OpenStack | Roles
Command syntax for reference: openstack role <action> <--parameters values> <role-name>
<action>: list, add, remove...
<parameters>: user, project, help...
To check the list of roles that are already created/defined:
cumulus@server01:~$ openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| be19db9b354f46a98a3ec2ae5818267f | admin |
| e35ba09a6bca43e4866a0cc2f3c32ebd | user |
+----------------------------------+-------+
To add the user 'firstUser' with role 'user' to the project 'firstProject'
cumulus@server01:~$ openstack role add --user firstUser --project firstProject user
The user should now show up in the project
cumulus@server01:~$ openstack user list --project firstProject
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 9684ca0673544c4680ed074b69a831bb | firstUser |
+----------------------------------+-----------+
To see the roles assigned to each user in a project, list the role assignments.
The --names flag is handy for identifying entries by name, as otherwise we may only see the lengthy IDs associated with the users/projects.
cumulus@server01:~$ openstack role assignment list --names
+-------+-----------------------+-------+--------------------------+--------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+-------+-----------------------+-------+--------------------------+--------+-----------+
| user | firstUser@firstDomain | | firstProject@firstDomain | | False |
| admin | placement@default | | service@default | | False |
| admin | neutron@default | | service@default | | False |
| admin | admin@default | | admin@default | | False |
| user | demo@default | | demo@default | | False |
| admin | glance@default | | service@default | | False |
| admin | nova@default | | service@default | | False |
+-------+-----------------------+-------+--------------------------+--------+-----------+
A user can have a single default project; however, it can be added to multiple projects in the domain, with different or similar roles in each project.
Let's create a user for this purpose in firstDomain
cumulus@server01:~$ openstack user create --password firstPassword --domain firstDomain multiProjectUser
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | f0bb69245afe41eb9aba9873421c3595 |
| enabled | True |
| id | 630204c2d68f43be925805dc72560c4b |
| name | multiProjectUser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
The user 'multiProjectUser' will be assigned the 'user' role in firstProject and the 'admin' role in secondProject.
cumulus@server01:~$ openstack role add --user multiProjectUser --project firstProject user
cumulus@server01:~$ openstack role add --user multiProjectUser --project secondProject admin
Let's verify what we just configured
cumulus@server01:~$ openstack role assignment list --names | grep multiProjectUser
| admin | multiProjectUser@firstDomain | | secondProject@firstDomain | | False |
| user | multiProjectUser@firstDomain | | firstProject@firstDomain | | False |
It's also possible to grant a user created in one domain a role on a project in a different domain; the following commands illustrate this.
cumulus@server01:~$ openstack user create --password multiDomainPassword --domain firstDomain multiDomainUser
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | f0bb69245afe41eb9aba9873421c3595 |
| enabled | True |
| id | a8d9490da3e84025ac5482b20f7cedc0 |
| name | multiDomainUser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
cumulus@server01:~$ openstack role add --project-domain default --project demo --user multiDomainUser user
cumulus@server01:~$ openstack role assignment list --names | grep multiDomainUser
| user | multiDomainUser@firstDomain | | demo@default | | False |
cumulus@server01:~$
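An added example, not part of the original post: a small audit filter over the table printed by 'openstack role assignment list --names', flagging grants where the user's domain differs from the project's domain and admin grants outside the service project. The function names, the CROSS_DOMAIN/ADMIN tags and the choice of service@default as the expected home of service accounts are assumptions made for this example; the sample rows are constructed from the output shown above.

```shell
#!/bin/sh
# Constructed sample input in the table format shown in the post.
sample_assignments() {
cat <<'EOF'
+-------+------------------------------+-------+---------------------------+--------+-----------+
| Role  | User                         | Group | Project                   | Domain | Inherited |
+-------+------------------------------+-------+---------------------------+--------+-----------+
| user  | firstUser@firstDomain        |       | firstProject@firstDomain  |        | False     |
| admin | nova@default                 |       | service@default           |        | False     |
| admin | admin@default                |       | admin@default             |        | False     |
| admin | multiProjectUser@firstDomain |       | secondProject@firstDomain |        | False     |
| user  | multiProjectUser@firstDomain |       | firstProject@firstDomain  |        | False     |
| user  | multiDomainUser@firstDomain  |       | demo@default              |        | False     |
+-------+------------------------------+-------+---------------------------+--------+-----------+
EOF
}

# Reads the table on stdin and prints one line per finding:
#   CROSS_DOMAIN <role> <user> <project>  user domain differs from project domain
#   ADMIN        <role> <user> <project>  admin role on a project other than $1
# $1 (assumption): project where admin grants are expected, default service@default.
audit_assignments() {
  awk -F'|' -v svc="${1:-service@default}" '
    NF < 8 { next }                       # border lines contain no "|" cells
    {
      # Trim padding from the six cells (Role .. Inherited).
      for (i = 2; i <= 7; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      role = $2; user = $3; project = $5
      # Skip the header row and rows without a user or project
      # (group assignments, domain-scoped assignments).
      if (role == "Role" || user == "" || project == "") next
      udom = user;    sub(/^.*@/, "", udom)   # text after the last "@"
      pdom = project; sub(/^.*@/, "", pdom)
      if (udom != pdom)
        print "CROSS_DOMAIN", role, user, project
      if (role == "admin" && project != svc)
        print "ADMIN", role, user, project
    }'
}

# Run against the constructed sample.
sample_assignments | audit_assignments
```

On a live cloud, pipe the output of 'openstack role assignment list --names' into audit_assignments instead of the sample.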