As an OpenStack Cloud Administrator you’re often tasked with the management of projects, users, and roles. These are the key building blocks of OpenStack resources, prior to deploying applications of any sort. Projects in OpenStack, also known as Accounts, are organizational units in the cloud to which you can assign users. A user can be a member of one or more projects.

Roles define which actions a user can perform on one or more projects. Actions for OpenStack service roles can be defined in the /etc/PROJECT/policy.json files. For example, the actions for Compute (Nova) service roles are defined in the /etc/nova/policy.json file.

In this article our focus will be on adding, updating, and deleting projects and users in an OpenStack cloud platform. Additionally, we’ll assign users to one or more projects, and demonstrate how you can change or remove the assignment for users.

#1: Download OpenStack RC file

Before you can start running client commands, the OpenStack RC file must be downloaded and sourced in the current shell environment.

To download the OpenStack RC file, log in to the OpenStack dashboard and go to Project > API Access.

On the API Access section, use the “Download OpenStack RC File” link to pull and save the file:

As a security mechanism the file won’t contain the user password. You’ll be asked to set the password when sourcing the file.

$ source ~/Downloads/admin-openrc.sh
Please enter your OpenStack Password for project admin as user admin:

Run OpenStack client commands to list services just to confirm it is working:

$ openstack service list
+----------------------------------+------------+-----------------+
| ID                               | Name       | Type            |
+----------------------------------+------------+-----------------+
| 09972fea37f443b0af160465e78cd469 | gnocchi    | metric          |
| 0e0d846b425241a683eca5986fc1f299 | glance     | image           |
| 380af34ae5c94bb2b54cb296e9ef0637 | ceilometer | metering        |
| 52804283a69645ffb22f1dad172c4cd3 | nova       | compute         |
| 5619393b45b0420e9f571f02ec186e76 | neutron    | network         |
| 596d02eff54c444bb8a7716de9a2af1d | swift      | object-store    |
| 5c6e2d94251e46b4b18f08cf535531e1 | heat       | orchestration   |
| 641c62c0db494f1e9ab84839b38f7658 | manila     | share           |
| 6c66a4a0d9d646d09df37d57df5f89a5 | octavia    | load-balancer   |
| 80c0fdfa48bf4585854d0673a06cebbd | cinderv3   | volumev3        |
| 8e7ffcc885344747a753df6a24f09796 | keystone   | identity        |
| 99f57f4de8694a28955a08bdae75b466 | magnum     | container-infra |
| 9c8f4b8436344713948ce6223cb113d2 | heat-cfn   | cloudformation  |
| c2c717ae28f04a439a72963dcdade907 | manilav2   | sharev2         |
| dc067b35750147a7a0215b52e8bbc333 | cinderv2   | volumev2        |
| ed462c9cdaf2493fbf59c426a028b84a | aodh       | alarming        |
| f457381341214ffc93ad8dec8d2f176c | placement  | placement       |
+----------------------------------+------------+-----------------+

You can optionally comment out the lines that prompt for the password and set it statically in the file:

$ vim ~/Downloads/admin-openrc.sh
# With Keystone you pass the keystone password.
#echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
#read -sr OS_PASSWORD_INPUT
#export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_PASSWORD='AdminUserPassword'

$ mv ~/Downloads/admin-openrc.sh ~/keystonerc_admin
$ source ~/keystonerc_admin

You can also have the file sourced automatically from ~/.bashrc:

$ vim ~/.bashrc
source ~/keystonerc_admin

# or in .bash_profile
$ vim ~/.bash_profile
source ~/keystonerc_admin
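
Once the password is stored statically and the file is sourced on every login, the RC file is a credential file. The check below is an added example, not part of the original article: the function name audit_rc_file and the sample file it builds are assumptions made for illustration. It reports a static OS_PASSWORD that group or other users can read.

```bash
# Added example: audit an RC file such as ~/keystonerc_admin.
# Returns 0 when acceptable, 1 when a static password is readable by
# group/other, 2 when the file does not exist.
audit_rc_file() {
    rc=$1
    [ -f "$rc" ] || { echo "missing: $rc"; return 2; }

    # An uncommented OS_PASSWORD assignment with a literal value means the
    # secret is on disk. The stock prompt path assigns from $OS_PASSWORD_INPUT
    # and is not matched.
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=[^$[:space:]]' "$rc"; then
        echo "ok: $rc prompts for the password"
        return 0
    fi

    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$rc" 2>/dev/null || stat -f '%Lp' "$rc")
    # Any group/other bit exposes the password to other local accounts.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: static OS_PASSWORD in $rc with mode $mode (expected 600)"
        return 1
    fi
    echo "ok: static OS_PASSWORD in $rc, mode $mode"
    return 0
}

# Constructed sample: the edited RC file from above with a placeholder password.
demo_dir=$(mktemp -d)
printf '%s\n' '#read -sr OS_PASSWORD_INPUT' \
    "export OS_PASSWORD='constructed-placeholder'" > "$demo_dir/keystonerc_admin"
chmod 644 "$demo_dir/keystonerc_admin"
audit_rc_file "$demo_dir/keystonerc_admin" || true   # reports FAIL
chmod 600 "$demo_dir/keystonerc_admin"
audit_rc_file "$demo_dir/keystonerc_admin"           # reports ok
rm -rf "$demo_dir"
```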

#2: Manage Projects in OpenStack from CLI

With the client configured, you can start creating projects. In this example we create a project called “Web-Services”.

$ openstack project create --domain default --description 'Web Hosting Services' Web-Services
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Web Hosting Services             |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 57d04dc644ec4b09ae619d873d17d002 |
| is_domain   | False                            |
| name        | Web-Services                     |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

You can adjust domain name, project name, and project description accordingly.

To verify Project creation, show information about the project using the commands below:

$ openstack project show Web-Services
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Web Hosting Services             |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 57d04dc644ec4b09ae619d873d17d002 |
| is_domain   | False                            |
| name        | Web-Services                     |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

To update the name of a project you’ll run:

$ openstack project set <PROJECT_NAME_OR_ID> --name <new-project-name>

# Example
$ openstack project set Web-Services --name WebServices
$ openstack project list
+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| 57d04dc644ec4b09ae619d873d17d002 | WebServices |
| cd220eebeb374ea3af57b7b6395dee34 | services    |
| d8dbf1834d364dadb644d4f648c08f99 | admin       |
+----------------------------------+-------------+

How to temporarily disable a project in OpenStack:

$ openstack project set <PROJECT_NAME_OR_ID> --disable

# Example
$ openstack project set WebServices --disable
$ openstack project show WebServices
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Web Hosting Services             |
| domain_id   | default                          |
| enabled     | False                            |
| id          | 57d04dc644ec4b09ae619d873d17d002 |
| is_domain   | False                            |
| name        | WebServices                      |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Re-enable the Project:

$ openstack project set <PROJECT_NAME_OR_ID> --enable

# Example
$ openstack project set WebServices --enable
$ openstack project show WebServices
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Web Hosting Services             |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 57d04dc644ec4b09ae619d873d17d002 |
| is_domain   | False                            |
| name        | WebServices                      |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

To delete a project you’ll use:

$ openstack project delete <PROJECT_NAME_OR_ID>

#3: Managing Users in OpenStack Cloud

To list all users in the cloud run:

$ openstack user list

Creating a user in OpenStack

To create a user, specify the following information:

  • name
  • project ID or Name
  • Password
  • Email address

It is recommended to pass all of this information, even though some fields are optional:

$ openstack user create \
  --project <project-name> \
  --password <USER-PASSWORD> \
  --email <USER-EMAIL> \
  <user-name>

See the example below:

$ openstack user create \
  --project WebServices \
  --password 'StrongPassword' \
  --email [email protected] \
  jmutai
  
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 57d04dc644ec4b09ae619d873d17d002 |
| domain_id           | default                          |
| email               | [email protected]           |
| enabled             | True                             |
| id                  | f92df7d8d25e47378fa713a71bb60065 |
| name                | jmutai                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Show user info:

$ openstack user show jmutai
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 57d04dc644ec4b09ae619d873d17d002 |
| domain_id           | default                          |
| email               | [email protected]           |
| enabled             | True                             |
| id                  | f92df7d8d25e47378fa713a71bb60065 |
| name                | jmutai                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Update user information

Change a user’s name and email:

$ openstack user set <user-name> \
  --name <new-user-name> \
  --email [email protected]

Temporarily disable user account:

$ openstack user set <user-name> --disable

Re-enable user account to change status from disabled:

$ openstack user set <user-name> --enable

Deleting an OpenStack user account:

$ openstack user delete <user-name>

#4: Managing Roles and assignments in OpenStack

  • Listing all available roles:
$ openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 045e5c3f17274a878fe494ffd925641b | admin            |
| 28b74c1b2fbf4cfdb0aee43181a9ae10 | _member_         |
| 3046bbfbc0a64c36ab34bb9d84fcd85f | reader           |
| 58ecfb527dbd49b78c6277b831ab3bbd | heat_stack_user  |
| 73a9ff93c2724d67aa51246abdd26a4a | ResellerAdmin    |
| 78dbd885db7341c786f61cc70a07b9cc | heat_stack_owner |
| 8ca33f366bcb4ea5a5a065e4af6b52c0 | SwiftOperator    |
| e5849adc2b764523887a273dc07ac864 | member           |
+----------------------------------+------------------+
  • Create a new role:
$ openstack role create <role-name>

# Example
$ openstack role create web_services_srole
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 52bc8904ad9d4f5e91b1ade913d3cdfa |
| name        | web_services_srole               |
| options     | {}                               |
+-------------+----------------------------------+

View role details:

$ openstack role show <role-name>
  • Assign role to a user

As stated earlier in the article, users can be members of multiple projects. We must assign the role to a user-project pair.

# List projects
$ openstack project list

# List users
$ openstack user list

# List roles
$ openstack role list

To assign a role to a user-project pair, use:

$ openstack role add --user <user-name> --project <project_name_or_id> <role-name>

# Example that assigns the web_services_srole role to the jmutai and WebServices pair:
$ openstack role add --user jmutai --project WebServices web_services_srole

Verify role assignment with the command:

$ openstack role assignment list --user <user-name> --project <project-name> --names

# Example
$ openstack role assignment list --user jmutai --project WebServices --names
+--------------------+----------------+-------+---------------------+--------+--------+-----------+
| Role               | User           | Group | Project             | Domain | System | Inherited |
+--------------------+----------------+-------+---------------------+--------+--------+-----------+
| web_services_srole | [email protected] |       | [email protected] |        |        | False     |
+--------------------+----------------+-------+---------------------+--------+--------+-----------+
  • Remove a role from a user-project pair:

Use the commands below:

$ openstack role remove --user <user-name> --project <project-name> <role-name>
$ openstack role list --user <user-name> --project <project-name>
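
Because a user can hold different roles on several projects, it helps to review every user-project pair together rather than one at a time. The script below is an added example, not part of the original article: it parses the table format printed by `openstack role assignment list --names` and lists each grant of the admin role and each user with roles on more than one project. The function names and the sample rows (alice, bob, carol, dave, Billing) are constructed for illustration.

```bash
# Added example: review the table printed by
#   openstack role assignment list --names
# Emits "ADMIN <user> <project>" for each admin grant and
# "MULTI <user> <n>" for users holding roles in more than one project.
audit_assignments() {
    awk -F'|' '
        NF < 8 || $2 ~ /^ *Role *$/ { next }          # borders and header row
        {
            for (i = 2; i <= 5; i++) gsub(/^ +| +$/, "", $i)
            role = $2; user = $3; project = $5
            if (user == "" || project == "") next     # group, domain or system scope
            if (role == "admin") print "ADMIN", user, project
            if (!((user, project) in seen)) { seen[user, project] = 1; projects[user]++ }
        }
        END { for (u in projects) if (projects[u] > 1) print "MULTI", u, projects[u] }
    ' | sort
}

# Constructed sample output; on a live cloud, pipe the real command instead.
sample_assignments() {
    cat <<'EOF'
+--------------------+---------------+-------+---------------------+--------+--------+-----------+
| Role               | User          | Group | Project             | Domain | System | Inherited |
+--------------------+---------------+-------+---------------------+--------+--------+-----------+
| web_services_srole | alice@Default |       | WebServices@Default |        |        | False     |
| member             | alice@Default |       | Billing@Default     |        |        | False     |
| admin              | bob@Default   |       | WebServices@Default |        |        | False     |
| admin              | carol@Default |       | admin@Default       |        |        | False     |
| reader             | dave@Default  |       | WebServices@Default |        |        | False     |
+--------------------+---------------+-------+---------------------+--------+--------+-----------+
EOF
}

sample_assignments | audit_assignments
```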

With the user created and a role assigned on the project, logging in to the Horizon dashboard should be possible.

Confirm that the project is the same as the one assigned earlier.
