The main components of Identity user management are:
User. Represents a human user. Has associated information such as user name, password, and email. This example creates a user named
alice
:$ keystone user-create --name=alice --pass=mypassword123 [email protected]
Tenant. A project, group, or organization. When you make requests to OpenStack services, you must specify a tenant. For example, if you query the Compute service for a list of running instances, you get a list of all running instances in the tenant that you specified in your query. This example creates a tenant named
acme
:$ keystone tenant-create --name=acme
Note Because the term project was used instead of tenant in earlier versions of OpenStack Compute, some command-line tools use
--project_id
instead of--tenant-id
or--os-tenant-id
to refer to a tenant ID.Role. Captures the operations that a user can perform in a given tenant.
This example creates a role named
compute-user
:$ keystone role-create --name=compute-user
Note Individual services, such as Compute and the Image Service, assign meaning to roles. In the Identity Service, a role is simply a name.
The Identity Service assigns a tenant and a role to a user.
You might assign the compute-user
role to
the alice
user in the
acme
tenant:
$ keystone user-list +--------+---------+-------------------+--------+ | id | enabled | email | name | +--------+---------+-------------------+--------+ | 892585 | True | [email protected] | alice | +--------+---------+-------------------+--------+
$ keystone role-list +--------+--------------+ | id | name | +--------+--------------+ | 9a764e | compute-user | +--------+--------------+
$ keystone tenant-list +--------+------+---------+ | id | name | enabled | +--------+------+---------+ | 6b8fd2 | acme | True | +--------+------+---------+
$ keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2
A user can have different roles in different tenants. For
example, Alice might also have the admin
role in the Cyberdyne
tenant. A user can
also have multiple roles in the same tenant.
The
/etc/
file controls the tasks that users can perform for a given
service. For example,
[SERVICE_CODENAME]
/policy.json/etc/nova/policy.json
specifies the
access policy for the Compute service,
/etc/glance/policy.json
specifies the
access policy for the Image Service, and
/etc/keystone/policy.json
specifies
the access policy for the Identity Service.
The default policy.json
files in the
Compute, Identity, and Image Service recognize only the
admin
role: all operations that do not
require the admin
role are accessible by
any user that has any role in a tenant.
If you wish to restrict users from performing operations in,
say, the Compute service, you need to create a role in the
Identity Service and then modify
/etc/nova/policy.json
so that this
role is required for Compute operations.
For example, this line in
/etc/nova/policy.json
specifies that
there are no restrictions on which users can create volumes:
if the user has any role in a tenant, they can create volumes
in that tenant.
"volume:create": [],
To restrict creation of volumes to users who had the
compute-user
role in a particular
tenant, you would add "role:compute-user"
,
like so:
"volume:create": ["role:compute-user"],
To restrict all Compute service requests to require this role, the resulting file would look like:
{ "admin_or_owner":[ [ "role:admin" ], [ "project_id:%(project_id)s" ] ], "default":[ [ "rule:admin_or_owner" ] ], "compute:create":[ "role:compute-user" ], "compute:create:attach_network":[ "role:compute-user" ], "compute:create:attach_volume":[ "role:compute-user" ], "compute:get_all":[ "role:compute-user" ], "compute:unlock_override":[ "rule:admin_api" ], "admin_api":[ [ "role:admin" ] ], "compute_extension:accounts":[ [ "rule:admin_api" ] ], "compute_extension:admin_actions":[ [ "rule:admin_api" ] ], "compute_extension:admin_actions:pause":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:unpause":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:suspend":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:resume":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:lock":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:unlock":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:resetNetwork":[ [ "rule:admin_api" ] ], "compute_extension:admin_actions:injectNetworkInfo":[ [ "rule:admin_api" ] ], "compute_extension:admin_actions:createBackup":[ [ "rule:admin_or_owner" ] ], "compute_extension:admin_actions:migrateLive":[ [ "rule:admin_api" ] ], "compute_extension:admin_actions:migrate":[ [ "rule:admin_api" ] ], "compute_extension:aggregates":[ [ "rule:admin_api" ] ], "compute_extension:certificates":[ "role:compute-user" ], "compute_extension:cloudpipe":[ [ "rule:admin_api" ] ], "compute_extension:console_output":[ "role:compute-user" ], "compute_extension:consoles":[ "role:compute-user" ], "compute_extension:createserverext":[ "role:compute-user" ], "compute_extension:deferred_delete":[ "role:compute-user" ], "compute_extension:disk_config":[ "role:compute-user" ], "compute_extension:evacuate":[ [ "rule:admin_api" ] ], "compute_extension:extended_server_attributes":[ [ "rule:admin_api" ] ], "compute_extension:extended_status":[ "role:compute-user" ], "compute_extension:flavorextradata":[ "role:compute-user" ], "compute_extension:flavorextraspecs":[ "role:compute-user" ], "compute_extension:flavormanage":[ [ "rule:admin_api" ] ], "compute_extension:floating_ip_dns":[ "role:compute-user" ], "compute_extension:floating_ip_pools":[ "role:compute-user" ], "compute_extension:floating_ips":[ "role:compute-user" ], "compute_extension:hosts":[ [ "rule:admin_api" ] ], "compute_extension:keypairs":[ "role:compute-user" ], "compute_extension:multinic":[ "role:compute-user" ], "compute_extension:networks":[ [ "rule:admin_api" ] ], "compute_extension:quotas":[ "role:compute-user" ], "compute_extension:rescue":[ "role:compute-user" ], "compute_extension:security_groups":[ "role:compute-user" ], "compute_extension:server_action_list":[ [ "rule:admin_api" ] ], "compute_extension:server_diagnostics":[ [ "rule:admin_api" ] ], "compute_extension:simple_tenant_usage:show":[ [ "rule:admin_or_owner" ] ], "compute_extension:simple_tenant_usage:list":[ [ "rule:admin_api" ] ], "compute_extension:users":[ [ "rule:admin_api" ] ], "compute_extension:virtual_interfaces":[ "role:compute-user" ], "compute_extension:virtual_storage_arrays":[ "role:compute-user" ], "compute_extension:volumes":[ "role:compute-user" ], "compute_extension:volume_attachments:index":[ "role:compute-user" ], "compute_extension:volume_attachments:show":[ "role:compute-user" ], "compute_extension:volume_attachments:create":[ "role:compute-user" ], "compute_extension:volume_attachments:delete":[ "role:compute-user" ], "compute_extension:volumetypes":[ "role:compute-user" ], "volume:create":[ "role:compute-user" ], "volume:get_all":[ "role:compute-user" ], "volume:get_volume_metadata":[ "role:compute-user" ], "volume:get_snapshot":[ "role:compute-user" ], "volume:get_all_snapshots":[ "role:compute-user" ], "network:get_all_networks":[ "role:compute-user" ], "network:get_network":[ "role:compute-user" ], "network:delete_network":[ "role:compute-user" ], "network:disassociate_network":[ "role:compute-user" ], "network:get_vifs_by_instance":[ "role:compute-user" ], "network:allocate_for_instance":[ "role:compute-user" ], "network:deallocate_for_instance":[ "role:compute-user" ], "network:validate_networks":[ "role:compute-user" ], "network:get_instance_uuids_by_ip_filter":[ "role:compute-user" ], "network:get_floating_ip":[ "role:compute-user" ], "network:get_floating_ip_pools":[ "role:compute-user" ], "network:get_floating_ip_by_address":[ "role:compute-user" ], "network:get_floating_ips_by_project":[ "role:compute-user" ], "network:get_floating_ips_by_fixed_address":[ "role:compute-user" ], "network:allocate_floating_ip":[ "role:compute-user" ], "network:deallocate_floating_ip":[ "role:compute-user" ], "network:associate_floating_ip":[ "role:compute-user" ], "network:disassociate_floating_ip":[ "role:compute-user" ], "network:get_fixed_ip":[ "role:compute-user" ], "network:add_fixed_ip_to_instance":[ "role:compute-user" ], "network:remove_fixed_ip_from_instance":[ "role:compute-user" ], "network:add_network_to_project":[ "role:compute-user" ], "network:get_instance_nw_info":[ "role:compute-user" ], "network:get_dns_domains":[ "role:compute-user" ], "network:add_dns_entry":[ "role:compute-user" ], "network:modify_dns_entry":[ "role:compute-user" ], "network:delete_dns_entry":[ "role:compute-user" ], "network:get_dns_entries_by_address":[ "role:compute-user" ], "network:get_dns_entries_by_name":[ "role:compute-user" ], "network:create_private_dns_domain":[ "role:compute-user" ], "network:create_public_dns_domain":[ "role:compute-user" ], "network:delete_dns_domain":[ "role:compute-user" ] }