Openstack tenant (project), user, and role concept and management



0x00. Concept

1. User

A natural person who has a user name, password, email address and other account information. Create a user named “hui” as follows:

$ keystone user-create --name=hui --pass=password --email=[email protected]

The OpenStack official website defines a user as: “In OpenStack Identity, entities represent individual API consumers and are owned by a specific domain. In OpenStack Compute, a user can be associated with roles, projects, or both.”

1) A user is an API consuming entity with authentication information;

2) A user can belong to multiple tenants/projects/organizations and roles;

2. Tenant

A tenant can be understood as a project, team, or organization. You must specify a tenant when you request an OpenStack service. For example, if you specify a tenant when asking the Compute service for the list of running instances, you receive the running instances of that tenant only, and you do not see the running instances of other tenants. After version M the term tenant is mentioned less often and is better understood as a project, that is, a user resource group: a group made up of multiple users together with a set of accessible resources, and that set of resources is accessible only to this user group.

To create a tenant named ACM, run the following command:

$ keystone tenant-create --name=acm

The official definition of a tenant is: “A group of users; used to isolate access to Compute resources. An alternative term for a project.”

The following points need to be understood about tenants:

1) [Before modification] A tenant is a user group that contains multiple users.

Updated on 2016/07/25:

2) [Modified] A tenant can also be understood as a project. Tenant was used in releases prior to API 3, and project is used more in releases after API 3. The current version of OpenStack (Mitaka, April 2016) uses project more than tenant. A tenant is a collection of accessible resources within individual services. These collections of resources can be used by multiple users, which is why users are always bound to some tenant by default.

3) Users can access computing management resources through tenants (computing management resources can be understood as openstack services), that is, a corresponding tenant must be specified to apply for openstack services.

4) Tenants are independent from each other. You cannot view information about other tenants under the current tenant.

3. Roles

A role represents a user within a specific tenant. You can run the following command to create a role:

$ keystone role-create --name=compute-user

It can be understood that tenants are customers who use your cloud environment. These customers can be a project team, a working group, or a company. Different accounts (users) and their corresponding permissions (roles) will be established among these customers.

The OpenStack official website defines a role as: “A personality that a user assumes to perform a specific set of operations. A role includes a set of rights and privileges. A user assuming that role inherits those rights and privileges.”

Understand the following about roles:

1) A role is a user feature that can perform a specific series of operations. A role defines a series of rights and privileges of a user in a tenant.

2) Generally, the defaults are the super administrator admin and the common administrator member.

0x01. Web Page Management

Log in to the dashboard management page. The admin account is used to log in to OpenStack Dashboard.

1. Create a new tenant (project)

Identity Management > Projects > Create Project

Click Create project. On the page that is displayed, set the project information (mandatory), project members, project groups, and quota information (mandatory). Project members and project groups are optional and can be modified later as required.

(1) Project information

(2) Quotas

After the quota modification is complete, click the “Create Project” button in the lower right corner of the page.

Now refresh the Identity Management project list; the newly created project appears in it.

2. Create a user

In Identity Management, create a user: click Create user. On the page that is displayed, set User Name (mandatory), Description, Email, Password (mandatory), Confirm Password (mandatory), Primary Project, and Role in sequence. Description, Email, Primary Project, and Role are optional and can be changed later.

(1) User information

Here we select the project created in the previous step as the primary project, and select Member as the role. After filling in the form, click the Create user button in the lower right corner of the page.

Now refresh the Identity Management user list; the newly created user appears in it.

(2) Update users

To change a user, open its edit box in the user list, modify the fields, and update the user.

(3) View project members

In the project list, click Manage Members on the new project to see that the new user is in the project.

3. Create a role

[Creating a role is an optional, non-essential operation.] In Identity Management, create the role.

4. Follow-up steps

This completes the initial project environment for a new tenant, and the next step is to set up the Intranet network environment for the tenant. It is not described here.

0x03. Command mode

0. Create the domain first

[root@cc01 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 011fbf8c04f1479ab1a4e49b019b22d1 |
| name        | default                          |
+-------------+----------------------------------+

1. Tenant management

(1) Create a tenant

[root@cc10 ~]# openstack project create --domain default --description "hzbtest Project" hzbtest
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | hzbtest Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a18a50c3e0204fd9841751f0dbe93d66 |
| is_domain   | False                            |
| name        | hzbtest                          |
| parent_id   | default                          |
+-------------+----------------------------------+

(2) Modify tenant attributes

(For example, changing enabled and name)

openstack project set --disable --name=hzbtest2 hzbtest
[root@cc10 ~]# openstack project show hzbtest2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | hzbtest Project                  |
| domain_id   | default                          |
| enabled     | False                            |
| id          | a18a50c3e0204fd9841751f0dbe93d66 |
| is_domain   | False                            |
| name        | hzbtest2                         |
| parent_id   | default                          |
+-------------+----------------------------------+

(3) Delete the tenant

openstack project delete hzbtest2

(4) Query the tenant list

[root@cc01 ~]# openstack project list
+----------------------------------+--------------------+
| ID                               | Name               |
+----------------------------------+--------------------+
| 91550f3ddf5940ea9a9d17daaf6d1f5e | admin              |

(5) View tenant details

[root@cc01 ~]# openstack project show admin
+-------------+-----------------------------------------------+
| Field       | Value                                         |
+-------------+-----------------------------------------------+
| description | Bootstrap project for initializing the cloud. |
| domain_id   | default                                       |
| enabled     | True                                          |
| id          | 91550f3ddf5940ea9a9d17daaf6d1f5e              |
| is_domain   | False                                         |
| name        | admin                                         |
| parent_id   | default                                       |
+-------------+-----------------------------------------------+

2. User management

(1) Create a user

[root@cc10 ~]# openstack user create --domain default --password-prompt hzbtest
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | a51a551644ed42ad84d7580be91f7fae |
| name      | hzbtest                          |
+-----------+----------------------------------+

(2) View user details

[root@cc10 ~]# openstack user show hzbtest
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | a51a551644ed42ad84d7580be91f7fae |
| name      | hzbtest                          |
+-----------+----------------------------------+

(3) Update user information

usage: openstack user set [-h] [--name <name>] [--project <project>]
                          [--project-domain <project-domain>]
                          [--password <password>] [--password-prompt]
                          [--email <email-address>]
                          [--description <description>] [--enable | --disable]
                          <user>
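
Passing --password on the command line leaves the password in the shell history and in the process list while the command runs; the --password-prompt option listed in the usage above avoids that.

[root@cc10 ~]# openstack user set --email=[email protected] --description=xxx --password=12345678 hzbtest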
[root@cc10 ~]# openstack user show hzbtest
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | xxx                              |
| domain_id   | default                          |
| email       | [email protected]                   |
| enabled     | True                             |
| id          | a51a551644ed42ad84d7580be91f7fae |
| name        | hzbtest                          |
+-------------+----------------------------------+

(4) Delete the user

openstack user delete hzbtest

(5) Query the user list

[root@cc01 ~]# openstack user list
+----------------------------------+---------------------------+
| ID                               | Name                      |
+----------------------------------+---------------------------+
| 01eef5e310e141cc8a3687dabc643676 | test_user                 |

(6) Query all users of a tenant

[root@cc01 ~]# openstack user list --project=admin
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| f05b4e3b6585429e98f178934d71ae3e | admin            |
| 99955f8cefeb4a6f945e06ec3f424b5d | [email protected] |
| 01eef5e310e141cc8a3687dabc643676 | test_user        |
| 6e6d64905b0f419daaf424f678733dec | test123409       |
+----------------------------------+------------------+

3. Role management

(1) Create roles

[root@cc10 ~]# openstack role create hzb-role
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 72744157e8ad4267ae7b8ffc4c00fb03 |
| name      | hzb-role                         |
+-----------+----------------------------------+

(2) Role-related operations

[root@cc10 ~]# openstack role --help
Command "role" matches:
  role add
  role assignment list
  role create
  role delete
  role list
  role remove
  role set
  role show

(3) Add tenants and users to roles

openstack role add --project hzbtest --user hzbtest hzb-role

(4) View the relationship between tenants and users

[root@cc10 ~]# openstack role assignment list --user=hzbtest
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 72744157e8ad4267ae7b8ffc4c00fb03 | a51a551644ed42ad84d7580be91f7fae |       | a21daa122cb54ca68fdcfeaad843c081 |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

(5) Remove roles from tenants and users

openstack role remove --user=hzbtest --project=hzbtest hzb-role
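
The user, tenant (project) and role relationship from the concept section, and the assignment table printed by openstack role assignment list above, as an added example that is not part of the original article: a Python review of role assignments for least privilege. It assumes the JSON form of that listing (--names -f json) uses the table's column names as keys; the sample rows, the disabled project set and the expected-admin list are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of
# `openstack role assignment list --names -f json` (keys = table columns above).
ASSIGNMENTS_JSON = """[
 {"Role": "hzb-role", "User": "hzbtest@Default", "Group": "", "Project": "hzbtest@Default", "Domain": "", "Inherited": false},
 {"Role": "admin", "User": "hzbtest@Default", "Group": "", "Project": "admin@Default", "Domain": "", "Inherited": false},
 {"Role": "admin", "User": "admin@Default", "Group": "", "Project": "admin@Default", "Domain": "", "Inherited": false},
 {"Role": "member", "User": "test_user@Default", "Group": "", "Project": "hzbtest2@Default", "Domain": "", "Inherited": false},
 {"Role": "admin", "User": "", "Group": "ops@Default", "Project": "", "Domain": "Default", "Inherited": true}
]"""

# Constructed: projects that were disabled with `openstack project set --disable`.
DISABLED_PROJECTS = {"hzbtest2@Default"}
# Assumption: accounts expected to hold admin; any other admin holder is reviewed.
EXPECTED_ADMINS = {"admin@Default"}

def audit(assignments_json, disabled=DISABLED_PROJECTS, expected_admins=EXPECTED_ADMINS):
    """Return (matrix, findings): who holds which role where, and what to review."""
    matrix = defaultdict(lambda: defaultdict(set))   # actor -> scope -> roles
    findings = []
    for row in json.loads(assignments_json):
        # An assignment targets a user or a group, on a project or a domain.
        actor = row["User"] or f"group:{row['Group']}"
        scope = row["Project"] or f"domain:{row['Domain']}"
        matrix[actor][scope].add(row["Role"])
        if row["Role"] == "admin" and actor not in expected_admins:
            findings.append((actor, scope, "unexpected admin"))
        if row["Inherited"]:
            findings.append((actor, scope, "inherited assignment"))
        if scope in disabled:
            findings.append((actor, scope, "role left on disabled project"))
    return matrix, sorted(findings)

if __name__ == "__main__":
    matrix, findings = audit(ASSIGNMENTS_JSON)
    for actor, scopes in sorted(matrix.items()):
        for scope, roles in sorted(scopes.items()):
            print(f"{actor:20} {scope:20} {', '.join(sorted(roles))}")
    for actor, scope, why in findings:
        print(f"REVIEW {actor} on {scope}: {why}")
```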
