In OpenStack, managing your users, groups and projects is an important part of setting up the cloud. Projects are an organizational concept that allows a cloud to be subdivided. Users can be created and associated with a single or multiple projects. Groups are sets of users that can be assigned to projects.

Before getting into creating OpenStack components such as networks, instances, and the like, it is suggested you make use of projects so the cloud is organized as needed. In addition, you can create new user accounts and assign them to particular projects so your userbase has the appropriate access to the cloud.

This guide will explain how to create projects, additional user accounts, and groups.


Create and Manage Users

When you start using OpenStack there is only the administrator user. You can think of this as the user “root” in a Linux environment. It has full privileges to the system. Due to this user having full privileges and that there is a chance to cause harm to a system with this user, it is suggested additional users be created as needed. The administrator user should typically be used only for tasks where that level of access is needed.

Create Users Using Horizon

New OpenStack users can be created using Horizon. To create a new user, first ensure you are logged in as an administrator user. Typically, this is the user admin if you are just getting started.

Once logged in to Horizon, look for the section called Identity, then locate and click the Users link under that. This will bring up the page where users can be created.

OpenStack Users:

 

To make a new user, first click the Create User button near the top right to bring up the user creation form.

At minimum, you will need to enter a User Name and Password to create the user. In addition, an Email should be set as well.

All users have to be associated with a project, so choose the Primary Project this user will be assigned to.

Finally, select an appropriate Role for this user. Typically, the role of member is sufficient, however you can also assign the admin role. The admin role gives a user administrator access. In addition, custom roles can be created and assigned.

Create a User form:

 

With the user created, you should see it in the listing of users now.

User listing:


Create Users Using the Command Line

The base command to create a user using OpenStackClient is:

$ openstack user create

Generally, when making a user using OpenStackClient, you will need to know the username, email address, and project to assign the user to.

Use $ openstack project list to list the project IDs.

List projects:

$ openstack project list
+----------------------------------+------------------------------------------------------------------+
| ID                               | Name                                                             |
+----------------------------------+------------------------------------------------------------------+
| 0d55c1cd820d4a5d9424456e1384ab73 | Engineering                                                      |
| 6a654535b8f04445bbc4974b2e4802cd | service                                                          |
| 80eb7814893a414296ec1464d4a753b1 | b9e8639372014c0b85cbfaffa6e1b5a8-a66df7d2-6e70-493f-9220-83bb066 |
| b9e8639372014c0b85cbfaffa6e1b5a8 | admin                                                            |
| c4006f982a2c4f63a2fabeeed6bc9f16 | Project 1                                                        |
+----------------------------------+------------------------------------------------------------------+

This example will create a user called demo_user_cli and associate its default project to Project 1.

NOTE! — Entering passwords over the command line is generally considered insecure. You can pass the flag --password-prompt to interactively enter in the password.

Procedure:

The following demonstrates creating the demo_user_cli user:

$ openstack user create --project c4006f982a2c4f63a2fabeeed6bc9f16 
--email demo@example.com --password-prompt demo_user_cli
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | c4006f982a2c4f63a2fabeeed6bc9f16 |
| domain_id           | default                          |
| email               | demo@example.com                 |
| enabled             | True                             |
| id                  | d88a89208d344cb4930761dd55a194d1 |
| name                | demo_user_cli                    |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

List OpenStack users:

$ openstack user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| af82ee40927c4b72ad3011e7fab03f9e | admin             |
| 05697a00ff2242d39890621f33e81fbb | glance            |
| 30c2e20a7c1141dc9fda9d405f1d6db3 | cinder            |
| ec64a60b1c6a4b64a559597417dd3ae2 | placement         |
| 70b677b5fa4b4b8ca55699c8670f7993 | nova              |
| 508ef9606a3a4048a86ec48e542020b4 | neutron           |
| 5fce77bfae1a440d872d96982715af9e | heat              |
| 2da9eb178ee140c7aad2016f8d23ca9e | heat_domain_admin |
| e37f4e048f5e44c69305b6cec9ef2165 | watcher           |
| 012b00425e9e4db289f2d71f6441d835 | swift             |
| b7e2423b016b4defbe5f09ff1b23f468 | demo_user         |
| d88a89208d344cb4930761dd55a194d1 | demo_user_cli     |
+----------------------------------+-------------------+

From the above output, the demo_user_cli user is listed now.


Assign Role to a User

NOTE! — This section still needs to be filled out completely.

In OpenStack, there are roles that can be assigned to users and groups.

To view the current roles, use:

$ openstack role list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 3e5d1f2c2c014bf0bfa929b0e31eb2b1 | heat_stack_owner |
| 764cb7fcf8214515860c628fcfb855d2 | admin            |
| aa2689853f7b42038afcdb797b54ef11 | heat_stack_user  |
| be24b48c21554b75849c66b9b710df84 | reader           |
| ccc32facd900440bb01a046db5c4096d | member           |
| f5c0b887144d462bbd3bc35e9a0a9309 | _member_         |
+----------------------------------+------------------+

 

Create and Manage Groups

Groups in OpenStack are collections of Users. These can be assigned to projects and make it easier to assign a grouping of users.

