Managing OpenStack Users, Groups and Projects using the Command Line


Introduction

In OpenStack, you can create users, groups, and projects. Users have access to projects that you specify. Groups are collections of users. Projects are a way to create isolated OpenStack environments, in which cloud components can be created and yet be separate from one another. These concepts may be useful to those who wish to control access to their cloud and are a way to tightly control and organize an OpenStack cloud.

In this guide, we will demonstrate how to create users, add those users to groups, and create and assign users and groups to a project using the command line with OpenStackClient.


Create and Manage Users

When you start using OpenStack, there is only the administrator user. You can think of this as the “root” user in a Linux environment: it has full privileges to the system. Because a mistake made with this account can harm the whole system, it is suggested that additional users be created as needed. The administrator user should typically be used only for tasks where that level of access is needed.


The base command to create a user using OpenStackClient is:

$ openstack user create

Generally, when making a user using OpenStackClient, you will need to know the username, email address, and project to assign the user to.

Use $ openstack project list to list the project IDs.

List projects:

$ openstack project list
+----------------------------------+------------------------------------------------------------------+
| ID                               | Name                                                             |
+----------------------------------+------------------------------------------------------------------+
| 0d55c1cd820d4a5d9424456e1384ab73 | Engineering                                                      |
| 6a654535b8f04445bbc4974b2e4802cd | service                                                          |
| 80eb7814893a414296ec1464d4a753b1 | b9e8639372014c0b85cbfaffa6e1b5a8-a66df7d2-6e70-493f-9220-83bb066 |
| b9e8639372014c0b85cbfaffa6e1b5a8 | admin                                                            |
| c4006f982a2c4f63a2fabeeed6bc9f16 | Project 1                                                        |
+----------------------------------+------------------------------------------------------------------+

This example will create a user called demo_user_cli and associate its default project to Project 1.

NOTE! — Passing a password as a command-line argument is generally considered insecure, because it can be recorded in shell history and seen in the process list. Pass the flag --password-prompt to enter the password interactively instead.

Procedure:

The following demonstrates creating the demo_user_cli user:

$ openstack user create --project c4006f982a2c4f63a2fabeeed6bc9f16 \
    --email [email protected] --password-prompt demo_user_cli
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | c4006f982a2c4f63a2fabeeed6bc9f16 |
| domain_id           | default                          |
| email               | [email protected]                 |
| enabled             | True                             |
| id                  | d88a89208d344cb4930761dd55a194d1 |
| name                | demo_user_cli                    |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

List OpenStack users:

$ openstack user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| af82ee40927c4b72ad3011e7fab03f9e | admin             |
| 05697a00ff2242d39890621f33e81fbb | glance            |
| 30c2e20a7c1141dc9fda9d405f1d6db3 | cinder            |
| ec64a60b1c6a4b64a559597417dd3ae2 | placement         |
| 70b677b5fa4b4b8ca55699c8670f7993 | nova              |
| 508ef9606a3a4048a86ec48e542020b4 | neutron           |
| 5fce77bfae1a440d872d96982715af9e | heat              |
| 2da9eb178ee140c7aad2016f8d23ca9e | heat_domain_admin |
| e37f4e048f5e44c69305b6cec9ef2165 | watcher           |
| 012b00425e9e4db289f2d71f6441d835 | swift             |
| b7e2423b016b4defbe5f09ff1b23f468 | demo_user         |
| d88a89208d344cb4930761dd55a194d1 | demo_user_cli     |
+----------------------------------+-------------------+

The demo_user_cli user now appears in the output above.


Assign Role to a User

NOTE! — This section still needs to be filled out completely.

In OpenStack, there are roles that can be assigned to users and groups.

To view the current roles, use:

$ openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 3e5d1f2c2c014bf0bfa929b0e31eb2b1 | heat_stack_owner |
| 764cb7fcf8214515860c628fcfb855d2 | admin            |
| aa2689853f7b42038afcdb797b54ef11 | heat_stack_user  |
| be24b48c21554b75849c66b9b710df84 | reader           |
| ccc32facd900440bb01a046db5c4096d | member           |
| f5c0b887144d462bbd3bc35e9a0a9309 | _member_         |
+----------------------------------+------------------+

Create and Manage Groups

Groups in OpenStack are collections of users. A group can be assigned to a project, which makes it easier to give a set of users access at once.


The base command to create a group using OpenStackClient is:

$ openstack group create

This section will demonstrate creating a group called demo_group.

Procedure

Use $ openstack group create demo_group to create the group:

$ openstack group create demo_group
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | 5d1177ede33b4cddadab6579408da7d7 |
| name        | demo_group                       |
+-------------+----------------------------------+

List groups:

$ openstack group list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 5d1177ede33b4cddadab6579408da7d7 | demo_group      |
| 7085430cdf734bae8c54e384f79300f0 | Managed Hosting |
| f77cec4a5aad4453ad28b8fba6562744 | Development     |
+----------------------------------+-----------------+

Add Users to a Group Using the Command Line

Users can be added to groups using OpenStackClient. This will show an example where the user demo_user_cli is added to the group demo_group.

The base command to add a user to a group is:

$ openstack group add user

Procedure

Add the user demo_user_cli to the group demo_group:

$ openstack group add user demo_group demo_user_cli

Confirm the user was added successfully using openstack group contains user:

$ openstack group contains user demo_group demo_user_cli
demo_user_cli in group demo_group

Create and Manage Projects

As an OpenStack administrator, it is typically advised that projects be created for specific uses. For example, you may want a project for development purposes, or need one for a specific department in your organization.

NOTE! — Projects can only be created by OpenStack accounts with administrator access.

This section will demonstrate how to create and manage projects using the command line.


The base command to create a project using OpenStackClient is:

$ openstack project create

This section details the steps needed to create a project called demo_project.

Procedure

Create a project called demo_project:

$ openstack project create demo_project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a7873c1cbbe14607b5c5e797ef8d56ba |
| is_domain   | False                            |
| name        | demo_project                     |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Confirm the project was created successfully using openstack project show demo_project:

$ openstack project show demo_project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a7873c1cbbe14607b5c5e797ef8d56ba |
| is_domain   | False                            |
| name        | demo_project                     |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Add Group to Project Using the Command Line

Now that a group and project have been made, the group can be added to the project.

This section will demonstrate adding the group demo_group to the project called demo_project.

The base command to add a group to a project is:

$ openstack role add

Procedure

Add group demo_group to the project demo_project:

$ openstack role add --project demo_project --group demo_group \
    f5c0b887144d462bbd3bc35e9a0a9309

Verify the group was added to the project using openstack role assignment list:

$ openstack role assignment list --group demo_group --project demo_project --names
+----------+------+--------------------+----------------------+--------+--------+-----------+
| Role     | User | Group              | Project              | Domain | System | Inherited |
+----------+------+--------------------+----------------------+--------+--------+-----------+
| _member_ |      | demo_group@Default | demo_project@Default |        |        | False     |
+----------+------+--------------------+----------------------+--------+--------+-----------+
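
A check that builds on the verification step above, as an added example that is not part of the original guide: it reads role assignments in CSV form and reports any role outside an allow-list, so an unexpected admin grant on a project stands out. The function names, the allow-list and the sample rows are assumptions constructed for illustration; -f csv is the client's standard output-format option.

```shell
#!/bin/sh
# Added example: flag role assignments that fall outside an allow-list.
# Live use (assumes admin credentials are already loaded in the environment):
#   openstack role assignment list --project demo_project --names -f csv \
#     | audit_assignments "_member_ member reader"

# audit_assignments ALLOWED_ROLES   (hypothetical helper name)
# Reads CSV with the header Role,User,Group,Project,... on stdin and prints
# one line per assignment whose role is not in the space-separated list.
# Returns 0 when every role is allowed, 1 when at least one is not.
audit_assignments() {
    awk -F',' -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                # skip the CSV header row
        {
            gsub(/"/, "")               # drop CSV quoting (names here contain no commas)
            if (NF < 4) next            # ignore blank or malformed rows
            role = $1
            who = ($2 != "") ? "user " $2 : "group " $3
            if (!(role in ok)) { print role " held by " who " on " $4; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample shaped like --names -f csv output for this guide's objects.
# The admin row is invented to show what a finding looks like.
sample_assignments() {
    cat <<'EOF'
"Role","User","Group","Project","Domain","System","Inherited"
"_member_","","demo_group@Default","demo_project@Default","","",False
"admin","demo_user_cli@Default","","demo_project@Default","","",False
EOF
}
```

Run against the sample with sample_assignments | audit_assignments "_member_ member reader"; a non-zero exit status makes it usable as a gate in a scheduled job.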

Next Steps

The next guide is Create a Network and explains how to create a private network.

Nick West Systems Engineer
