THE IDENTITY SERVICE in Brief
- In OpenStack, the authentication and authorization services are provided by the OpenStack identity service, code-named Keystone.
- OpenStack Platform uses domains, projects, groups, and users to organize OpenStack resources.
- The admin user is similar to the root user in the Linux operating system.
- Users authenticate via the identity service API endpoint before they request other OpenStack services.
Some identity service terminology:
Domains
- Domains are collections of projects and users that can be defined as a single identity realm.
- Resources are not shared or moved between domains.
- If no domains are created, all projects and users use the default domain.
Projects
- A project is a collection of resources, such as networks, images, and instances.
- Projects can represent a customer, an account, an organizational unit, or a development project.
- OpenStack Platform installs with two default projects named admin and service. These projects exist in the default domain named default.
Users
- Users represent the end user, operator, or administrator who uses the OpenStack services.
- OpenStack Platform installs with a default admin user with an admin role assigned in the admin project.
- OpenStack users are self-service users; they can create and manage:
- instances
- volumes
- networks
- images
Roles
- Roles define a set of user privileges to perform specific actions on OpenStack services.
- OpenStack Platform installs with several default roles, including admin and _member_.
- The _member_ role provides normal user access to all of a project's resources.
- The admin role provides additional administrative privileges throughout the user's domain.
Groups
- Groups are collections of users within a domain. Privileges can be assigned to all the users in a group by assigning a role to a group.
- These privileges and the association of a user to a project or domain can be revoked by removing the user from the group.
Managing domains using the OpenStack CLI:
- To create a domain, the user must have the system-scope admin role.
- Create the domain using the openstack domain create command; the command takes the domain name as an argument.
- The domain is enabled by default; to start with the domain disabled, use the --disable option.
- To show the list of domains, use the openstack domain list command:
openstack domain list
- To delete a domain, use the openstack domain delete command.
- Either the domain name or the domain ID can be passed as the argument.
- The domain must be disabled before it can be deleted:
openstack domain delete telcocloud_domain
- To show domain details
- Projects can be created by any user assigned the admin role.
- Projects are configured with resource quotas that can be edited when creating the project or modified later.
- All user associations to a project, and all project resources, are removed when the project is deleted.
- To create a project, use the openstack project create command with the project name as an argument.
- Use --domain <domain_name> to specify the domain; if it is not specified, the project is created in the default domain.
- To show the list of projects, use the openstack project list command:
openstack project list
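As an added example (not part of these notes), a small POSIX sh wrapper that walks the domain and project procedures above in one place: create a domain (optionally disabled), create a project inside it, list the domain's projects, and disable a domain before deleting it. It assumes python-openstackclient is installed and admin-scoped OS_* credentials are loaded; the DRY_RUN switch, the function names and the telcocloud_domain/telco_project names are my own constructed choices.

```shell
#!/bin/sh
# Added example: thin wrapper around the openstack CLI for the Keystone
# domain/project lifecycle. Assumes an admin-scoped session (system-scope
# admin is needed for domain operations). With DRY_RUN set, every command
# is printed instead of executed, so destructive steps can be previewed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ openstack %s\n' "$*"
    else
        openstack "$@"
    fi
}

# create_domain NAME [disabled]: a domain is enabled by default;
# pass "disabled" to create it with --disable.
create_domain() {
    if [ "${2:-}" = "disabled" ]; then
        run domain create --disable "$1"
    else
        run domain create "$1"
    fi
}

# create_project NAME [DOMAIN]: without a domain the project lands
# in the default domain, so the domain is always passed explicitly.
create_project() {
    run project create --domain "${2:-default}" "$1"
}

# delete_domain NAME: a domain cannot be deleted while enabled,
# so disable it first, then delete it (name or ID both work).
delete_domain() {
    run domain set --disable "$1"
    run domain delete "$1"
}

# Full lifecycle when invoked with a domain and a project name, e.g.
#   DRY_RUN=1 sh keystone_lifecycle.sh telcocloud_domain telco_project
if [ $# -ge 2 ]; then
    create_domain "$1"
    run domain show "$1"
    create_project "$2" "$1"
    run project list --domain "$1"
    delete_domain "$1"
fi
```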