The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.
1. Although the “default” domain already exists from the keystone-manage bootstrap step in this guide, a formal way to create a new domain would be:
$ openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2f4f80574fd84fe6ba9067228ae0a50c |
| name | example |
| tags | [] |
+-------------+----------------------------------+
2. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
3. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the myproject project and myuser user.
- Create the myproject project:
$ openstack project create --domain default \
--description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | myproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Note
Do not repeat this step when creating additional users for this project.
- Create the myuser user:
$ openstack user create --domain default \
--password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- Create the myrole role:
$ openstack role create myrole
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | myrole |
+-----------+----------------------------------+
- Add the myrole role to the myproject project and myuser user:
$ openstack role add --project myproject --user myuser myrole
Note
This command provides no output.
Note
You can repeat this procedure to create additional projects and users.
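Because the role add command prints nothing, a check such as the following confirms the assignment and that myuser remains unprivileged. It is an added example, not part of the original guide: the function name audit_assignments and the sample lines are constructed, and it assumes user, project and domain names contain no spaces.

```shell
#!/bin/sh
# Least-privilege check for the unprivileged user created in this procedure.
# Input on stdin: "Role User Project" lines, as printed by
#   openstack role assignment list --user myuser --names \
#     -f value -c Role -c User -c Project
# With --names, users and projects are shown as name@domain.

# audit_assignments USER ROLE PROJECT  (hypothetical helper name)
# Prints one finding per problem and returns 0 only when USER holds ROLE on
# PROJECT and holds no other role on any scope.
audit_assignments() {
    awk -v user="$1" -v role="$2" -v project="$3" '
        function strip(s) { sub(/@.*/, "", s); return s }   # drop "@domain"
        NF == 0 { next }
        strip($2) != user { next }        # ignore lines for other users
        {
            # A missing third field means a domain- or system-scoped grant.
            p = (NF >= 3) ? strip($3) : "(no project scope)"
            if ($1 == role && p == project) { expected++; next }
            if ($1 == "admin")
                printf "FAIL: %s holds admin on %s\n", user, p
            else
                printf "FAIL: %s holds unexpected role %s on %s\n", user, $1, p
            bad++
        }
        END {
            if (!expected) {
                printf "FAIL: %s lacks %s on %s\n", user, role, project
                bad++
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample input (not captured from a real deployment).
SAMPLE_OK='myrole myuser@Default myproject@Default'
SAMPLE_BAD='myrole myuser@Default myproject@Default
admin myuser@Default service@Default'
```

On a live deployment, pipe the openstack command from the comment into `audit_assignments myuser myrole myproject` and treat a non-zero exit status as a failed check.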