Command syntax for reference: openstack role <action> <--parameters values> <role-name>
<action>: list, add, remove…
<parameters>: user, project, help…
To check the list of user roles that are already created / defined
cumulus@server01:~$ openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| be19db9b354f46a98a3ec2ae5818267f | admin |
| e35ba09a6bca43e4866a0cc2f3c32ebd | user  |
+----------------------------------+-------+
To add the user ‘firstUser’ with role ‘user’ to the project ‘firstProject’
cumulus@server01:~$ openstack role add --user firstUser --project firstProject user
The user should now show up in the project
cumulus@server01:~$ openstack user list --project firstProject
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 9684ca0673544c4680ed074b69a831bb | firstUser |
+----------------------------------+-----------+
To see the roles assigned to each user in a project, list the role assignments.
The --names flag is handy for identifying entries by name; without it we may only see the lengthy IDs associated with the users/projects
cumulus@server01:~$ openstack role assignment list --names
+-------+-----------------------+-------+--------------------------+--------+-----------+
| Role  | User                  | Group | Project                  | Domain | Inherited |
+-------+-----------------------+-------+--------------------------+--------+-----------+
| user  | firstUser@firstDomain |       | firstProject@firstDomain |        | False     |
| admin | placement@default     |       | service@default          |        | False     |
| admin | neutron@default       |       | service@default          |        | False     |
| admin | admin@default         |       | admin@default            |        | False     |
| user  | demo@default          |       | demo@default             |        | False     |
| admin | glance@default        |       | service@default          |        | False     |
| admin | nova@default          |       | service@default          |        | False     |
+-------+-----------------------+-------+--------------------------+--------+-----------+
A user can have a single default project; however, it can be added to multiple projects in the domain, with different or similar roles in each project
Let’s create a user for this purpose in firstDomain
cumulus@server01:~$ openstack user create --password firstPassword --domain firstDomain multiProjectUser
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | f0bb69245afe41eb9aba9873421c3595 |
| enabled             | True                             |
| id                  | 630204c2d68f43be925805dc72560c4b |
| name                | multiProjectUser                 |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
This user ‘multiProjectUser’ will be assigned the ‘user’ role in firstProject and the ‘admin’ role in secondProject
cumulus@server01:~$ openstack role add --user multiProjectUser --project firstProject user
cumulus@server01:~$ openstack role add --user multiProjectUser --project secondProject admin
Let’s verify what we just configured
cumulus@server01:~$ openstack role assignment list --names | grep multiProjectUser
| admin | multiProjectUser@firstDomain | | secondProject@firstDomain | | False |
| user | multiProjectUser@firstDomain | | firstProject@firstDomain | | False |
It’s also possible to grant a user created in one domain a role on a project in a different domain; the following commands illustrate this
cumulus@server01:~$ openstack user create --password multiDomainPassword --domain firstDomain multiDomainUser
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | f0bb69245afe41eb9aba9873421c3595 |
| enabled             | True                             |
| id                  | a8d9490da3e84025ac5482b20f7cedc0 |
| name                | multiDomainUser                  |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
cumulus@server01:~$ openstack role add --project-domain default --project demo --user multiDomainUser user
cumulus@server01:~$ openstack role assignment list --names | grep multiDomainUser
| user | multiDomainUser@firstDomain | | demo@default | | False |
cumulus@server01:~$
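Since a user can hold admin in one project and reach into a project of another domain, it helps to review the assignment list for exactly those two cases. The script below is an added example, not part of the original post: the function name audit_role_assignments and the SAMPLE_ASSIGNMENTS variable are hypothetical, and it only looks at user-to-project rows in the --names table format shown above.

```shell
#!/bin/sh
# Added example: review `openstack role assignment list --names` table output.
# Reports (1) grants where the user's domain differs from the project's domain
# and (2) every admin grant, so each can be checked against what was intended.
# Assumes --names output (user@domain, project@domain); ID-only rows are skipped.

# Constructed sample: rows copied from the outputs shown in this post.
SAMPLE_ASSIGNMENTS='
+-------+------------------------------+-------+---------------------------+--------+-----------+
| Role  | User                         | Group | Project                   | Domain | Inherited |
+-------+------------------------------+-------+---------------------------+--------+-----------+
| user  | firstUser@firstDomain        |       | firstProject@firstDomain  |        | False     |
| admin | nova@default                 |       | service@default           |        | False     |
| admin | multiProjectUser@firstDomain |       | secondProject@firstDomain |        | False     |
| user  | multiProjectUser@firstDomain |       | firstProject@firstDomain  |        | False     |
| user  | multiDomainUser@firstDomain  |       | demo@default              |        | False     |
+-------+------------------------------+-------+---------------------------+--------+-----------+
'

# Reads the table on stdin; prints one "KIND role user project" line per finding.
audit_role_assignments() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF < 7 { next }                           # borders and blank lines
    {
      role = trim($2); user = trim($3); project = trim($5)
      if (role == "Role") next                # header row
      # Only user-to-project rows with names; group/domain-scoped rows are skipped.
      if (index(user, "@") == 0 || index(project, "@") == 0) next
      udom = user;    sub(/^.*@/, "", udom)   # domain part of user@domain
      pdom = project; sub(/^.*@/, "", pdom)   # domain part of project@domain
      if (udom != pdom)    print "CROSS-DOMAIN", role, user, project
      if (role == "admin") print "ADMIN", role, user, project
    }'
}

# Runs against the constructed sample. For live use (admin credentials loaded):
#   openstack role assignment list --names | audit_role_assignments
printf '%s\n' "$SAMPLE_ASSIGNMENTS" | audit_role_assignments
```

Service accounts such as nova@default are expected to show up as ADMIN on the service project; the lines worth a second look are the ones nobody remembers granting.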