OpenStack Add User to Tenant – KeyStone User

Adding users

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users, and roles. After you install the Identity service, create tenants (projects), users, and roles for your environment. An OpenStack cloud does not have much value without users.

Adding a user to the OpenStack Identity service requires a tenant for the user to belong to and a defined role that can be assigned to them. In this section, we will create two users.

  • The first user will be named admin and will have the admin role assigned to them in the cookbook tenant.
  • The second user will be named demo and will have the Member role assigned to them in the same cookbook tenant.

Getting started

To begin with, ensure that you're logged in to our OpenStack Controller host, where the OpenStack Identity service has been installed, or to an appropriate Ubuntu client that has access to the place where the OpenStack Identity service is installed.

To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

If the keystone client tool isn't available, it can be installed on an Ubuntu client, to manage our OpenStack Identity service, by issuing the following commands:

sudo apt-get update

sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export ENDPOINT=CONTROLLER_ADDRESS   # placeholder: address of the OpenStack Controller host
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

How to achieve it…

To create the required users in our OpenStack environment, perform the following steps:

1) To create a user in the cookbook tenant, we first need the cookbook tenant ID. To get it, issue the following command, which uses the tenant-list option and conveniently stores the result in a variable named TENANT_ID:

TENANT_ID=$(keystone tenant-list \
    | awk '/\ cookbook\ / {print $2}')

2) Now that we have the tenant ID, creation of the admin user in the cookbook tenant is done as follows, using the user-create option, choosing a password for the user:

# Example password used throughout this recipe; choose your own
PASSWORD=openstack

keystone user-create \
    --name admin \
    --tenant_id "$TENANT_ID" \
    --pass "$PASSWORD" \
    --email root@localhost \
    --enabled true

This will produce the following output:


3) As we are creating the admin user, to which we are assigning the admin role, we need the admin role ID. In a similar way to the discovery of the tenant ID in step 1, we use the role-list option to pick out the ID of the admin role and conveniently store it in a variable for use when assigning the role to the user:

ROLE_ID=$(keystone role-list \
    | awk '/\ admin\ / {print $2}')

4) To assign the role to our user, we need the user ID that was returned when we created that user. To get this, we can list the users with the user-list option and pick out the ID for that particular user:

USER_ID=$(keystone user-list \
    | awk '/\ admin\ / {print $2}')

5) Finally, with the tenant ID, user ID, and an appropriate role ID available, we can assign that role to the user, with the following user-role-add option:

keystone user-role-add \
    --user "$USER_ID" \
    --role "$ROLE_ID" \
    --tenant_id "$TENANT_ID"


Note that there is no output produced while successfully running this command.

6) The admin user also needs to be in the admin tenant for us to be able to administer the complete environment. To accomplish this, we need to get the admin tenant ID and then repeat the previous step, using this new tenant ID, as follows:

ADMIN_TENANT_ID=$(keystone tenant-list \
    | awk '/\ admin\ / {print $2}')

keystone user-role-add \
    --user "$USER_ID" \
    --role "$ROLE_ID" \
    --tenant_id "$ADMIN_TENANT_ID"

7) To create the demo user in the cookbook tenant with the Member role assigned, we repeat the process as defined in steps 1 to 5:

# Get the cookbook tenant ID
TENANT_ID=$(keystone tenant-list \
    | awk '/\ cookbook\ / {print $2}')

# Create the user
PASSWORD=openstack
keystone user-create \
    --name demo \
    --tenant_id "$TENANT_ID" \
    --pass "$PASSWORD" \
    --email demo@localhost \
    --enabled true

# Get the Member role ID
ROLE_ID=$(keystone role-list \
    | awk '/\ Member\ / {print $2}')

# Get the demo user ID
USER_ID=$(keystone user-list \
    | awk '/\ demo\ / {print $2}')

# Assign the Member role to the demo user in cookbook
keystone user-role-add \
    --user "$USER_ID" \
    --role "$ROLE_ID" \
    --tenant_id "$TENANT_ID"
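The ID lookups in the steps above match the name anywhere in a table row, and an empty or multi-line result would flow straight into user-role-add. The following added example (not part of the original recipe) matches only the name column and fails closed unless exactly one row matches; the helper names lookup_id and naive_count and the sample table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: exact-match ID lookup over keystone *-list table output.

# Constructed sample of `keystone user-list` output (IDs and rows are made up).
SAMPLE_USER_LIST='+----------------------------------+-------+---------+----------------+
|                id                |  name | enabled |     email      |
+----------------------------------+-------+---------+----------------+
| 11111111111111111111111111111111 | admin |   True  | root@localhost |
| 22222222222222222222222222222222 |  demo |   True  | demo@localhost |
| 33333333333333333333333333333333 |  ops  |   True  |     admin      |
+----------------------------------+-------+---------+----------------+'

# lookup_id NAME (hypothetical helper): read a table on stdin and print the id
# of the single row whose "name" column equals NAME; exit 1 on 0 or >1 matches.
lookup_id() {
    awk -F'|' -v want="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\+/ { next }                       # border lines carry no data
        !idc {                               # first data line is the header
            for (i = 2; i < NF; i++) {
                if (trim($i) == "id")   idc = i
                if (trim($i) == "name") namec = i
            }
            next
        }
        namec && trim($namec) == want { id = trim($idc); n++ }
        END { if (n != 1) exit 1; print id }'
}

# Row-wide pattern as used in the recipe (spaces left unescaped here):
# it matches " admin " in any column, so it returns two IDs for this table.
naive_count() {
    printf '%s\n' "$SAMPLE_USER_LIST" | awk '/ admin / {print $2}' | wc -l | tr -d ' '
}

# Fail closed: stop before any role assignment if the lookup is ambiguous.
if USER_ID=$(printf '%s\n' "$SAMPLE_USER_LIST" | lookup_id admin); then
    echo "admin user ID: $USER_ID (row-wide pattern matched $(naive_count) rows)"
else
    echo "lookup failed: refusing to continue" >&2
fi
```

Against a live service, pipe the real command into the helper, for example `keystone user-list | lookup_id admin`, and run user-role-add only when it succeeds.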

How it works…

Adding users in the OpenStack Identity service requires that the tenant and roles for that user are created first. Once these are available, in order to use the keystone command-line client, we need the IDs of the tenants and the IDs of the roles that are to be assigned to the user in that tenant. Note that a user can be a member of many tenants and can have different roles assigned in each.

To create a user with the user-create option, the syntax is as follows:

keystone user-create \
    --name user_name \
    --tenant_id TENANT_ID \
    --pass PASSWORD \
    --email email_address \
    --enabled true

The user_name attribute is an arbitrary name but should not have any spaces. A password attribute must be present. In the previous examples, these were set to openstack. The email_address attribute must also be present.

To assign a role to a user with the user-role-add option, the syntax is as follows:

keystone user-role-add \
    --user USER_ID \
    --role ROLE_ID \
    --tenant_id TENANT_ID

This means we need to have the ID of the user, the ID of the role, and the ID of the tenant in order to assign roles to users. These IDs can be found using the following commands:

keystone tenant-list

keystone role-list

keystone user-list

