in version 3.

<role>

Role to add to <project>:<user> (name or ID)

role create

Create new role


os role create
    [--or-show]
    <name>

--or-show

Return existing role

If the role already exists return the existing role data and do not fail.

<name>

New role name

role delete

Delete role(s)


os role delete
    <role> [<role> ...]

<role>

Role to delete (name or ID)

role list

List roles


os role list
    --domain <domain> | --project <project> [--project-domain <project-domain>]
    --user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
    --inherited

--domain <domain>

Filter roles by <domain> (name or ID)

(Deprecated, please use role assignment list instead)

--project <project>

Filter roles by <project> (name or ID)

(Deprecated, please use role assignment list instead)

--user <user>

Filter roles by <user> (name or ID)

(Deprecated, please use role assignment list instead)

--group <group>

Filter roles by <group> (name or ID)

(Deprecated, please use role assignment list instead)

--user-domain <user-domain>

Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.

(Deprecated, please use role assignment list instead)

New in version 3.

--group-domain <group-domain>

Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.

(Deprecated, please use role assignment list instead)

New in version 3.

--project-domain <project-domain>

Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.

(Deprecated, please use role assignment list instead)

New in version 3.

--inherited

Specifies if the role grant is inheritable to the sub projects.

(Deprecated, please use role assignment list instead)

New in version 3.
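
One way to find scripts that still call `role list` with the deprecated assignment filters, so they can be moved to `role assignment list` before the options change meaning. This is an added example, not the project's own code; the function names and the sample script are constructed, and it assumes the client is invoked as `os` or `openstack`.

```shell
#!/bin/sh
# Added example, not the project's own code.
# sample_script prints a constructed script used as demo input.
sample_script() {
    cat <<'EOF'
#!/bin/sh
os role list
os role list --user alice --project demo
openstack role list \
    --group ops \
    --domain default
os role assignment list --user alice --project demo
# os role list --user bob
os role list --format json
EOF
}

# find_deprecated_role_list FILE
# Prints "LINE: command" for every "role list" call that uses one of the
# assignment filters marked deprecated on this page. LINE is the first
# physical line of the command; backslash continuations are joined.
# "user role list" with these filters is matched too (the commit message
# deprecates it for the same purpose).
find_deprecated_role_list() {
    awk '
    function check(cmd, n,    s, rest) {
        if (cmd ~ /^[ \t]*#/) return                  # whole-line comment
        s = " " cmd " "                               # pad so separators always exist
        if (!match(s, /[ \t;|&(](os|openstack)[ \t]+([^;|&]*[ \t])?role[ \t]+list[ \t]/))
            return
        rest = substr(s, RSTART + RLENGTH)            # arguments after "role list"
        sub(/[;|&].*/, "", rest)                      # stop at the next command
        rest = " " rest " "
        if (rest ~ /[ \t]--(domain|project|user|group|user-domain|group-domain|project-domain|inherited)[ \t=)]/) {
            gsub(/[ \t]+/, " ", cmd); sub(/^ /, "", cmd)
            print n ": " cmd
        }
    }
    {
        if (!joining) { buf = ""; start = NR }
        line = $0
        joining = (line ~ /\\$/)                      # trailing backslash continues
        sub(/\\$/, "", line)
        buf = buf line
        if (!joining) check(buf, start)
    }
    END { if (joining) check(buf, start) }
    ' "$1"
}

tmp=$(mktemp) && sample_script > "$tmp"
find_deprecated_role_list "$tmp"
rm -f "$tmp"
```

Plain `role list` and `role list --format json` are not reported, since only the filter options are deprecated.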

role remove

Remove role assignment from domain/project : user/group


os role remove
    --domain <domain> | --project <project> [--project-domain <project-domain>]
    --user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
    --inherited
    <role>

--domain <domain>

Include <domain> (name or ID)

New in version 3.

--project <project>

Include <project> (name or ID)

--user <user>

Include <user> (name or ID)

--group <group>

Include <group> (name or ID)

New in version 3.

--user-domain <user-domain>

Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.

New in version 3.

--group-domain <group-domain>

Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.

New in version 3.

--project-domain <project-domain>

Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.

New in version 3.

--inherited

Specifies if the role grant is inheritable to the sub projects.

New in version 3.

<role>

Role to remove (name or ID)

role set

Set role properties

New in version 3.


os role set
    [--name <name>]
    <role>

--name <name>

Set role name

<role>

Role to modify (name or ID)

role show

Display role details


os role show
    <role>

<role>

Role to display (name or ID)