 Define users, tenants, and roles

After you install the Identity Service, set up users, tenants, and roles to authenticate against. These are used to allow access to services and endpoints, described in the next section.

Typically, you would provide a user name and password to authenticate with the Identity Service. At this point, however, no users exist yet, so you must use the authorization token created in an earlier step (see the section called “Install the Identity Service” for details). You can pass this token with the --os-token option to the keystone command, or set the OS_SERVICE_TOKEN environment variable. Also set OS_SERVICE_ENDPOINT to specify where the Identity Service is running. Replace ADMIN_TOKEN with your authorization token.

$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
 

Create an administrative user

Follow these steps to create an administrative user, role, and tenant. You will use this account for administrative interaction with the OpenStack cloud.

By default, the Identity Service creates a special _member_ role. The OpenStack dashboard automatically grants access to users with this role. You will give the admin user access to this role in addition to the admin role.

Note

Any role that you create must map to roles specified in the policy.json file included with each OpenStack service. The default policy file for most services grants administrative access to the admin role.

  1. Create the admin user:

    $ keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL

    Replace ADMIN_PASS with a secure password and replace ADMIN_EMAIL with an email address to associate with the account.

  2. Create the admin role:

    $ keystone role-create --name=admin

  3. Create the admin tenant:

    $ keystone tenant-create --name=admin --description="Admin Tenant"

  4. Link the admin user, admin role, and admin tenant together using the user-role-add command:

    $ keystone user-role-add --user=admin --tenant=admin --role=admin

  5. Link the admin user, _member_ role, and admin tenant:

    $ keystone user-role-add --user=admin --role=_member_ --tenant=admin
 

Create a normal user

Follow these steps to create a normal user and tenant, and link them to the special _member_ role. You will use this account for daily non-administrative interaction with the OpenStack cloud. You can also repeat this procedure to create additional cloud users with different usernames and passwords. Skip the tenant creation step when creating these users.

  1. Create the demo user:

    $ keystone user-create --name=demo --pass=DEMO_PASS --email=DEMO_EMAIL

    Replace DEMO_PASS with a secure password and replace DEMO_EMAIL with an email address to associate with the account.

  2. Create the demo tenant:

    $ keystone tenant-create --name=demo --description="Demo Tenant"

    Note

    Do not repeat this step when adding additional users.

  3. Link the demo user, _member_ role, and demo tenant:

    $ keystone user-role-add --user=demo --role=_member_ --tenant=demo
 

Create a service tenant

OpenStack services also require a username, tenant, and role to access other OpenStack services. In a basic installation, OpenStack services typically share a single tenant named service.

You will create additional usernames and roles under this tenant as you install and configure each service.

  • Create the service tenant:

    $ keystone tenant-create --name=service --description="Service Tenant"
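The three procedures on this page (administrative user, normal user, service tenant) as one script, added here as an example; it is not part of the OpenStack guide. It wraps the same keystone commands shown above and assumes a keystone v2.0 CLI on the PATH. Beyond the bare commands it refuses the literal ADMIN_TOKEN placeholder, skips users, roles and tenants that already exist so the script can be re-run safely, adds only the role links that user-role-list does not already show, and unsets the service token when it is done. The ks_* and ensure_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the OpenStack guide: idempotent bootstrap of the
# admin, demo and service identities described on this page.
set -eu

# Reject the guide's literal placeholder token and malformed endpoints.
# Returns 0 when the service-token environment is usable, 1 otherwise.
check_service_env() {
    token="${OS_SERVICE_TOKEN:-}"
    endpoint="${OS_SERVICE_ENDPOINT:-}"
    [ -n "$token" ] || return 1
    [ "$token" != "ADMIN_TOKEN" ] || return 1
    case "$endpoint" in
        http://*/v2.0|https://*/v2.0) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the names from a keystone v2 "<kind>-list" table (name is column 2;
# the table's +---+ border rows have no column separators and are skipped).
ks_names() {
    keystone "$1-list" | awk -F'|' 'NR > 3 && NF > 2 { gsub(/ /, "", $3); print $3 }'
}

# True when an object of KIND (user, role, tenant) named NAME already exists.
ks_exists() {
    ks_names "$1" | grep -qx -- "$2"
}

ensure_user()   { ks_exists user   "$1" || keystone user-create   --name="$1" --pass="$2" --email="$3"; }
ensure_role()   { ks_exists role   "$1" || keystone role-create   --name="$1"; }
ensure_tenant() { ks_exists tenant "$1" || keystone tenant-create --name="$1" --description="$2"; }

# Link USER, TENANT and ROLE unless user-role-list already shows the link.
ensure_user_role() {
    keystone user-role-list --user="$1" --tenant="$2" \
        | awk -F'|' 'NR > 3 && NF > 2 { gsub(/ /, "", $3); print $3 }' \
        | grep -qx -- "$3" \
        || keystone user-role-add --user="$1" --tenant="$2" --role="$3"
}

# Run the three procedures from this page. ADMIN_PASS, ADMIN_EMAIL, DEMO_PASS
# and DEMO_EMAIL must be exported. The service token is cleared at the end so
# that later commands have to authenticate as the new admin user instead.
bootstrap_identity() {
    check_service_env || {
        echo "OS_SERVICE_TOKEN/OS_SERVICE_ENDPOINT missing or still placeholders" >&2
        return 1
    }
    ensure_user   admin "${ADMIN_PASS:?}" "${ADMIN_EMAIL:?}"
    ensure_role   admin
    ensure_tenant admin "Admin Tenant"
    ensure_user_role admin admin admin
    ensure_user_role admin admin _member_
    ensure_user   demo "${DEMO_PASS:?}" "${DEMO_EMAIL:?}"
    ensure_tenant demo "Demo Tenant"
    ensure_user_role demo demo _member_
    ensure_tenant service "Service Tenant"
    unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
}
```

Export ADMIN_PASS, ADMIN_EMAIL, DEMO_PASS and DEMO_EMAIL together with OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT, source the file, and call bootstrap_identity. Two caveats carry over from the commands above: --pass= places the password on the command line, where it is visible in the process list and in shell history, and the service token bypasses normal authentication entirely, which is why the script unsets it once the admin user can authenticate with a password.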