Create projects, users, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Identity service provides authentication services for each OpenStack
service. The authentication service uses a combination of :term:`domains`,
:term:`projects` (tenants), :term:`users`, and :term:`roles`.

.. note::

   For simplicity, this guide uses the ``default`` domain.

#. Create an administrative project, user, and role for administrative
   operations in your environment:

   * Create the ``admin`` project:

     .. code-block:: console

        $ openstack project create --domain default \
          --description "Admin Project" admin
        +-------------+----------------------------------+
        | Field       | Value                            |
        +-------------+----------------------------------+
        | description | Admin Project                    |
        | domain_id   | default                          |
        | enabled     | True                             |
        | id          | 343d245e850143a096806dfaefa9afdc |
        | is_domain   | False                            |
        | name        | admin                            |
        | parent_id   | None                             |
        +-------------+----------------------------------+

     .. note::

        OpenStack generates IDs dynamically, so you will see
        different values in the example command output.

   * Create the ``admin`` user:

     .. code-block:: console

        $ openstack user create --domain default \
          --password-prompt admin
        User Password:
        Repeat User Password:
        +-----------+----------------------------------+
        | Field     | Value                            |
        +-----------+----------------------------------+
        | domain_id | default                          |
        | enabled   | True                             |
        | id        | ac3377633149401296f6c0d92d79dc16 |
        | name      | admin                            |
        +-----------+----------------------------------+

   * Create the ``admin`` role:

     .. code-block:: console

        $ openstack role create admin
        +-------+----------------------------------+
        | Field | Value                            |
        +-------+----------------------------------+
        | id    | cd2cb9a39e874ea69e5d4b896eb16128 |
        | name  | admin                            |
        +-------+----------------------------------+

   * Add the ``admin`` role to the ``admin`` project and user:

     .. code-block:: console

        $ openstack role add --project admin --user admin admin

     .. note::

        This command provides no output.

   .. note::

      Any roles that you create must map to roles specified in the
      ``policy.json`` file in the configuration file directory of each
      OpenStack service. The default policy for most services grants
      administrative access to the ``admin`` role. For more information,
      see the Operations Guide - Managing Projects and Users.

#. This guide uses a service project that contains a unique user for each
   service that you add to your environment. Create the ``service``
   project:

   .. code-block:: console

      $ openstack project create --domain default \
        --description "Service Project" service
      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description | Service Project                  |
      | domain_id   | default                          |
      | enabled     | True                             |
      | id          | 894cdfa366d34e9d835d3de01e752262 |
      | is_domain   | False                            |
      | name        | service                          |
      | parent_id   | None                             |
      +-------------+----------------------------------+

#. Regular (non-admin) tasks should use an unprivileged project and user.
   As an example, this guide creates the ``demo`` project and user.

   * Create the ``demo`` project:

     .. code-block:: console

        $ openstack project create --domain default \
          --description "Demo Project" demo
        +-------------+----------------------------------+
        | Field       | Value                            |
        +-------------+----------------------------------+
        | description | Demo Project                     |
        | domain_id   | default                          |
        | enabled     | True                             |
        | id          | ed0b60bf607743088218b0a533d5943f |
        | is_domain   | False                            |
        | name        | demo                             |
        | parent_id   | None                             |
        +-------------+----------------------------------+

     .. note::

        Do not repeat this step when creating additional users for this
        project.

   * Create the ``demo`` user:

     .. code-block:: console

        $ openstack user create --domain default \
          --password-prompt demo
        User Password:
        Repeat User Password:
        +-----------+----------------------------------+
        | Field     | Value                            |
        +-----------+----------------------------------+
        | domain_id | default                          |
        | enabled   | True                             |
        | id        | 58126687cbcc4888bfa9ab73a2256f27 |
        | name      | demo                             |
        +-----------+----------------------------------+

   * Create the ``user`` role:

     .. code-block:: console

        $ openstack role create user
        +-------+----------------------------------+
        | Field | Value                            |
        +-------+----------------------------------+
        | id    | 997ce8d05fc143ac97d83fdfb5998552 |
        | name  | user                             |
        +-------+----------------------------------+

   * Add the ``user`` role to the ``demo`` project and user:

     .. code-block:: console

        $ openstack role add --project demo --user demo user

     .. note::

        This command provides no output.

.. note::

   You can repeat this procedure to create additional projects and users.
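
Because the default policy for most services grants administrative access to the ``admin`` role, it is worth checking who actually holds it once the procedure above is complete. The following is an added example, not part of the original guide: it audits the output of ``openstack role assignment list --names -f json`` against an allowlist. The JSON field names, the ``name@Domain`` form, the sample rows, and the function name ``audit_admin_grants`` are assumptions made for illustration.

```python
import json

# Constructed sample in the assumed shape of
# `openstack role assignment list --names -f json` (not output from the guide).
# Rows 3 and 4 simulate drift: the unprivileged demo user holding admin.
SAMPLE = """[
 {"Role": "admin", "User": "admin@Default", "Group": "",
  "Project": "admin@Default", "Domain": "", "Inherited": false},
 {"Role": "user", "User": "demo@Default", "Group": "",
  "Project": "demo@Default", "Domain": "", "Inherited": false},
 {"Role": "admin", "User": "demo@Default", "Group": "",
  "Project": "demo@Default", "Domain": "", "Inherited": false},
 {"Role": "admin", "User": "demo@Default", "Group": "",
  "Project": "", "Domain": "Default", "Inherited": false}
]"""

# The only privileged grant this guide creates: admin user on admin project.
# Extend this set for any other grants your deployment makes on purpose.
ALLOWED = frozenset({("admin@Default", "project", "admin@Default")})


def audit_admin_grants(assignments_json, privileged_role="admin",
                       allowed=ALLOWED):
    """Return sorted (principal, scope_type, scope) tuples that hold the
    privileged role but are not on the allowlist."""
    findings = []
    for row in json.loads(assignments_json):
        if row.get("Role") != privileged_role:
            continue
        # A grant targets a user or a group, on a project or a domain.
        principal = row.get("User") or row.get("Group") or "<unknown>"
        if row.get("Project"):
            scope = ("project", row["Project"])
        elif row.get("Domain"):
            scope = ("domain", row["Domain"])
        else:
            scope = ("other", "<unknown>")
        grant = (principal,) + scope
        if grant not in allowed:
            findings.append(grant)
    return sorted(findings)


if __name__ == "__main__":
    for principal, scope_type, scope in audit_admin_grants(SAMPLE):
        print(f"unexpected admin grant: {principal} on {scope_type} {scope}")
```
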