How to Create the Service Tenant and Service Users - Openstack

Creating the Service Tenant and Service Users

After you install the Identity service, create tenants (projects), users and roles for your environment to authenticate against. Without users, an OpenStack cloud has little value, since users are what grant access to services and endpoints.
With the service endpoints already created, we can now configure them so that our OpenStack services can use them. To do this, each service is given its own username and password within a special service tenant. Giving each service its own credentials allows for greater security, easier troubleshooting and auditing within our environment. For each service that uses the OpenStack Identity service for authentication and authorization, we specify these details in its configuration file when setting up that service. Each service has to authenticate with Keystone in order to be available within OpenStack, and the configuration of that service is then done using these credentials. For example, for glance we specify the following in /etc/glance/glance-registry-api.ini when used with the OpenStack Identity service, matching what we have created previously:
paste.filter_factory =
service_protocol = http
service_host =
service_port = 5000
auth_host =
auth_port = 35357
auth_protocol = http
auth_uri = http:// 5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance

Getting started

To begin with, ensure you're logged into our OpenStack Controller host (where the OpenStack Identity service has been installed) or an appropriate Ubuntu client that has access to where the OpenStack Identity service is installed.
To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

If the keystone client tool isn't available, it can be installed on an Ubuntu client to manage our OpenStack Identity service by issuing the following commands:

sudo apt-get update
sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment:

export ENDPOINT=172.16.0.200
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0
# The keystone client also needs SERVICE_TOKEN (the admin_token from keystone.conf) exported.

How to achieve it…

To configure an appropriate service tenant, carry out the following steps:
1) Create the service tenant (these are the organizational units in the cloud to which you can assign users) as follows:

keystone tenant-create \
    --name service \
    --description "Service Tenant" \
    --enabled true

This produces output similar to what is shown as follows:

2) Record the ID of the service tenant, so that we can assign service users to this ID, as follows:

SERVICE_TENANT_ID=$(keystone tenant-list | awk '/ service / {print $2}')

3) For each of the services in this section, we will create user accounts named the same as the services, and set each password to be the same as the service name too. For example, we will add a user called nova, with the password nova, in the service tenant using the user-create option, as follows:

keystone user-create \
    --name nova --pass nova \
    --tenant_id $SERVICE_TENANT_ID \
    --email nova@localhost \
    --enabled true

This will produce output similar to what is shown as follows: 

4) We then repeat this for each of our other services that will use the OpenStack Identity service:

keystone user-create \
    --name glance \
    --pass glance \
    --tenant_id $SERVICE_TENANT_ID \
    --email glance@localhost \
    --enabled true
keystone user-create \
    --name keystone \
    --pass keystone \
    --tenant_id $SERVICE_TENANT_ID \
    --email keystone@localhost \
    --enabled true
keystone user-create \
    --name cinder \
    --pass cinder \
    --tenant_id $SERVICE_TENANT_ID \
    --email cinder@localhost \
    --enabled true

5) We can now assign these users the admin role in the service tenant. To do this, we use the user-role-add option after retrieving the user ID of the nova user. For example, to add the admin role to the nova user in the service tenant, we do the following:

# Get the nova user id
NOVA_USER_ID=$(keystone user-list | awk '/ nova / {print $2}')
# Get the admin role id
ADMIN_ROLE_ID=$(keystone role-list | awk '/ admin / {print $2}')
# Assign the nova user the admin role in the service tenant
keystone user-role-add \
    --user $NOVA_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID

6) We then repeat this for our other service users, glance, keystone and cinder:

# ADMIN_ROLE_ID and SERVICE_TENANT_ID were set in the previous steps
# Get the glance user id
GLANCE_USER_ID=$(keystone user-list | awk '/ glance / {print $2}')
# Assign the glance user the admin role in the service tenant
keystone user-role-add \
    --user $GLANCE_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID
# Get the keystone user id
KEYSTONE_USER_ID=$(keystone user-list | awk '/ keystone / {print $2}')
# Assign the keystone user the admin role in the service tenant
keystone user-role-add \
    --user $KEYSTONE_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID
# Get the cinder user id
CINDER_USER_ID=$(keystone user-list | awk '/ cinder / {print $2}')
# Assign the cinder user the admin role in the service tenant
keystone user-role-add \
    --user $CINDER_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID

Projects, roles and tenants can be managed independently from each other.
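The six steps above, collected into one re-runnable script as an added example (not part of the original recipe): it looks objects up by exact name before creating them, and gives each service user a random password recorded in a 0600 file instead of a password equal to the username. It assumes the v2.0 keystone CLI is on PATH with SERVICE_ENDPOINT and SERVICE_TOKEN exported as above; the credentials file path is an example.

```bash
#!/bin/bash
# Added example, not from the original recipe. Assumes the v2.0 keystone CLI is
# on PATH and SERVICE_ENDPOINT / SERVICE_TOKEN are exported as set up earlier.
set -eu

# Print the id column of the keystone table row whose name column matches $2
# exactly (so "glance" does not also match "glance-swift"); empty if absent.
id_of() {   # id_of <tenant-list|user-list|role-list> <name>
    keystone "$1" | awk -F'|' -v n="$2" \
        '$3 ~ ("^ *" n " *$") { gsub(/ /, "", $2); print $2 }'
}
# Create the tenant only if it does not exist yet; print its id either way.
ensure_tenant() {   # ensure_tenant <name> <description>
    local id
    id=$(id_of tenant-list "$1")
    if [ -z "$id" ]; then
        keystone tenant-create --name "$1" --description "$2" --enabled true >/dev/null
        id=$(id_of tenant-list "$1")
    fi
    printf '%s\n' "$id"
}
# Create a service user with a random password (appended to <pwfile>) and give it
# the admin role in the tenant; reuse the user untouched if it already exists.
ensure_service_user() {   # ensure_service_user <name> <tenant_id> <role_id> <pwfile>
    local name=$1 tenant_id=$2 role_id=$3 pwfile=$4 id pass
    id=$(id_of user-list "$name")
    if [ -z "$id" ]; then
        pass=$(head -c 24 /dev/urandom | base64)
        keystone user-create --name "$name" --pass "$pass" --tenant_id "$tenant_id" \
            --email "$name@localhost" --enabled true >/dev/null
        printf '%s=%s\n' "$name" "$pass" >> "$pwfile"
        id=$(id_of user-list "$name")
        # user-role-add is not idempotent, so assign the role only on creation.
        keystone user-role-add --user "$id" --role "$role_id" --tenant_id "$tenant_id"
    fi
    printf '%s\n' "$id"
}
# Build the service tenant with one admin-role user per service; the generated
# credentials land in a 0600 file that the service config files are pointed at.
create_service_accounts() {   # create_service_accounts [pwfile]
    local pwfile=${1:-service-credentials.env} tenant_id role_id svc
    ( umask 077; : >> "$pwfile" )
    tenant_id=$(ensure_tenant service "Service Tenant")
    role_id=$(id_of role-list admin)
    [ -n "$role_id" ] || { echo "admin role not found" >&2; return 1; }
    for svc in nova glance keystone cinder; do
        ensure_service_user "$svc" "$tenant_id" "$role_id" "$pwfile" >/dev/null
    done
}
# Invoke with: create_service_accounts /root/service-credentials.env
```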

How it works…

Creating the service tenant, populated with the services required to run OpenStack, is no different from creating any other user on our system that requires the admin role. We create the usernames and passwords and ensure they exist in the service tenant with the admin role assigned to each user. We then use these credentials when configuring the services to authenticate with the OpenStack Identity service.
