The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of DOMAINS, PROJECTS (tenants), USERS, and ROLES. After you install the Identity service, create TENANTS (projects), USERS, and ROLES for your environment.An OpenStack cloud does not have much value without users.
OpenStack ‘Add user’ for Identity service requires that the user has a tenant they can exist in, and have a role defined that can be assigned to them. In this section, we will create two users.
1. The first user will be named admin and will have the admin role assigned to them in the cookbook tenant.
2. The second user will be named demo and will have the Member role assigned to them in the same cookbook tenant.
To begin with, ensure that you’re logged into our OpenStack Controller host— where OpenStack Identity service has been installed— or an appropriate Ubuntu client that has access to the place where OpenStack Identity service is installed.
To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:
vagrant ssh controller
If the keystone client tool isn’t available, this can be installed on an Ubuntu client— to manage our OpenStack Identity service— by issuing the following commands:
sudo apt-get update
sudo apt-get -y install python-keystoneclient
Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:
How to achieve it…
To create the required users in our OpenStack environment, perform the following steps:
1) To create a user in the cookbook tenant, we first need to get the cookbook tenant ID. To do this, issue the following command, which we conveniently store in a variable named TENANT_ID with the tenant-list option:
2) Now that we have the tenant ID, creation of the admin user in the cookbook tenant is done as follows, using the user-create option, choosing a password for the user:
PASSWORD = openstack
–tenant_id $ TENANT_ID
–pass $ PASSWORD
–email root@ localhost
This will produce the following output:
3) As we are creating the admin user, to which we are assigning the admin role, we need the admin role ID. In a similar way to the discovery of the tenant ID in step 1, we pick out the ID of the admin role and conveniently store it in a variable to use it while assigning the role to the user with the role-list option:
4) To assign the role to our user, we need to use the user ID that was returned back when we created that user. To get this, we can list the users and pick out the ID for that particular user with the following user-list option:
5) Finally, with the tenant ID, user ID, and an appropriate role ID available, we can assign that role to the user, with the following user-role-add option:
Note that there is no output produced while successfully running this command.
6) The admin user also needs to be in the admin tenant for us to be able to administer the complete environment. To accomplish this we need to get the admin tenant ID and then repeat the previous step, using this new tenant ID, as follows:
7) To create the demo user in the cookbook tenant with the Member role assigned, we repeat the process as defined in steps 1 to 5:
How it works…
Adding users in OpenStack Identity service require that the tenant and roles for that user must be created first. Once these are available, in order to use the keystone command-line client, we need the IDs for the tenants and IDs of the roles that are to be assigned to the user in that tenant. Note that a user can be a member of many tenants and can have different roles assigned to each.
To create a user with the user-create option, the syntax is as follows:
The user_name attributes is an arbitrary name but should not have any spaces. A password attribute must be present. In the previous examples, these were set to openstack. The email_address attribute must also be present.
To assign a role to a user with the user-role-add option, the syntax is as follows:
This means we need to have the ID of the user, the ID of the role, and the ID of the tenant in order to assign roles to users. These IDs can be found using the following commands: