Use the concept of domains, roles, users and groups to manage identities

1. Overview

Before you get started!

Welcome to OpenStack!

In this series of tutorials, we will walk you through all the necessary steps to install, configure and get started with OpenStack. Using just your workstation, you will learn how to use OpenStack for cloud infrastructure implementation purposes, from a single-node installation to large-scale clusters.

This tutorial is the sixth in the “Phase I - Single-node OpenStack on your workstation” series.


What is OpenStack?

OpenStack is the most popular open source cloud platform that aggregates distributed compute, network and storage resources in the data centre and enables on-demand provisioning of virtual machines through a self-service portal. OpenStack powers thousands of public and private clouds all over the world, providing rapid access for greater innovation and better economics.


What is MicroStack?

MicroStack is a micro cloud platform based on OpenStack, designed for the edge and small-scale data centre deployments, that can be installed and maintained with minimal effort. MicroStack eliminates the complexity behind OpenStack, providing an opinionated approach to OpenStack architecture design and a straightforward installation method.


What is Charmed OpenStack?

Charmed OpenStack is an enterprise cloud platform based on OpenStack, designed for large-scale data centre deployments, that provides full automation around the initial installation and day-2 operations. Charmed OpenStack abstracts the complexity behind OpenStack, using a composable approach to OpenStack architecture design with model-driven operators (charms).


In this tutorial, you will learn how to:

  • Distinguish between the various OpenStack identities

  • Manage domains

  • Manage roles

  • Manage projects

  • Manage users and groups

  • Manage membership and assignments

You will only need:

One physical machine with:

MicroStack

These instructions use MicroStack - OpenStack in a snap. MicroStack is also available on other Linux distros, Windows and macOS. Refer to the MicroStack website for more information on how to install MicroStack on an OS other than Ubuntu.


2. Manage domains

Domains are high-level collections of projects, groups and users. They limit the visibility of those identities to other domains. As a result, domains serve as a basis for implementing multi-tenancy in OpenStack.

To create a new domain called mydomain, execute the following command:


$ openstack --insecure domain create --description "My domain" mydomain

To list all domains, execute the following command:


$ openstack --insecure domain list

Sample output:


+----------------------------------+----------+---------+--------------------+
| ID                               | Name     | Enabled | Description        |
+----------------------------------+----------+---------+--------------------+
| 6009e1ab2fed473480ce2cd7d32d435e | mydomain | True    | My domain          |
| default                          | Default  | True    | The default domain |
+----------------------------------+----------+---------+--------------------+

In this new domain, we have to create the admin user to be able to manage its identities through the OpenStack dashboard. We’ll explain all those concepts in a later part of this tutorial, but for now, simply execute the following commands:


$ openstack --insecure user create --domain mydomain --password admin admin

$ openstack --insecure role add --domain mydomain --user-domain mydomain --user admin admin

Multi-domain support is disabled in the OpenStack dashboard in MicroStack by default. In order to enable it, execute the following commands:


$ sudo bash -c 'cat > /var/snap/microstack/common/etc/horizon/local_settings.d/_10_enable_multidomain_support.py' << EOF
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
EOF

$ sudo snap restart microstack.horizon-uwsgi

Once the commands finish, you will be able to see the Domain field on the OpenStack dashboard login screen:

You can log in using the following credentials:

  • Domain - Type mydomain

  • User Name - Type admin

  • Password - Type admin

Since no projects have been created in the mydomain domain yet, you can ignore any error messages in the top right corner of the screen.

Note that, until the end of this tutorial, we’re going to use the admin user account in the mydomain domain when running actions through the OpenStack dashboard. We’ll continue using the admin user account in the default domain when running them through the OpenStack client.


3. Manage roles

Roles implement role-based access control (RBAC) mechanisms in OpenStack and define the authorisation level users or groups have inside of domains and projects. They are globally unique, meaning they are shared across all existing domains.

In the following steps, we’ll create a new role called _member_, which is a default role that enables creation of new projects in OpenStack, but is not created in MicroStack by default.

Manage roles through the OpenStack client

To create the _member_ role, execute the following command:


$ openstack --insecure role create _member_

To list all roles, execute the following command:


$ openstack --insecure role list

Sample output:


+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 0cc5489e6ca046de8d769471e5e605fe | admin    |
| 21e5e1d86de34d3985b7376f753de2aa | reader   |
| 60524922880b472085a79d236ab2c071 | _member_ |
| 84de297b82a741bc8d69ebaa75c456fc | member   |
+----------------------------------+----------+

Manage roles through the OpenStack dashboard

Navigate to Identity -> Roles and click the Create Role button on the right:

To create the role, fill in the form as follows:

  • Name - Type _member_

Then click the Submit button:

You are now able to see all four roles in Keystone’s database:

Note that role IDs may be different in your environment.


4. Manage projects

Projects are an abstraction used by other OpenStack services to group and isolate various types of resources (instances, volumes, and so on). One domain can have multiple projects created inside.

In the following steps, we’ll create a new project called myproject under the mydomain domain.

Manage projects through the OpenStack client

To create the project, execute the following command:


$ openstack --insecure project create --domain mydomain myproject

To list all projects, execute the following command:


$ openstack --insecure project list --domain mydomain

Sample output:


+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| f96f3e26d98e4455ade809116da49689 | myproject |
+----------------------------------+-----------+

Manage projects through the OpenStack dashboard

Navigate to Identity -> Projects and click the Create Project button on the right:

To create the project, fill in the form as follows:

  • Name - Type myproject

Then click the Create Project button:

Note that the domain ID (here 673c82067e4c4054b02583d41f6f8804) may be different in your environment.

You are now able to see the new project in Keystone’s database:

Note that the project ID (here 5a7bfd26f2cf4470b6a0f5f591195bfb) may be different in your environment.


5. Manage users and groups

Users and groups represent entities that are given access to resources inside of projects and domains through the assigned roles. One domain can have multiple users and groups created inside.

In the following steps, we’ll create a new user called myuser with the password mypassword, and a new group called mygroup under the mydomain domain.

Manage users and groups through the OpenStack client

To create the user, execute the following command:


$ openstack --insecure user create --domain mydomain --password mypassword myuser

To list all users, execute the following command:


$ openstack --insecure user list --domain mydomain

Sample output:


+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1e98932254dc49a9b07c71d17a188e95 | admin  |
| 143d87467cb040c28baeda8466a373b3 | myuser |
+----------------------------------+--------+

To create the group, execute the following command:


$ openstack --insecure group create --domain mydomain mygroup

To list all groups, execute the following command:


$ openstack --insecure group list --domain mydomain

Sample output:


+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| a3f6c066557a4890a0d3b45737a609b6 | mygroup |
+----------------------------------+---------+

Manage users and groups through the OpenStack dashboard

Navigate to Identity -> Users and click the Create User button on the right:

To create the user, fill in the form as follows:

  • User Name - Type myuser

  • Password - Type mypassword

  • Confirm Password - Type mypassword

Then click the Create User button:

You are now able to see the new user in Keystone’s database:

Note that the user ID (here 4d57cc863b034f87847c04f668035819) may be different in your environment.

Navigate to Identity -> Groups and click the Create Group button on the right:

To create the group, fill in the form as follows:

  • Name - Type mygroup

Then click the Create Group button:

You are now able to see the new group in Keystone’s database:

Note that the group ID (here 32b49b169bfd4531b4dab4ed351e45b0) may be different in your environment.


6. Manage membership and assignments

In the following steps, we’ll add the myuser user to the mygroup group and assign the member role to the mygroup group on the myproject project under the mydomain domain.

Manage membership and assignments through the OpenStack client

To add the myuser user to the mygroup group, execute the following command:


$ openstack --insecure group add user --group-domain mydomain --user-domain mydomain mygroup myuser

To assign the member role to the mygroup group on the myproject project, execute the following command:


$ openstack --insecure role add --project myproject --project-domain mydomain --group mygroup member

Manage membership and assignments through the OpenStack dashboard

Navigate to Identity -> Groups. Then, under the Actions column beside mygroup, click the Manage Members button:

Click the Add Users button on the right:

Select myuser from the list by checking the checkbox on the left and click the Add Users button:

You are now able to see the myuser user as a member of the mygroup group:

Navigate to Identity -> Projects. Then, under the Actions column beside myproject, click the Manage Members button:

Select the Project Groups tab:

Click the + button beside mygroup:

Deselect _member_ and select member from the drop-down menu beside mygroup and press the Save button:


7. Finish setting up admin user

In order to finish setting up the admin user in the mydomain domain, we’re going to assign member and admin roles to this user on the myproject project, download the RC file and set up the OpenStack client.

To assign roles, execute the following commands:


$ openstack --insecure role add --project myproject --project-domain mydomain --user admin --user-domain mydomain member

$ openstack --insecure role add --project myproject --project-domain mydomain --user admin --user-domain mydomain admin
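An added example, not part of the original tutorial: a small Python audit that takes the role assignments created in sections 2, 6 and 7 and works out which roles each user ends up with on each scope, expanding the mygroup assignment to its members. The sample data is constructed from the commands above, and the JSON key names are assumed to match the column headers of `openstack role assignment list --names -f json`.

```python
import json
from collections import defaultdict

# Constructed sample: the assignments this tutorial creates in mydomain, shaped
# like `openstack role assignment list --names -f json` output. Key names are
# assumed to follow the client's column headers.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "admin", "User": "admin@mydomain", "Group": "", "Project": "", "Domain": "mydomain"},
    {"Role": "member", "User": "", "Group": "mygroup@mydomain", "Project": "myproject@mydomain", "Domain": ""},
    {"Role": "member", "User": "admin@mydomain", "Group": "", "Project": "myproject@mydomain", "Domain": ""},
    {"Role": "admin", "User": "admin@mydomain", "Group": "", "Project": "myproject@mydomain", "Domain": ""},
])

# Constructed sample: group membership from section 6 (group -> users).
SAMPLE_MEMBERS = {"mygroup@mydomain": ["myuser@mydomain"]}


def effective_roles(assignments_json, members):
    """Return {(user, scope): {roles}}, expanding group assignments to users."""
    result = defaultdict(set)
    for row in json.loads(assignments_json):
        if row.get("Project"):
            scope = "project:" + row["Project"]
        elif row.get("Domain"):
            scope = "domain:" + row["Domain"]
        else:
            continue  # system-scoped rows are outside this tutorial
        if row.get("User"):
            users = [row["User"]]
        else:
            users = members.get(row.get("Group", ""), [])
        for user in users:
            result[(user, scope)].add(row["Role"])
    return dict(result)


def holders(effective, role):
    """Sorted (user, scope) pairs that hold the given role."""
    return sorted(key for key, roles in effective.items() if role in roles)


if __name__ == "__main__":
    eff = effective_roles(SAMPLE_ASSIGNMENTS, SAMPLE_MEMBERS)
    for (user, scope), roles in sorted(eff.items()):
        print(f"{user:16} {scope:28} {', '.join(sorted(roles))}")
    print("admin holders:", holders(eff, "admin"))
```

On the sample data, myuser holds only member on myproject (through mygroup), while the mydomain admin user holds admin on both the domain and the project.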

Log out and log in again to the OpenStack dashboard. You are now able to see the Project tab in the menu on the left:

To download the RC file, navigate to the admin drop-down menu on the top right, click it, and select OpenStack RC File to download the RC file:

Depending on your browser, you may also need to accept the file:


Then change the name of the file:


$ mv ~/Downloads/myproject-openrc.sh ~/Downloads/admin-openrc.sh

To set up the OpenStack client, open a new terminal window, execute the following command and type admin when asked for the password:


$ source ~/Downloads/admin-openrc.sh

You can now use the OpenStack client to interact with the OpenStack cloud as the admin user from the mydomain domain. For example, to list all launched instances, run:


$ openstack --insecure server list

Note that the admin user from the mydomain domain cannot see the test instance we launched in tutorial “1. Install”.


8. Next steps

Congratulations! You have reached the end of this tutorial.

You can now move to the next tutorial - “7. Tenants” - or explore other tutorials.

Take a survey!

Your feedback is very important for us and the entire OpenStack community. We want to understand how you use MicroStack and your pain points. Your feedback helps guide future MicroStack development.

Please fill in a short 5-question anonymous survey.

In this tutorial, you have learnt how to:

  • Distinguish between the various OpenStack identities

  • Manage domains

  • Manage roles

  • Manage projects

  • Manage users and groups

  • Manage membership and assignments