Create Groups Using Horizon

To make a group, you will need to start with logging into to Horizon with an administrator account.

From there, on the left, find the Identity tab, then find the Groups tab within that. Following this will take you to the section where groups in OpenStack can be managed.

The following is a screenshot of how the Groups page will appear.

Group listing:

Next, find the Create Group button near the top right. This will load the form needed to create a group.

Create group:

Fill in the Name of the group and, optionally, a Description. Once the form has been submitted, the group will be created.

Add Users to a Group Using Horizon

Now that a group has been made, users can be added to it.

To add users, pull up the listing of Groups in OpenStack first.

From there, find the group you are working with, and click Manage Members in the far right Actions column.

Manage Members:

 

Clicking Manage Members will pull up another page.

Manage Members, page 2:

 

To add users, click the Add Users button near the top right.

A new form will appear providing a list of users that can be added.

Manage Members -> Add Users Form:

Create Groups Using the Command Line

The base command to create a group using OpenStackClient is:

$ openstack group create

This section will demonstrate creating a group called demo_group.

Procedure

Use $ openstack group create demo_group to create the group:

$ openstack group create demo_group
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | 5d1177ede33b4cddadab6579408da7d7 |
| name        | demo_group                       |
+-------------+----------------------------------+

List groups:

$ openstack group list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 5d1177ede33b4cddadab6579408da7d7 | demo_group      |
| 7085430cdf734bae8c54e384f79300f0 | Managed Hosting |
| f77cec4a5aad4453ad28b8fba6562744 | Development     |
+----------------------------------+-----------------+

Add Users to a Group Using the Command Line

Users can be added to groups using OpenStackClient. This will show an example where the user demo_user_cli is added to the group demo_group.

The base command to add a user to a group is:

$ openstack group add user

Procedure

Add the user demo_user_cli to the group demo_group:

$ openstack group add user demo_group demo_user

Confirm the user was added successfully using openstack group contains user:

$ openstack group contains user demo_group demo_user
demo_user in group demo_group

 

Create and Manage Projects

As an OpenStack administrator, it is typically advised that projects be created for specific uses. For example, you may want a project for development purposes, or need one for a specific department in your organization.

NOTE! — Projects can only be created by OpenStack accounts with administrator access.

This section will demonstrate how to create and manage projects using Horizon and the command line.

Create Projects Using Horizon

To create a project, you will want to start with being logged into Horizon as an administrator account.

On the left, look for the section called Identity, then click on the Projects link under that. This page is where projects in OpenStack are managed.

To make a new project, say for the Engineering team in this example, find and click the Create Project button near the top right.

Create Project:

 

A form will display where the project’s details will be needed.

Create Project Form:

On the first tab, enter a Name and a Description for the project.

The second tab, Project Members, allows you to add and remove members to this project. Here is where you will add the needed users to this project.

Create Project Form, page 2:

 

Finally, the third tab has to do with adding groups to this project. If you have a group to add, this is where it will be done.

Create Project Form, page 3:

 

Once all the details are filled in, click the Create Project button to create the project.

You should see the newly created project listed under the Projects page.

Engineering project created:


Create Projects Using the Command Line

The base command to create a project using OpenStackClient is:

$ openstack project create

This section will details the steps needed to create a project called demo_project.

Procedure

Create a project called demo_project:

$ openstack project create demo_project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a7873c1cbbe14607b5c5e797ef8d56ba |
| is_domain   | False                            |
| name        | demo_project                     |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Confirm the project was created successfully using openstack project show demo_project:

$ openstack project show demo_project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a7873c1cbbe14607b5c5e797ef8d56ba |
| is_domain   | False                            |
| name        | demo_project                     |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Add Group to Project Using the Command Line

Now that a group and project have been made, the group can be added to the project.

This section will demonstrate adding the group demo_group to the project called demo_project.

The base command to add a group to a project is:

$ openstack role add

Procedure

Add group demo_group to the project demo_project:

$ openstack role add --project demo_project --group demo_group 
f5c0b887144d462bbd3bc35e9a0a9309

Verify the group was added to the project using openstack role assignment list:

$ openstack role assignment list --group demo_group --project demo_project --names
+----------+------+--------------------+----------------------+--------+--------+-----------+
| Role     | User | Group              | Project              | Domain | System | Inherited |
+----------+------+--------------------+----------------------+--------+--------+-----------+
| _member_ |      | demo_group@Default | demo_project@Default |        |        | False     |
+----------+------+--------------------+----------------------+--------+--------+-----------+

 

Next Steps

With this topic covered, the next guide will explain how to create networks using Horizon in OpenStack.

Alternatively, if prefer working over the command line, see the how to create networks using OpenStackClient guide.