The OpenStack Compute system is designed to be used by many different cloud computing
consumers or customers (tenants on a shared system) using role-based access
assignments. Roles control the actions that a user is allowed to perform. In the default
configuration, most actions do not require a particular role, but this is configurable
by the system administrator, who edits the policy.json file that maintains the rules.
For example, a rule can be defined so that a user cannot allocate a public IP without
the admin role. A user's access to particular images is limited by tenant, but the
username and password are assigned per user. Key pairs granting access to an instance
are enabled per user, but quotas that control resource consumption across the available
hardware resources are per tenant.
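As an added illustration of how policy.json rules such as the "no public IP without the admin role" example are evaluated, the following is a small rule checker with a constructed policy fragment; it is not code from OpenStack, and the action names it uses are placeholders rather than nova's real rule keys.

```python
import json

# Constructed policy.json fragment for illustration; the action names
# (compute:allocate_public_ip, compute:get_instance) are placeholders, not
# nova's real rule keys. Rule syntax follows policy.json conventions:
# "" allows everyone, "!" denies everyone, "rule:x" references another rule,
# "role:x" checks a role, "attr:%(attr)s" compares a credential to the target.
POLICY_JSON = """
{
    "default": "",
    "admin_required": "role:admin or is_admin:1",
    "admin_or_owner": "rule:admin_required or project_id:%(project_id)s",
    "compute:allocate_public_ip": "rule:admin_required",
    "compute:get_instance": "rule:admin_or_owner"
}
"""
RULES = json.loads(POLICY_JSON)

def _check_atom(atom, creds, target):
    """Evaluate one 'kind:match' term against the caller's credentials."""
    kind, _, match = atom.partition(":")
    try:
        match = match % target  # expand %(project_id)s from the target object
    except KeyError:
        return False  # target lacks the attribute the rule needs: deny
    if kind == "rule":
        return check_rule(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    return str(creds.get(kind)) == match  # generic attribute comparison

def _evaluate(expr, creds, target):
    """Evaluate 'a and b or c' (no parentheses); 'or' binds loosest."""
    expr = expr.strip()
    if expr == "":
        return True
    if expr == "!":
        return False
    return any(
        all(_check_atom(a.strip(), creds, target) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )

def check_rule(rule_name, creds, target):
    """Return True if creds may perform rule_name on target.
    Actions absent from the file fall back to the "default" rule."""
    return _evaluate(RULES.get(rule_name, RULES["default"]), creds, target)
```

Because "default" is the empty rule, any action not listed in the file is allowed, which matches the default behaviour described above; tightening "default" to "rule:admin_required" is the usual hardening step.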
Note
Earlier versions of OpenStack used the term "project" instead of "tenant".
Because of this legacy terminology, some command-line tools use
While the original EC2 API supports users, OpenStack Compute adds the concept of tenants.
Tenants are isolated resource containers forming the principal organizational structure
within the Compute service. They consist of a separate VLAN, volumes, instances, images,
keys, and users. A user can specify which tenant he or she wishes to be known as by
appending :project_id to his or her access key. If no tenant is specified in the API
request, Compute attempts to use a tenant with the same ID as the user.
For tenants, quota controls are available to limit the:
Number of volumes which may be created
Total size of all volumes within a project as measured in GB
Number of instances which may be launched
Number of processor cores which may be allocated
Floating IP addresses (assigned to any instance when it launches so the instance has the same publicly accessible IP addresses)
Fixed IP addresses (assigned to the same instance each time it boots, publicly or privately accessible, typically private for management purposes)