Organizing OpenStack Domains and Projects

Manage OpenStack domains and projects

The Identity Service in Brief

  • In OpenStack, the authentication and authorization services are provided by the OpenStack identity service, code-named Keystone.
  • OpenStack Platform uses domains, projects, groups, and users to organize OpenStack resources.
  • The admin user is similar to the root user in the Linux operating system.
  • Users authenticate via the identity service API endpoint before they request other OpenStack services.

Some Identity service terminology:

Domains

  • Domains are collections of projects and users that can be defined as a single identity realm. 
  • Resources are not shared or moved between domains. 
  • If no domains are created, all projects and users use the default domain.

Projects

  • A project is a collection of resources, such as networks, images, and instances. 
  • Projects can represent a customer, an account, an organizational unit, or a development project. 
  • OpenStack Platform installs with two default projects named admin and service. These projects exist in the default domain named default.

Users

  • Users represent the end user, operator, or administrator who uses the OpenStack services. 
  • OpenStack Platform installs with a default admin user with an admin role assigned in the admin project.
  • OpenStack users are self-service users who can create and manage:
    • Instances
    • Volumes
    • Networks
    • Images

Roles

  • Roles define a set of user privileges to perform specific actions on OpenStack services. 
  • OpenStack Platform installs with several default roles, including admin and _member_. 
  • The _member_ role provides normal user access to all of a project's resources. 
  • The admin role provides additional administrative privileges throughout the user's domain.

Groups

  • Groups are collections of users within a domain. Privileges can be assigned to all the users in a group by assigning a role to a group. 
  • These privileges and the association of a user to a project or domain can be revoked by removing the user from the group.

Managing Domains using the OpenStack CLI:

  • To create a domain, the user must have the system-scope admin role.
  • Create the domain using the openstack domain create command.
    • The command takes the domain name as an argument:
            openstack domain create telcocloud_domain
            

  • The domain is enabled by default. To create it disabled, use the --disable option.
  • To list the domains, use the openstack domain list command:
            openstack domain list
            
  • To delete a domain, use the openstack domain delete command.
    • The command accepts the domain name or the domain ID as its argument.
  • A domain must be disabled before it can be deleted:
            openstack domain set --disable telcocloud_domain
  • To show the domain details:
            openstack domain show telcocloud_domain
  • Then delete the domain:
            openstack domain delete telcocloud_domain
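
A guarded version of the disable-then-delete sequence above, as an added example that is not part of the original page: it refuses to act on a domain that still contains projects or users, and only then disables and deletes it. The function names, the return codes, and the refusal to touch the default domain are assumptions of this example.

```shell
#!/bin/sh
# Added example: guarded domain removal with the openstack CLI.
# Function names and return codes are illustrative, not part of OpenStack.

# Print the names of the projects that still live in domain $1, one per line.
domain_projects() {
    openstack project list --domain "$1" -f value -c Name
}

# Print the names of the users that still live in domain $1, one per line.
domain_users() {
    openstack user list --domain "$1" -f value -c Name
}

# Disable and delete domain $1 only when it holds no projects and no users.
# Returns 0 when deleted, 2 when refused, 1 when an openstack call fails
# (for example because the caller lacks the admin role).
delete_domain_if_empty() {
    domain=$1
    case "$domain" in
        ""|default|Default)
            # Assumption of this example: never remove the default domain.
            echo "refusing: empty name or default domain" >&2
            return 2 ;;
    esac

    projects=$(domain_projects "$domain") || return 1
    users=$(domain_users "$domain") || return 1
    if [ -n "$projects" ] || [ -n "$users" ]; then
        echo "refusing: $domain is not empty" >&2
        [ -n "$projects" ] && echo "projects: $projects" >&2
        [ -n "$users" ] && echo "users: $users" >&2
        return 2
    fi

    # A domain has to be disabled before it can be deleted.
    openstack domain set --disable "$domain" || return 1
    openstack domain delete "$domain" || return 1
    echo "deleted $domain"
}
```

Call it as `delete_domain_if_empty telcocloud_domain` from a shell that has admin credentials loaded.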
            

Managing Projects using the OpenStack CLI:

  • Projects can be created by any user assigned the admin role. 
  • Projects are configured with resource quotas that can be edited when creating the project or modified later.
  • All user associations to a project, and all project resources, are removed when the project is deleted.
  • To create a project, use the openstack project create command with the project name as an argument.
    • Use --domain <domain_name> to specify a domain. If no domain is specified, the project is created in the default domain.
            openstack project create demo-project


  • To list the projects, use the openstack project list command:
            openstack project list
  • To show details about a specific project:
            openstack project show demo-project
  • To delete a project, use the openstack project delete command.
    • The command accepts the project name or the project ID as its argument:
            openstack project delete demo-project