Create a domain, projects, users, and roles

Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.

  1. Although the “default” domain already exists from the keystone-manage bootstrap step in this guide, a formal way to create a new domain would be:

    $ openstack domain create --description "An Example Domain" example
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 2f4f80574fd84fe6ba9067228ae0a50c |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    
  2. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:

    $ openstack project create --domain default \
      --description "Service Project" service
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 24ac7f19cd944f4cba1d77469b2a73ed |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    
  3. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the myproject project and myuser user.

    • Create the myproject project:

      $ openstack project create --domain default \
        --description "Demo Project" myproject
      
      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description | Demo Project                     |
      | domain_id   | default                          |
      | enabled     | True                             |
      | id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
      | is_domain   | False                            |
      | name        | myproject                        |
      | parent_id   | default                          |
      | tags        | []                               |
      +-------------+----------------------------------+
      

      Note

      Do not repeat this step when creating additional users for this project.

    • Create the myuser user:

      $ openstack user create --domain default \
        --password-prompt myuser
      
      User Password:
      Repeat User Password:
      +---------------------+----------------------------------+
      | Field               | Value                            |
      +---------------------+----------------------------------+
      | domain_id           | default                          |
      | enabled             | True                             |
      | id                  | aeda23aa78f44e859900e22c24817832 |
      | name                | myuser                           |
      | options             | {}                               |
      | password_expires_at | None                             |
      +---------------------+----------------------------------+
      
    • Create the myrole role:

      $ openstack role create myrole
      
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | None                             |
      | id        | 997ce8d05fc143ac97d83fdfb5998552 |
      | name      | myrole                           |
      +-----------+----------------------------------+
      
    • Add the myrole role to the myproject project and myuser user:

      $ openstack role add --project myproject --user myuser myrole
      

      Note

      This command provides no output.

Note

You can repeat this procedure to create additional projects and users.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.