User management

The main components of Identity user management are:

  • User. Represents a human user. Has associated information such as user name, password, and email. This example creates a user named alice:

    $ keystone user-create --name=alice --pass=mypassword123 [email protected]

  • Tenant. A project, group, or organization. When you make requests to OpenStack services, you must specify a tenant. For example, if you query the Compute service for a list of running instances, you get a list of all running instances in the tenant that you specified in your query. This example creates a tenant named acme:

    $ keystone tenant-create --name=acme

    Note: Because the term project was used instead of tenant in earlier versions of OpenStack Compute, some command-line tools use --project_id instead of --tenant-id or --os-tenant-id to refer to a tenant ID.

  • Role. Captures the operations that a user can perform in a given tenant. This example creates a role named compute-user:

    $ keystone role-create --name=compute-user

    Note: Individual services, such as Compute and the Image Service, assign meaning to roles. In the Identity Service, a role is simply a name.

The Identity Service assigns a tenant and a role to a user. You might assign the compute-user role to the alice user in the acme tenant:

$ keystone user-list
+--------+---------+-------------------+--------+
|   id   | enabled |       email       |  name  |
+--------+---------+-------------------+--------+
| 892585 |   True  | [email protected] | alice  |
+--------+---------+-------------------+--------+
$ keystone role-list
+--------+--------------+
|   id   |     name     |
+--------+--------------+
| 9a764e | compute-user |
+--------+--------------+
$ keystone tenant-list
+--------+------+---------+
|   id   | name | enabled |
+--------+------+---------+
| 6b8fd2 | acme |   True  |
+--------+------+---------+
$ keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2

A user can have different roles in different tenants. For example, Alice might also have the admin role in the Cyberdyne tenant. A user can also have multiple roles in the same tenant.

The /etc/[SERVICE_CODENAME]/policy.json file controls the tasks that users can perform for a given service. For example, /etc/nova/policy.json specifies the access policy for the Compute service, /etc/glance/policy.json specifies the access policy for the Image Service, and /etc/keystone/policy.json specifies the access policy for the Identity Service.

The default policy.json files in the Compute, Identity, and Image Service recognize only the admin role: all operations that do not require the admin role are accessible by any user that has any role in a tenant.

If you wish to restrict users from performing operations in, say, the Compute service, you need to create a role in the Identity Service and then modify /etc/nova/policy.json so that this role is required for Compute operations.

For example, this line in /etc/nova/policy.json specifies that there are no restrictions on which users can create volumes: if the user has any role in a tenant, they can create volumes in that tenant.

"volume:create": [],

To restrict creation of volumes to users who have the compute-user role in a particular tenant, you would add "role:compute-user", like so:

"volume:create": ["role:compute-user"],

To restrict all Compute service requests to require this role, the resulting file would look like:

{
   "admin_or_owner":[
      [
         "role:admin"
      ],
      [
         "project_id:%(project_id)s"
      ]
   ],
   "default":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute:create":[
      "role:compute-user"
   ],
   "compute:create:attach_network":[
      "role:compute-user"
   ],
   "compute:create:attach_volume":[
      "role:compute-user"
   ],
   "compute:get_all":[
      "role:compute-user"
   ],
   "compute:unlock_override":[
      "rule:admin_api"
   ],
   "admin_api":[
      [
         "role:admin"
      ]
   ],
   "compute_extension:accounts":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:admin_actions":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:admin_actions:pause":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:unpause":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:suspend":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:resume":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:lock":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:unlock":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:resetNetwork":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:admin_actions:injectNetworkInfo":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:admin_actions:createBackup":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:admin_actions:migrateLive":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:admin_actions:migrate":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:aggregates":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:certificates":[
      "role:compute-user"
   ],
   "compute_extension:cloudpipe":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:console_output":[
      "role:compute-user"
   ],
   "compute_extension:consoles":[
      "role:compute-user"
   ],
   "compute_extension:createserverext":[
      "role:compute-user"
   ],
   "compute_extension:deferred_delete":[
      "role:compute-user"
   ],
   "compute_extension:disk_config":[
      "role:compute-user"
   ],
   "compute_extension:evacuate":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:extended_server_attributes":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:extended_status":[
      "role:compute-user"
   ],
   "compute_extension:flavorextradata":[
      "role:compute-user"
   ],
   "compute_extension:flavorextraspecs":[
      "role:compute-user"
   ],
   "compute_extension:flavormanage":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:floating_ip_dns":[
      "role:compute-user"
   ],
   "compute_extension:floating_ip_pools":[
      "role:compute-user"
   ],
   "compute_extension:floating_ips":[
      "role:compute-user"
   ],
   "compute_extension:hosts":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:keypairs":[
      "role:compute-user"
   ],
   "compute_extension:multinic":[
      "role:compute-user"
   ],
   "compute_extension:networks":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:quotas":[
      "role:compute-user"
   ],
   "compute_extension:rescue":[
      "role:compute-user"
   ],
   "compute_extension:security_groups":[
      "role:compute-user"
   ],
   "compute_extension:server_action_list":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:server_diagnostics":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:simple_tenant_usage:show":[
      [
         "rule:admin_or_owner"
      ]
   ],
   "compute_extension:simple_tenant_usage:list":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:users":[
      [
         "rule:admin_api"
      ]
   ],
   "compute_extension:virtual_interfaces":[
      "role:compute-user"
   ],
   "compute_extension:virtual_storage_arrays":[
      "role:compute-user"
   ],
   "compute_extension:volumes":[
      "role:compute-user"
   ],
   "compute_extension:volume_attachments:index":[
      "role:compute-user"
   ],
   "compute_extension:volume_attachments:show":[
      "role:compute-user"
   ],
   "compute_extension:volume_attachments:create":[
      "role:compute-user"
   ],
   "compute_extension:volume_attachments:delete":[
      "role:compute-user"
   ],
   "compute_extension:volumetypes":[
      "role:compute-user"
   ],
   "volume:create":[
      "role:compute-user"
   ],
   "volume:get_all":[
      "role:compute-user"
   ],
   "volume:get_volume_metadata":[
      "role:compute-user"
   ],
   "volume:get_snapshot":[
      "role:compute-user"
   ],
   "volume:get_all_snapshots":[
      "role:compute-user"
   ],
   "network:get_all_networks":[
      "role:compute-user"
   ],
   "network:get_network":[
      "role:compute-user"
   ],
   "network:delete_network":[
      "role:compute-user"
   ],
   "network:disassociate_network":[
      "role:compute-user"
   ],
   "network:get_vifs_by_instance":[
      "role:compute-user"
   ],
   "network:allocate_for_instance":[
      "role:compute-user"
   ],
   "network:deallocate_for_instance":[
      "role:compute-user"
   ],
   "network:validate_networks":[
      "role:compute-user"
   ],
   "network:get_instance_uuids_by_ip_filter":[
      "role:compute-user"
   ],
   "network:get_floating_ip":[
      "role:compute-user"
   ],
   "network:get_floating_ip_pools":[
      "role:compute-user"
   ],
   "network:get_floating_ip_by_address":[
      "role:compute-user"
   ],
   "network:get_floating_ips_by_project":[
      "role:compute-user"
   ],
   "network:get_floating_ips_by_fixed_address":[
      "role:compute-user"
   ],
   "network:allocate_floating_ip":[
      "role:compute-user"
   ],
   "network:deallocate_floating_ip":[
      "role:compute-user"
   ],
   "network:associate_floating_ip":[
      "role:compute-user"
   ],
   "network:disassociate_floating_ip":[
      "role:compute-user"
   ],
   "network:get_fixed_ip":[
      "role:compute-user"
   ],
   "network:add_fixed_ip_to_instance":[
      "role:compute-user"
   ],
   "network:remove_fixed_ip_from_instance":[
      "role:compute-user"
   ],
   "network:add_network_to_project":[
      "role:compute-user"
   ],
   "network:get_instance_nw_info":[
      "role:compute-user"
   ],
   "network:get_dns_domains":[
      "role:compute-user"
   ],
   "network:add_dns_entry":[
      "role:compute-user"
   ],
   "network:modify_dns_entry":[
      "role:compute-user"
   ],
   "network:delete_dns_entry":[
      "role:compute-user"
   ],
   "network:get_dns_entries_by_address":[
      "role:compute-user"
   ],
   "network:get_dns_entries_by_name":[
      "role:compute-user"
   ],
   "network:create_private_dns_domain":[
      "role:compute-user"
   ],
   "network:create_public_dns_domain":[
      "role:compute-user"
   ],
   "network:delete_dns_domain":[
      "role:compute-user"
   ]
}
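The following is an added example, not Nova's own policy engine: a minimal evaluator for the list-of-lists policy.json format used above (outer list = OR of alternatives, inner list = AND of terms; "rule:" references a named rule, "role:" matches a role in the token, and "project_id:%(project_id)s" compares the target's project with the caller's). The policy and credentials below are constructed to show why "volume:create": [] admits any user with any role in the tenant, while "role:compute-user" restricts it.

```python
import json

# Constructed sample policy using rules taken from the page above.
SAMPLE_POLICY = json.loads("""{
  "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
  "default": [["rule:admin_or_owner"]],
  "admin_api": [["role:admin"]],
  "volume:create": [],
  "compute:get_all": ["role:compute-user"],
  "compute:unlock_override": ["rule:admin_api"]
}""")


def _check(term, policy, target, creds):
    """Evaluate one 'kind:match' term against the caller's credentials."""
    kind, match = term.split(":", 1)
    if kind == "rule":
        # Reference to another named rule in the same file.
        return enforce(match, policy, target, creds)
    if kind == "role":
        # Roles are those the Identity Service issued for the token's tenant.
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: substitute target attributes, compare with a credential.
    return match % target == str(creds.get(kind))


def enforce(rule_name, policy, target, creds):
    """Return True if creds may perform rule_name on target.

    An empty rule always matches, which is why the default
    "volume:create": [] lets anyone with a role in the tenant create
    volumes. A rule name missing from the file falls back to "default".
    """
    if rule_name not in policy:
        if rule_name == "default" or "default" not in policy:
            return False
        return enforce("default", policy, target, creds)
    rule = policy[rule_name]
    if not rule:
        return True
    for alternative in rule:
        # A bare string alternative is a single-term AND list.
        terms = [alternative] if isinstance(alternative, str) else alternative
        if all(_check(t, policy, target, creds) for t in terms):
            return True
    return False
```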