User management
The main components of Identity user management are:
User. Represents a
human user. Has associated information such as user
name, password, and email. This example creates a user
named alice:
$ keystone user-create --name alice --pass mypassword123 --email alice@example.com
Tenant. A project,
group, or organization. When you make requests to
OpenStack services, you must specify a tenant. For
example, if you query the Compute service for a list
of running instances, you get a list of all running
instances in the tenant that you specified in your
query. This example creates a tenant named
acme:
$ keystone tenant-create --name acme
Because the term project
was used instead of tenant in
earlier versions of OpenStack Compute, some
command-line tools use
--project_id instead of
--tenant-id or
--os-tenant-id to refer to
a tenant ID.
Role. Captures the
operations that a user can perform in a given tenant.
This example creates a role named
compute-user:
$ keystone role-create --name compute-user
Individual services, such as Compute and the
Image Service, assign meaning to roles. In the
Identity Service, a role is simply a name.
The Identity Service assigns a tenant and a role to a user.
You might assign the compute-user role to
the alice user in the
acme tenant:
$ keystone user-list
+--------+---------+-------------------+--------+
| id | enabled | email | name |
+--------+---------+-------------------+--------+
| 892585 | True | alice@example.com | alice |
+--------+---------+-------------------+--------+
$ keystone role-list
+--------+--------------+
| id | name |
+--------+--------------+
| 9a764e | compute-user |
+--------+--------------+
$ keystone tenant-list
+--------+------+---------+
| id | name | enabled |
+--------+------+---------+
| 6b8fd2 | acme | True |
+--------+------+---------+
$ keystone user-role-add --user 892585 --role 9a764e --tenant-id 6b8fd2
A user can have different roles in different tenants. For
example, Alice might also have the admin
role in the Cyberdyne tenant. A user can
also have multiple roles in the same tenant.
The
/etc/[SERVICE_CODENAME]/policy.json
file controls the tasks that users can perform for a given
service. For example,
/etc/nova/policy.json specifies the
access policy for the Compute service,
/etc/glance/policy.json specifies the
access policy for the Image Service, and
/etc/keystone/policy.json specifies
the access policy for the Identity Service.
The default policy.json files in the
Compute, Identity, and Image Service recognize only the
admin role: all operations that do not
require the admin role are accessible by
any user that has any role in a tenant.
If you wish to restrict users from performing operations in,
say, the Compute service, you need to create a role in the
Identity Service and then modify
/etc/nova/policy.json so that this
role is required for Compute operations.
For example, this line in
/etc/nova/policy.json specifies that
there are no restrictions on which users can create volumes:
if the user has any role in a tenant, they can create volumes
in that tenant.
"volume:create": [],
To restrict creation of volumes to users who had the
compute-user role in a particular
tenant, you would add "role:compute-user",
like so:
"volume:create": ["role:compute-user"],
To restrict all Compute service requests to require this
role, the resulting file would look like: