MyPage is a personalized page based on your interests.The page is customized to help you to find content that matters you the most.

I'm not curious

Configuring OpenStack Keystone user & Role Management

Published on 22 March 18
Configuring OpenStack roles

A role is a nothing but a personality that a user assumes while performing a specific set of operations. A role includes a set of rights and privileges. A user assumes that role inherits those rights and privileges in it. One can create, edit and delete a OpenStack role.

Roles are the permissions given to the users within a tenant, Openstack uses Role based access control (RBAC). Here we will configure two roles, an admin role that allows for administration of our environment and a Member role that is given to ordinary users who will be using the cloud environment.
In a default OpenStack setup, the two roles are created:

1. The Member role, which, when granted to a user on a project, allows him to manage resources (instances, volumes, …) in the project.
2. The admin role, which, when granted to a user on any project, offers to this user a total control over the whole OpenStack platform. Although this is the current behavior, it has been marked as a bug.

Getting started

To begin with, ensure that you’re logged into our OpenStack Controller host— where OpenStack Identity service has been installed— or an appropriate Ubuntu client that has access to where OpenStack Identity service is installed.

To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

If the keystone client tool isn’t available, this can be installed on any Ubuntu client that has access to manage our OpenStack Identity service by issuing the following commands:

sudo apt-get update
sudo apt-get -y install python-keystoneclient

To configure the OpenStack Identity service, we use super-user privileges in the form of a permanently set admin token set in the /etc/ keystone/ keystone.conf file, along with setting the correct environment variables for this purpose as shown:
export ENDPOINT =
SERVICE_ENDPOINT = https:// $ { ENDPOINT}: 35357/v2.0

How to achieve it…

To create the required roles in our OpenStack environment, perform the following steps:
1. Create of the admin role is as follows:
# admin role
keystone role-create –name admin

When successful, it results in an output as:

Configuring OpenStack Keystone user & Role Management - Image 1

2. To create the Member role we repeat the step, specifying the Member role:

# Member role

keystone role-create –name Member

How it works…

Creation of the roles is simply achieved by using the keystone client, specifying the role-create option with the following syntax:

keystone role-create –name role_name

The role_name attributes can’t be arbitrary. The admin role has been set in /etc/ keystone/ policy.json has its own administrative rights. Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role.


admin_required: [[ role:admin],

[ is_admin: 1″]]


And when we configure the OpenStack Dashboard, Horizon, it has the Member role configured as default when users are created in that interface.

On creation of the role, this returns an ID associated with it that we use when assigning roles to users. To see a list of roles and the associated IDs in our environment, we can issue the following command:

keystone role-list

This blog is listed under Open Source and Cloud Computing Community

Related Posts:
View Comment (1)
Post a Comment

Please notify me the replies via email.

  • We hope the conversations that take place on will be constructive and thought-provoking.
  • To ensure the quality of the discussion, our moderators may review/edit the comments for clarity and relevance.
  • Comments that are promotional, mean-spirited, or off-topic may be deleted per the moderators' judgment.
  1. 06 April 18

    Thanks for sharing.I hope you continue to have such quality articles to share with everyone! I believe there will be many people who share my views when they read this article from you. - roll the ball

You may also be interested in
Awards & Accolades for MyTechLogy
Winner of
Top 100 Asia
Finalist at SiTF Awards 2014 under the category Best Social & Community Product
Finalist at HR Vendor of the Year 2015 Awards under the category Best Learning Management System
Finalist at HR Vendor of the Year 2015 Awards under the category Best Talent Management Software
Hidden Image Url