Configuring OpenStack Keystone user & Role Management
Published on 22 March 18
Gracy1
Configuring OpenStack roles
Roles are the permissions given to the users within a tenant, Openstack uses Role based access control (RBAC). Here we will configure two roles, an admin role that allows for administration of our environment and a Member role that is given to ordinary users who will be using the cloud environment.
In a default OpenStack setup, the two roles are created:
1. The Member role, which, when granted to a user on a project, allows him to manage resources (instances, volumes, …) in the project.
2. The admin role, which, when granted to a user on any project, offers to this user a total control over the whole OpenStack platform. Although this is the current behavior, it has been marked as a bug.
Getting started
To begin with, ensure that you’re logged into our OpenStack Controller host— where OpenStack Identity service has been installed— or an appropriate Ubuntu client that has access to where OpenStack Identity service is installed.
To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:
vagrant ssh controller
If the keystone client tool isn’t available, this can be installed on any Ubuntu client that has access to manage our OpenStack Identity service by issuing the following commands:
sudo apt-get update
sudo apt-get -y install python-keystoneclient
To configure the OpenStack Identity service, we use super-user privileges in the form of a permanently set admin token set in the /etc/ keystone/ keystone.conf file, along with setting the correct environment variables for this purpose as shown:
export ENDPOINT = 172.16.0.200
export SERVICE_TOKEN = ADMIN
export
SERVICE_ENDPOINT = https:// $ { ENDPOINT}: 35357/v2.0
How to achieve it…
To create the required roles in our OpenStack environment, perform the following steps:
1. Create of the admin role is as follows:
# admin role
keystone role-create –name admin
When successful, it results in an output as:
.png)
2. To create the Member role we repeat the step, specifying the Member role:
# Member role
keystone role-create –name Member
How it works…
Creation of the roles is simply achieved by using the keystone client, specifying the role-create option with the following syntax:
keystone role-create –name role_name
The role_name attributes can’t be arbitrary. The admin role has been set in /etc/ keystone/ policy.json has its own administrative rights. Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role.
{
admin_required: [[ role:admin],
[ is_admin: 1″]]
}
And when we configure the OpenStack Dashboard, Horizon, it has the Member role configured as default when users are created in that interface.
On creation of the role, this returns an ID associated with it that we use when assigning roles to users. To see a list of roles and the associated IDs in our environment, we can issue the following command:
keystone role-list
This blog is listed under
Open Source
and Cloud Computing
Community
Related Posts:
Thanks for sharing.I hope you continue to have such quality articles to share with everyone! I believe there will be many people who share my views when they read this article from you. - roll the ball