The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users, and roles. For simplicity, this guide implicitly uses the default domain. The packages can automatically create the service entity and API endpoint. Create an administrative project, user, and role for administrative operations in your environment: Create the admin project: $ openstack project create --description "Admin Project" admin +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Admin Project | | enabled | True | | id | cf12a15c5ea84b019aec3dc45580896b | | name | admin | +-------------+----------------------------------+ OpenStack generates IDs dynamically, so you will see different values in the example command output. Create the admin user: $ openstack user create --password-prompt admin User Password: Repeat User Password: +------------+----------------------------------+ | Field | Value | +------------+----------------------------------+ | email | None | | enabled | True | | id | 4d411f2291f34941b30eef9bd797505a | | name | admin | | username | admin | +------------+----------------------------------+ Create the admin role: $ openstack role create admin +-------+----------------------------------+ | Field | Value | +-------+----------------------------------+ | id | cd2cb9a39e874ea69e5d4b896eb16128 | | name | admin | +-------+----------------------------------+ Add the admin role to the admin project and user: $ openstack role add --project admin --user admin admin +-------+----------------------------------+ | Field | Value | +-------+----------------------------------+ | id | cd2cb9a39e874ea69e5d4b896eb16128 | | name | admin | +-------+----------------------------------+ Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role. For more information, see the Operations Guide - Managing Projects and Users. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project: $ openstack project create --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | enabled | True | | id | 55cbd79c0c014c8a95534ebd16213ca1 | | name | service | +-------------+----------------------------------+ Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user. Create the demo project: $ openstack project create --description "Demo Project" demo +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Demo Project | | enabled | True | | id | ab8ea576c0574b6092bb99150449b2d3 | | name | demo | +-------------+----------------------------------+ Do not repeat this step when creating additional users for this project. Create the demo user: $ openstack user create --password-prompt demo User Password: Repeat User Password: +------------+----------------------------------+ | Field | Value | +------------+----------------------------------+ | email | None | | enabled | True | | id | 3a81e6c8103b46709ef8d141308d4c72 | | name | demo | | project_id | ab8ea576c0574b6092bb99150449b2d3 | | username | demo | +------------+----------------------------------+ Create the user role: $ openstack role create user +-------+----------------------------------+ | Field | Value | +-------+----------------------------------+ | id | 9fe2ff9ee4384b1894a90878d3e92bab | | name | user | +-------+----------------------------------+ Add the user role to the demo project and user: $ openstack role add --project demo --user demo user +-------+----------------------------------+ | Field | Value | +-------+----------------------------------+ | id | 9fe2ff9ee4384b1894a90878d3e92bab | | name | user | +-------+----------------------------------+ You can repeat this procedure to create additional projects and users.