Identity v2, v3
Add role assignment to a user or group in a project or domain
openstack role add
--system <system> | --domain <domain> | --project <project> [--project-domain <project-domain>]
--user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
--role-domain <role-domain>
--inherited
<role>
--system
<system>
¶Include <system>
System or service to grant authorization to. Currently only all
is
supported which encompasses the entire deployment system.
New in version 3.
--domain
<domain>
¶Include <domain> (name or ID)
New in version 3.
--project
<project>
¶Include <project> (name or ID)
--user
<user>
¶Include <user> (name or ID)
--group
<group>
¶Include <group> (name or ID)
New in version 3.
--user-domain
<user-domain>
¶Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
New in version 3.
--group-domain
<group-domain>
¶Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
New in version 3.
--project-domain
<project-domain>
¶Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
New in version 3.
--inherited
¶Specifies if the role grant is inheritable to the sub projects.
New in version 3.
--role-domain
<role-domain>
¶Domain the role belongs to (name or ID). This must be specified when the name of a domain specific role is used.
New in version 3.
<role>
Role to add to <project>:<user> (name or ID)
Create new role
openstack role create
[--or-show]
[--domain <domain>]
<name>
--domain
<domain>
¶Domain the role belongs to (name or ID).
New in version 3.
--or-show
¶Return existing role
If the role already exists return the existing role data and do not fail.
<name>
New role name
Delete role(s)
openstack role delete
<role> [<role> ...]
[--domain <domain>]
<role>
Role to delete (name or ID)
--domain
<domain>
¶Domain the role belongs to (name or ID).
New in version 3.
List roles
openstack role list
--domain <domain> | --project <project> [--project-domain <project-domain>]
--user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
--inherited
--domain
<domain>
¶Filter roles by <domain> (name or ID)
(Deprecated if being used to list assignments in conjunction with the
--user <user>
, option, please use role assignment list
instead)
--project
<project>
¶Filter roles by <project> (name or ID)
(Deprecated, please use role assignment list
instead)
--user
<user>
¶Filter roles by <user> (name or ID)
(Deprecated, please use role assignment list
instead)
--group
<group>
¶Filter roles by <group> (name or ID)
(Deprecated, please use role assignment list
instead)
--user-domain
<user-domain>
¶Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
(Deprecated, please use role assignment list
instead)
New in version 3.
--group-domain
<group-domain>
¶Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
(Deprecated, please use role assignment list
instead)
New in version 3.
--project-domain
<project-domain>
¶Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
(Deprecated, please use role assignment list
instead)
New in version 3.
--inherited
¶Specifies if the role grant is inheritable to the sub projects.
(Deprecated, please use role assignment list
instead)
New in version 3.
Remove role assignment from domain/project : user/group
openstack role remove
--system <system> | --domain <domain> | --project <project> [--project-domain <project-domain>]
--user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
--role-domain <role-domain>
--inherited
<role>
--system
<system>
¶Include <system>
System or service to remove authorization from. Currently only all
is
supported which encompasses the entire deployment system.
New in version 3.
--domain
<domain>
¶Include <domain> (name or ID)
New in version 3.
--project
<project>
¶Include <project> (name or ID)
--user
<user>
¶Include <user> (name or ID)
--group
<group>
¶Include <group> (name or ID)
New in version 3.
--user-domain
<user-domain>
¶Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
New in version 3.
--group-domain
<group-domain>
¶Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
New in version 3.
--project-domain
<project-domain>
¶Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
New in version 3.
--inherited
¶Specifies if the role grant is inheritable to the sub projects.
New in version 3.
--role-domain
<role-domain>
¶Domain the role belongs to (name or ID). This must be specified when the name of a domain specific role is used.
New in version 3.
<role>
Role to remove (name or ID)
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.