Managing Users and Groups:
Openstack Users:
- OpenStack provides three default roles: admin, _member_, and reader. A role is always assigned at a scope (system, domain or project), so the same role name grants different things depending on where it is assigned:
- The admin role provides full access at the given scope. For example, at the system scope, the admin role allows a user to perform any operation on the OpenStack platform. Note that until scope enforcement is enabled in the service policies, many services have historically treated the admin role on any project as cloud-wide admin, so assign it sparingly.
- The _member_ role provides users with the ability to create objects. For example, the _member_ role allows a user to create instances at the project scope.
- The reader role only allows users to list and show objects at the given scope; it cannot create, modify or delete them.
- OpenStack Platform provides a default user named admin with the admin role, who has full privileges to access all projects and domains. Its password is set at deployment time and is the first credential to protect and rotate.
- to create users we use the openstack user create command. Without --domain the user is created in the deployment's default domain (normally Default), which is not necessarily the domain of the current session.
- we can use --domain <domain name> to specify the domain the user is created in
- we can use --project <project name> to set the user's default project. This only decides which project an unscoped login falls back to; it grants no access by itself, a role assignment on that project (openstack role add) is still required.
openstack user create telco_user1 --password P@ssw0rd
- we can use openstack user set to change any parameter of a user account (including disabling it with --disable, which is the quickest way to lock an account out without deleting it)
- openstack user set [--name <name>] [--domain <domain>] [--project <project>] [--project-domain <project-domain>] [--password <password>] [--password-prompt] [--email <email-address>] [--description <description>] [--enable | --disable] <user>
- a password given with --password ends up in the shell history and is visible in the process list while the command runs, so prefer --password-prompt on shared hosts
- user names are unique only within a domain, so the same name may exist in several domains. When that happens, specify the domain the user belongs to: --domain on openstack user set, or --user-domain (and likewise --group-domain and --project-domain) on openstack role add.
- to give a user a privilege on a project or domain, assign a role to the user at that scope with the openstack role add command (and take it away again with openstack role remove)
EX: give telco_user1 admin privilege on Example domain
openstack role add --domain Example --user telco_user1 admin
EX: give telco_user2 _member_ privilege on both Example domain and telcocloud_hub1 project
openstack role add --user telco_user2 --project-domain Example --project telcocloud_hub1 _member_
openstack role add --user telco_user2 --domain Example _member_
- to check which roles are currently assigned to a user, or which assignments exist on a project or domain, we use the openstack role assignment list command. It accepts options such as --user, --group, --project, --domain, --system and --role to filter the output, and --effective to include roles a user receives through group membership. Review this output regularly; assignments of admin at the system or domain scope are the ones to watch.
- by default the command output shows UUIDs rather than names, so we add the --names option to display names in the output
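The following audit script is an added example and not part of the original notes or of the OpenStack project. It takes the JSON form of the listing described above (openstack role assignment list --names -f json) and flags the assignments a reviewer would look at first: privileged roles at the system or domain scope, plus every grant that arrives through a group rather than a direct user assignment. The JSON sample inside the script is constructed to match the users, domain and group used in these notes; the column names Role, User, Group, Project, Domain, System and Inherited are the ones the command prints.

```python
import json

# Constructed sample of `openstack role assignment list --names -f json`
# for the example users in these notes. Not captured from a real cloud.
SAMPLE_OUTPUT = json.dumps([
    {"Role": "admin", "User": "admin@Default", "Group": "",
     "Project": "admin@Default", "Domain": "", "System": "", "Inherited": False},
    {"Role": "admin", "User": "admin@Default", "Group": "",
     "Project": "", "Domain": "", "System": "all", "Inherited": False},
    {"Role": "admin", "User": "telco_user1@Example", "Group": "",
     "Project": "", "Domain": "Example", "System": "", "Inherited": False},
    {"Role": "_member_", "User": "telco_user2@Example", "Group": "",
     "Project": "telcocloud_hub1@Example", "Domain": "", "System": "", "Inherited": False},
    {"Role": "_member_", "User": "telco_user2@Example", "Group": "",
     "Project": "", "Domain": "Example", "System": "", "Inherited": False},
    {"Role": "_member_", "User": "", "Group": "cloud_grp1@Example",
     "Project": "telcocloud_hub1@Example", "Domain": "", "System": "", "Inherited": False},
])

# Roles that should only appear at a broad scope after deliberate review.
PRIVILEGED_ROLES = {"admin"}


def scope_of(row):
    """Classify one assignment row by the scope it was granted at."""
    if row.get("System"):
        return "system"
    if row.get("Domain"):
        return "domain"
    if row.get("Project"):
        return "project"
    return "none"


def assignee(row):
    """Name the holder: a user, or the group when no user is set."""
    return row["User"] if row["User"] else "group:" + row["Group"]


def find_privileged(rows, roles=PRIVILEGED_ROLES, scopes=("system", "domain")):
    """Return (assignee, role, scope, target) for privileged broad-scope grants."""
    hits = []
    for row in rows:
        scope = scope_of(row)
        if row["Role"] in roles and scope in scopes:
            target = row["System"] or row["Domain"]
            hits.append((assignee(row), row["Role"], scope, target))
    return hits


def via_group(rows):
    """Return every assignment that is inherited through group membership."""
    return [(row["Group"], row["Role"], scope_of(row),
             row["Project"] or row["Domain"] or row["System"])
            for row in rows if row["Group"]]


def audit(json_text):
    """Parse the CLI JSON output and return both findings lists."""
    rows = json.loads(json_text)
    return {"privileged": find_privileged(rows), "via_group": via_group(rows)}


if __name__ == "__main__":
    report = audit(SAMPLE_OUTPUT)
    for who, role, scope, target in report["privileged"]:
        print(f"REVIEW: {who} holds {role} at {scope} scope on {target}")
    for group, role, scope, target in report["via_group"]:
        print(f"GROUP : members of {group} get {role} on {scope} {target}")
```

In practice the JSON comes from `openstack role assignment list --names -f json > assignments.json`, and the audit is run over that file; the project-scoped admin grant in the sample is deliberately not flagged so the reviewer sees only the broad-scope ones, which is where the script is meant to be tightened if a deployment treats project admin as global admin.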
Openstack Groups:
- Groups are collections of users within a domain. Privileges can be assigned to all the users in a group at once by assigning a role to the group instead of to each user.
- Because the privilege comes from the membership, it is revoked by removing the user from the group (openstack group remove user), without touching the role assignment itself. Groups are supported in version 3 of the identity service API.
- to create a group we use the openstack group create command; the --domain option creates the group in a specific domain.
openstack group create cloud_grp1 --domain Example
- users are added with openstack group add user <group> <user>. We can then assign a role to the group with openstack role add --group, and all users in the group receive the same privilege; openstack role assignment list --effective shows what a given user holds through its groups.
IDENTITY SERVICE TOKENS
- Rather than sending credentials with every call, OpenStack uses a unique access code, or token, to authenticate requests to the OpenStack service APIs.
- User authentication and authorization are controlled by the Identity service (keystone).
- This service verifies the user's identity and generates a unique authorization token that the other OpenStack services trust.
- The token is valid for a limited period of time (the expiry is returned together with the token).
- With the authorization token, users can call a service's REST API to request work from that service.
- When a user wants to perform a task in Red Hat OpenStack Platform, the service handling the task requires the user's token (sent in the X-Auth-Token header).
- If the user has no token or it has expired, the user obtains a new token from the identity service by authenticating.
- The service validates the token with keystone and checks the roles and scope it carries. The service then performs the requested task, or rejects the request because the token's privileges are insufficient.
- The openstack token issue command can be used to generate a new token for the credentials and scope of the current session. Treat the value like a password: anyone holding it acts as that user until it expires or is revoked.
Token Authorization Scopes
Unscoped
- An unscoped token contains no authorization information at all; it can only be used to prove your identity and to obtain a scoped token. Unscoped tokens are not normally used for API calls.
- You receive one when you authenticate without asking for a scope and have no default project to fall back to.
Project
- This authorization scope defines your access to resources such as instances or storage within a single project.
Domain
- Domain scope defines your ability to manage users, groups, and projects within a specific domain. A domain operator does not automatically have access to the resources of any project they create; that needs a separate project-scoped role assignment.
System
- System scope defines your ability to manage the OpenStack platform itself, including the nodes and their services.
we can manually issue a token with the openstack token issue command, and revoke an issued token (for example one that has leaked) before it expires with openstack token revoke <token>
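The script below is an added example, not code from the original notes or from keystone; it covers both the token lifecycle described under IDENTITY SERVICE TOKENS and the four authorization scopes listed above. It builds the request body that the Keystone v3 API expects on POST /v3/auth/tokens for each scope (the same request the openstack client sends before openstack token issue prints a token), then shows how a service-side check reads the scope, roles and expiry out of the token body keystone returns. The token responses embedded in the script are constructed for the users and domain used in these notes; the password and times are placeholders.

```python
from datetime import datetime, timezone


def auth_body(username, password, user_domain, scope=None):
    """Keystone v3 password auth body. scope is None for an unscoped token,
    ("project", name, domain), ("domain", name) or ("system",)."""
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": username,
                              "domain": {"name": user_domain},
                              "password": password}}}}}
    if scope is None:
        return body  # no "scope" key at all: keystone issues an unscoped token
    kind = scope[0]
    if kind == "project":
        body["auth"]["scope"] = {"project": {"name": scope[1],
                                             "domain": {"name": scope[2]}}}
    elif kind == "domain":
        body["auth"]["scope"] = {"domain": {"name": scope[1]}}
    elif kind == "system":
        body["auth"]["scope"] = {"system": {"all": True}}
    else:
        raise ValueError("unknown scope kind: " + kind)
    return body


def token_scope(token):
    """Read the scope back out of a validated token body (the "token" object)."""
    for kind in ("system", "domain", "project"):
        if kind in token:
            return kind
    return "unscoped"


def _parse_expiry(text):
    # keystone formats expires_at as 2024-05-01T13:00:00.000000Z
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def seconds_remaining(token, now):
    """Seconds until the token expires; negative once it has."""
    return int((_parse_expiry(token["expires_at"]) - now).total_seconds())


def token_is_valid(token, now):
    return seconds_remaining(token, now) > 0


def token_has_role(token, role):
    """Unscoped tokens carry no roles, so this is always False for them."""
    return any(r["name"] == role for r in token.get("roles", []))


def authorize(token, now, role, scope):
    """Service-side decision: valid, right scope kind, and carries the role."""
    return (token_is_valid(token, now) and token_scope(token) == scope
            and token_has_role(token, role))


# Constructed token bodies, shaped like keystone's responses, for the examples
# in these notes. Constructed times: issued 12:00, expires 13:00 UTC.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 5, 1, 14, 0, 0, tzinfo=timezone.utc)
PROJECT_TOKEN = {"expires_at": "2024-05-01T13:00:00.000000Z",
                 "issued_at": "2024-05-01T12:00:00.000000Z",
                 "user": {"name": "telco_user2", "domain": {"name": "Example"}},
                 "project": {"name": "telcocloud_hub1", "domain": {"name": "Example"}},
                 "roles": [{"name": "_member_"}]}
DOMAIN_TOKEN = {"expires_at": "2024-05-01T13:00:00.000000Z",
                "user": {"name": "telco_user1", "domain": {"name": "Example"}},
                "domain": {"name": "Example"},
                "roles": [{"name": "admin"}]}
UNSCOPED_TOKEN = {"expires_at": "2024-05-01T13:00:00.000000Z",
                  "user": {"name": "telco_user1", "domain": {"name": "Example"}}}

if __name__ == "__main__":
    import json
    print(json.dumps(auth_body("telco_user1", "P@ssw0rd", "Example", ("system",)), indent=1))
    print("project token, create instance:",
          authorize(PROJECT_TOKEN, SAMPLE_NOW, "_member_", "project"))
    print("same token two hours later:",
          authorize(PROJECT_TOKEN, SAMPLE_LATER, "_member_", "project"))
```

Two details worth noticing in the check: the domain-scoped admin token does not authorize a project-scoped action even though it carries the admin role, which is the "a domain operator does not automatically have access to any project" rule expressed as code, and the unscoped token fails every role check because it has no roles at all.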