Configuring OpenStack Keystone user & Role Management - OPENSTACK

Configuring OpenStack roles

A role is nothing more than a personality that a user assumes while performing a specific set of operations. A role includes a set of rights and privileges; a user who assumes that role inherits those rights and privileges. One can create, edit and delete an OpenStack role.

Roles are the permissions given to users within a tenant; OpenStack uses role-based access control (RBAC). Here we will configure two roles: an admin role that allows administration of our environment, and a Member role that is given to ordinary users who will be using the cloud environment.
In a default OpenStack setup, these two roles are created:

1. The Member role, which, when granted to a user on a project, allows that user to manage resources (instances, volumes, …) in the project.
2. The admin role, which, when granted to a user on any project, gives that user total control over the whole OpenStack platform. Although this is the current behaviour, it has been marked as a bug.

Getting started

To begin with, ensure that you're logged into our OpenStack Controller host (where the OpenStack Identity service has been installed), or into an appropriate Ubuntu client that has access to the host where the OpenStack Identity service is installed.
To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

If the keystone client tool isn't available, it can be installed on any Ubuntu client that has access to manage our OpenStack Identity service by issuing the following commands:

sudo apt-get update
sudo apt-get -y install python-keystoneclient

To configure the OpenStack Identity service, we use super-user privileges in the form of a permanently set admin token, set in the /etc/keystone/keystone.conf file, along with the correct environment variables for this purpose, as shown:

export ENDPOINT=
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

How to achieve it…

To create the required roles in our OpenStack environment, perform the following steps:
1. Create the admin role as follows:
# admin role
keystone role-create --name admin
When successful, the command prints the new role's ID and name.

2. To create the Member role, we repeat the step, specifying the Member role:
# Member role
keystone role-create --name Member

How it works…

Creation of the roles is simply achieved by using the keystone client, specifying the role-create option with the following syntax:

keystone role-create --name role_name

The role_name value can't be arbitrary. The admin role is referenced in /etc/keystone/policy.json and carries its own administrative rights. Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role:
"admin_required": [["role:admin"],
["is_admin:1"]]
And when we configure the OpenStack Dashboard, Horizon, it has the Member role configured as the default role given to users created through that interface.
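The "admin_required" rule above uses the legacy list-of-lists policy syntax: the outer list is an OR of alternatives, and each inner list is an AND of individual checks, so the rule reads "has the admin role, or is using the admin token". The following is an added example, not code from the page or from Keystone itself: a small, simplified re-implementation of how such rules are evaluated (role checks are case-insensitive, other checks compare the string form of a credential field, and "rule:" references recurse), run against a constructed policy excerpt. Only the "admin_required" line is taken from the page; the other rule names and the credential dictionaries are assumed for illustration. It also shows why the text calls the admin role's reach a bug: the rule never looks at which project the role was granted on.

```python
import json

# Constructed policy excerpt in the legacy list-of-lists format quoted in the text.
# Only "admin_required" is from the page; the remaining rules are illustrative and
# follow the same syntax ("rule:" refers to another rule, [] means always allowed).
POLICY_JSON = """
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:create_role": [["rule:admin_required"]],
    "identity:get_user": [["rule:admin_or_owner"]],
    "identity:list_regions": []
}
"""

POLICY = json.loads(POLICY_JSON)


def _generic_check(kind, match, creds, target):
    """Compare the string form of creds[kind] with 'match' after substituting
    %(field)s placeholders from the target of the request (the object acted on)."""
    try:
        match = match % target
    except KeyError:
        return False  # the target lacks a field the rule needs: deny
    if kind not in creds:
        return False
    return str(creds[kind]) == match


def _check_atom(atom, creds, target, policy):
    """Evaluate one 'kind:match' check."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, policy)
    if kind == "role":
        # role names are compared case-insensitively; note that the project the
        # role was granted on is never consulted here
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return _generic_check(kind, match, creds, target)


def enforce(rule, creds, target, policy=POLICY):
    """Return True if 'creds' satisfy 'rule' for 'target' under 'policy'."""
    alternatives = policy.get(rule)
    if alternatives is None:
        return False  # undefined rule: deny (this excerpt has no "default" rule)
    if alternatives == []:
        return True  # empty list means "always allowed" in the legacy format
    return any(
        all(_check_atom(atom, creds, target, policy) for atom in conjunction)
        for conjunction in alternatives
    )


if __name__ == "__main__":
    # Constructed credential sets: an ordinary Member user and an admin user.
    member = {"roles": ["Member"], "user_id": "u-1", "is_admin": 0}
    admin = {"roles": ["admin"], "user_id": "u-2", "is_admin": 0}
    for who, creds in (("Member", member), ("admin", admin)):
        print(who, "may create roles:", enforce("identity:create_role", creds, {}))
```

The credential dictionary stands in for what the Identity service derives from a validated token; `is_admin` is set only for requests made with the admin token from keystone.conf, which is why that token must be guarded as carefully as the admin role itself.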

On creation of the role, an ID associated with it is returned, which we use when assigning roles to users. To see a list of roles and their associated IDs in our environment, we can issue the following command:

keystone role-list
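Because the role IDs are what later commands consume, it is useful to turn the table that `keystone role-list` prints into a name-to-ID map and to check that the roles the policy expects actually exist before creating them again. The following is an added example, not code from the page or from python-keystoneclient: it parses a constructed copy of the CLI's table output (the IDs are made up, but shaped like real 32-hex-character IDs), reports which of the required roles are missing, and produces the role-create commands from the text for just those. The helper names and the `swiftoperator` row are assumptions for illustration.

```python
import re
import subprocess

# Constructed sample of the table `keystone role-list` prints; the ids are made up
# and the swiftoperator row is only there to show a third, unrelated role.
SAMPLE_ROLE_LIST = """\
+----------------------------------+---------------+
|                id                |      name     |
+----------------------------------+---------------+
| 36e05d6bfad44768a7ab9ec8ebad68fa |     admin     |
| 6c4d1a6e7f1a4a8b9f3c2d1e0a9b8c7d |     Member    |
| 0f1e2d3c4b5a69788796a5b4c3d2e1f0 | swiftoperator |
+----------------------------------+---------------+
"""

ROLE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_role_list(output):
    """Map role name -> role id from the table printed by `keystone role-list`."""
    roles = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # '+----+' borders and blank lines carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2 or cells == ["id", "name"]:
            continue  # header row, or not a two-column data row
        role_id, name = cells
        if not ROLE_ID_RE.match(role_id):
            raise ValueError("unexpected role id %r for role %r" % (role_id, name))
        roles[name] = role_id
    return roles


def missing_roles(required, roles):
    """Names from 'required' absent from 'roles'; the match is exact and
    case-sensitive, so 'member' is not 'Member'."""
    return [name for name in required if name not in roles]


def role_create_commands(names):
    """The role-create commands from the text, one per missing role."""
    return ["keystone role-create --name %s" % name for name in names]


def live_role_list():
    """Run the real CLI; needs the admin-token environment variables described in
    the text. Not used by the offline demo below."""
    return subprocess.check_output(["keystone", "role-list"]).decode()


if __name__ == "__main__":
    roles = parse_role_list(SAMPLE_ROLE_LIST)
    todo = missing_roles(["admin", "Member"], roles)
    print("existing roles:", roles)
    print("to create:", role_create_commands(todo) or "nothing, both roles present")
```

Feeding `live_role_list()` instead of the constructed sample into `parse_role_list` gives the same check against a real deployment, and the `ValueError` on a malformed ID catches the case where the CLI printed an error banner instead of the table.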
