How to Create the Service Tenant and Service Users - Openstack

Creating the Service Tenant and Users

After you install the Identity service, create tenants (projects), users and roles for your environment to authenticate against. Without users, OpenStack cloud does not have much value as they allow access to services and endpoints.
With the service endpoints already created, we can now configure them so that our OpenStack services can utilize them. To do this, each service is configured with a username and password within a special service tenant. Configuring each service to have their own username and password allows for greater security, troubleshooting and, auditing within our environment. For each service that uses an OpenStack Identity service for authentication and authorization, we specify these details in their relevant configuration file, when setting up that service. Each service itself has to authenticate with keystone in order for it to be available within OpenStack. The configuration of that service is then done using these credentials. For example, for ‘glance’ we specify the following in /etc/ glance/glance-registry-api.ini, when used with OpenStack Identity service, which matches what we have created previously:
paste.filter_factory =
service_protocol = http
service_host =
service_port = 5000
auth_host =
auth_port = 35357
auth_protocol = http
auth_uri = https:// 5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance

To gain in-depth knowledge and be on par with practical experience, then explore  OpenStack Training course.


Getting started with OpenStack Controller

To begin with, ensure you’re logged into our OpenStack Controller host— where OpenStack Identity service has been installed— or an appropriate Ubuntu client that has access to where OpenStack Identity service is installed.
To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

MindMajix Youtube Channel

If the keystone client tool isn’t available, this can be installed on an Ubuntu client to manage our OpenStack Identity service, by issuing the following command:

sudo apt-get update
sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment:

export ENDPOINT = 1172.16.0.200
SERVICE_ENDPOINT = https:// ${ ENDPOINT}: 35357/ v2.0

How to achieve Service tenant

To configure an appropriate service tenant, carry out the following steps:
1) Create the service tenant (these are the organizational units in cloud to which you can assign users) as follows:

keystone tenant-create
–name service
–description “Service Tenant”
–enabled true

This produces output similar to what is shown as follows:
enabled true output

2) Record the ID of the service tenant, so that we can assign service users to this ID, as follows:

SERVICE_TENANT_ID = $( keystone tenant-list | awk ‘/ service / {print $ 2}’)

3) For each of the services in this section, we will create the user accounts to be named the same as the services and set the password to be the same as the service name too. For example, we will add a user called nova, with a password nova in the service tenant, using the user-create option, as follows:

keystone user-create
–name nova –pass nova
–tenant_id $ SERVICE_TENANT_ID
–email nova@ localhost
–enabled true

This will produce output similar to what is shown as follows: 

user-create option

4) We then repeat this for each of our other services that will use OpenStack Identity service:

keystone user-create
–name glance
–pass glance
–tenant_id $ SERVICE_TENANT_ID
–email glance@ localhost
–enabled true
keystone user-create
–name keystone
–pass keystone
–tenant_id $ SERVICE_TENANT_ID
–emailkeystone@ localhost
–enabled true
keystone user-create
–name cinder
–pass cinder
–tenant_id $ SERVICE_TENANT_ID
–email cinder@ localhost
–enabled true

5) We can now assign these users the admin role in the service tenant. To do this, we use the user-role-add option after retrieving the user ID of the nova user. For example, to add the admin role to the nova user in the service tenant, we do the following:

# Get the nova user id
NOVA_USER_ID = $( keystone user-list  | awk ‘/ nova / {print $ 2}’)
# Get the admin role id
ADMIN_ROLE_ID = $( keystone role-list  | awk ‘/ admin / {print $ 2}’)
# Assign the nova user the admin role in service tenant
keystone user-role-add
–user $ NOVA_USER_ID
–tenant_id $ SERVICE_TENANT_ID

6) We then repeat this for our other service users, glance, keystone and cinder:

# Get the glance user id
GLANCE_USER_ID = $( keystone user-list  | awk ‘/ glance / {print $ 2}’)
# Assign the glance user the admin role in service tenant
keystone user-role-add
–tenant_id $ SERVICE_TENANT_ID
# Get the keystone user id
KEYSTONE_USER_ID = $ (keystone user-list  | awk ‘/ keystone / {print $ 2}’)
# Assign the keystone user the admin role in service tenant
keystone user-role-add
–tenant_id $ SERVICE_TENANT_ID
# Get the cinder user id
CINDER_USER_ID = $ (keystone user-list   | awk ‘/ cinder / {print $ 2}’)
# Assign the cinder user the admin role in service tenant
keystone user-role-add
–tenant_id $ SERVICE_TENANT_ID

Projects, roles and tenants can be managed independently from each other.

How To Authenticate with OpenStack Identity service

Creation of the service tenant, populated with the services required to run OpenStack, is no different from creating any other users on our system that requires the admin role. We create the usernames and passwords and ensure they exist in the service tenant with the admin role assigned to each user. We then use these credentials while configuring the services to authenticate with OpenStack Identity service.

Explore OpenStack Sample Resumes! Download & Edit, Get Noticed by Top Employers!  Download Now!


Related Pages:
Openstack Tutorial

Interview Questions:
Openstack Interview Questions



Course Schedule
OpenStack TrainingJul 23 to Aug 07View Details
OpenStack TrainingJul 27 to Aug 11View Details
OpenStack TrainingJul 30 to Aug 14View Details
OpenStack TrainingAug 03 to Aug 18View Details
Last updated: 03 Apr 2023
About Author

Ravindra Savaram is a Technical Lead at His passion lies in writing articles on the most popular IT platforms including Machine learning, DevOps, Data Science, Artificial Intelligence, RPA, Deep Learning, and so on. You can stay up to date on all these technologies by following him on LinkedIn and Twitter.

read less
  1. Share:
OpenStack Articles