As an OpenStack cloud administrator, you can create, delete or modify projects, users, and roles in the Horizon dashboard or with the OpenStack CLI. OpenStack users can be members of one or more projects. OpenStack uses a role-based access control (RBAC) mechanism to manage access to cloud resources: an action is authorized only if the user holds the role required to perform it. Roles define which actions users can perform.

There are three main predefined roles in OpenStack:

  • admin: This is an administrative role that enables non-admin users to administer the environment.
  • member: Default role assigned to new users. This gets attached to a tenant.
  • reader: Mostly used for read-only APIs and operations.

Use the following command to list the available predefined roles in OpenStack:

$ openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1d07e8e4730e453f88fb14c5d342a7cd | member |
| 69952e0bf4bb44feaed4fd4f892eb424 | admin  |
| d638006a45cf49a7823cfcda5bf0c429 | reader |
+----------------------------------+--------+

To get details for a specified role, use the command:

$ openstack role show reader
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | d638006a45cf49a7823cfcda5bf0c429 |
| name        | reader                           |
+-------------+----------------------------------+

In this tutorial, we’ll create a project and users, then assign roles to the users.

1: Create OpenStack Project

A project is a group of zero or more users who consume cloud resources. We’ll use OpenStack CLI for all operations. If you’re new to it, check our previous guide:

How To Install and Configure OpenStack Client on Linux

To create an OpenStack project from CLI, run the command:

$ openstack project create --description "Development Project" dev
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Development Project              |
| domain_id   | default                          |
| enabled     | True                             |
| id          | be1444931c0949b49db107b893017379 |
| is_domain   | False                            |
| name        | dev                              |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

If you have multiple domains, specify the domain for the new project with the --domain option. I have only one domain.

$ openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+

List created projects.

$ openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 06bcc3c56ab1489282b65681e782d7f6 | admin   |
| 0766331616c7429a9b459d0d642cc4db | service |
| 587cfc85df274629a2d7a7b33b52446c | lab     |
| be1444931c0949b49db107b893017379 | dev     |
+----------------------------------+---------+

To show Project information, run:

$ openstack project show dev
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Development Project              |
| domain_id   | default                          |
| enabled     | True                             |
| id          | be1444931c0949b49db107b893017379 |
| is_domain   | False                            |
| name        | dev                              |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Common Project Operations

  • Rename Project:
$ openstack project set PROJECT_ID --name newprojectname
  • Temporarily disable a project:
$ openstack project set PROJECT_ID --disable
  • Enable a disabled project:
$ openstack project set PROJECT_ID --enable
  • Delete a project:
$ openstack project delete PROJECT_ID

2: Create OpenStack Users

We’ll add two users – user1 and user2. The default project for both users is the dev project we created earlier.

$ openstack user create --email "[email protected]" \
--description "Dev User1" --project dev --password-prompt user1

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | be1444931c0949b49db107b893017379 |
| description         | Dev User1                        |
| domain_id           | default                          |
| email               | [email protected]                |
| enabled             | True                             |
| id                  | eb0f38e04c124288bc1f3a6c8c9b265f |
| name                | user1                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

With the --password-prompt argument, you’ll get an interactive prompt for the password.

Create user2:

$ openstack user create --email "[email protected]" \
--description "Dev User2" --project dev --password "StrongUserPass" user2

+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | be1444931c0949b49db107b893017379 |
| description         | Dev User2                        |
| domain_id           | default                          |
| email               | [email protected]                |
| enabled             | True                             |
| id                  | 7322efdb32da4b2d9ee695d63f60c930 |
| name                | user2                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

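The user will be created with the password provided through the --password argument. Unlike --password-prompt, this places the password on the command line, where it can be saved in shell history and is visible in the process list while the command runs.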

List OpenStack users:

$ openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 10b837c94f3f47d0aeacd9a814af26d8 | nova      |
| 336acbb7421f47f8be4891eabf0c9cc8 | admin     |
| 3ee7a2ae291b48dba21c450f48fc6f75 | placement |
| 79bdacc586444278bc4e0e0a533227e7 | cinder    |
| 858dcd522daa4bffa71eef82246c81b1 | swift     |
| 97c71757453749948cc22dce0ffc5722 | neutron   |
| c6f7a4ae1cc041efb3e6653aefd02082 | glance    |
| eb0f38e04c124288bc1f3a6c8c9b265f | user1     |
| 7322efdb32da4b2d9ee695d63f60c930 | user2     |
+----------------------------------+-----------+

Common User Operations

  • Change the name and email address for a user account:
$ openstack user set USER_NAME --name new-name --email [email protected]
  • Temporarily disable a user account:
$ openstack user set USER_NAME --disable
  • Enable a disabled user account:
$ openstack user set USER_NAME --enable
  • Delete a specified user account:
$ openstack user delete USER_NAME

3: Assign Roles to Users

First list the available roles:

$ openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1d07e8e4730e453f88fb14c5d342a7cd | member |
| 69952e0bf4bb44feaed4fd4f892eb424 | admin  |
| d638006a45cf49a7823cfcda5bf0c429 | reader |
+----------------------------------+--------+

Users can be members of multiple projects. To assign a user to a project, you must assign the role to a user-project pair. We’ll use the project and users we created earlier on.

Get a list of users to assign roles to – note the user ID/name.

$ openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 10b837c94f3f47d0aeacd9a814af26d8 | nova      |
| 336acbb7421f47f8be4891eabf0c9cc8 | admin     |
| 3ee7a2ae291b48dba21c450f48fc6f75 | placement |
| 7322efdb32da4b2d9ee695d63f60c930 | user2     |
| 79bdacc586444278bc4e0e0a533227e7 | cinder    |
| 858dcd522daa4bffa71eef82246c81b1 | swift     |
| 97c71757453749948cc22dce0ffc5722 | neutron   |
| c6f7a4ae1cc041efb3e6653aefd02082 | glance    |
| eb0f38e04c124288bc1f3a6c8c9b265f | user1     |
+----------------------------------+-----------+

List roles to assign – note the role ID/name.

$ openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1d07e8e4730e453f88fb14c5d342a7cd | member |
| 69952e0bf4bb44feaed4fd4f892eb424 | admin  |
| d638006a45cf49a7823cfcda5bf0c429 | reader |
+----------------------------------+--------+

Get project name / ID.

$ openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 06bcc3c56ab1489282b65681e782d7f6 | admin   |
| 0766331616c7429a9b459d0d642cc4db | service |
| 587cfc85df274629a2d7a7b33b52446c | lab     |
| be1444931c0949b49db107b893017379 | dev     |
+----------------------------------+---------+

The syntax to assign a role to a user-project pair is:

$ openstack role add --user USER_NAME --project TENANT_ID ROLE_NAME

Example:

Assign user1 the admin role for the dev project.

$ openstack role add --user user1 --project dev admin

Assign user2 the member role in the dev and lab projects:

$ openstack role add --user user2 --project dev member
$ openstack role add --user user2 --project lab member

View the users' role assignments.

$ openstack role assignment list --user user1
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 69952e0bf4bb44feaed4fd4f892eb424 | eb0f38e04c124288bc1f3a6c8c9b265f |       | be1444931c0949b49db107b893017379 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

$ openstack role assignment list --user user2
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 1d07e8e4730e453f88fb14c5d342a7cd | 7322efdb32da4b2d9ee695d63f60c930 |       | 587cfc85df274629a2d7a7b33b52446c |        |        | False     |
| 1d07e8e4730e453f88fb14c5d342a7cd | 7322efdb32da4b2d9ee695d63f60c930 |       | be1444931c0949b49db107b893017379 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
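One way to review the assignments made above, as an added example that is not part of the original tutorial: it reads the JSON form of the same listing (`openstack role assignment list -f json`) and reports every admin grant that is not on an allowlist. The sample rows, the allowlist and the function names are constructed for illustration; the IDs are the ones shown in the tables on this page.

```python
import json

# Name lookups copied from the `role list`, `user list` and `project list` tables above.
ROLES = {"1d07e8e4730e453f88fb14c5d342a7cd": "member",
         "69952e0bf4bb44feaed4fd4f892eb424": "admin",
         "d638006a45cf49a7823cfcda5bf0c429": "reader"}
USERS = {"eb0f38e04c124288bc1f3a6c8c9b265f": "user1",
         "7322efdb32da4b2d9ee695d63f60c930": "user2",
         "336acbb7421f47f8be4891eabf0c9cc8": "admin"}
PROJECTS = {"be1444931c0949b49db107b893017379": "dev",
            "587cfc85df274629a2d7a7b33b52446c": "lab",
            "06bcc3c56ab1489282b65681e782d7f6": "admin"}

def _row(role, user, project):
    # Build one row with the same columns as the `role assignment list` table.
    ident = lambda table, name: next(k for k, v in table.items() if v == name)
    return {"Role": ident(ROLES, role), "User": ident(USERS, user), "Group": "",
            "Project": ident(PROJECTS, project), "Domain": "", "System": "",
            "Inherited": False}

# Constructed sample input. The first three rows mirror the assignments made in
# this tutorial; the last one (admin user on the admin project) is assumed.
SAMPLE_JSON = json.dumps([
    _row("admin", "user1", "dev"),
    _row("member", "user2", "lab"),
    _row("member", "user2", "dev"),
    _row("admin", "admin", "admin"),
])

def unexpected_admins(assignments_json, allowed):
    """Return sorted (principal, scope) pairs that hold admin and are not in `allowed`."""
    findings = set()
    for a in json.loads(assignments_json):
        # Unknown values pass through unchanged, so role names work as well as IDs.
        if ROLES.get(a["Role"], a["Role"]) != "admin":
            continue
        # A grant targets a user or a group, on a project, domain or system scope.
        principal = (USERS.get(a["User"], a["User"]) if a.get("User")
                     else "group:" + a.get("Group", ""))
        if a.get("Project"):
            scope = "project:" + PROJECTS.get(a["Project"], a["Project"])
        elif a.get("Domain"):
            scope = "domain:" + a["Domain"]
        else:
            scope = "system:" + str(a.get("System", ""))
        if (principal, scope) not in allowed:
            findings.add((principal, scope))
    return sorted(findings)

if __name__ == "__main__":
    for who, scope in unexpected_admins(SAMPLE_JSON, {("admin", "project:admin")}):
        print(f"review: {who} holds admin on {scope}")
```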

Removing a role from a user-project pair, then listing the remaining assignments for that pair:

$ openstack role remove --user USER_NAME --project TENANT_ID ROLE_NAME
$ openstack role assignment list --user USER_NAME --project TENANT_ID --names

Testing User Roles

Log in to the OpenStack Dashboard and check the view for user1:

Dashboard view for user with admin role.

Dashboard view for user2 – member of two projects.
