openstack-manuals/doc/install-guide/source/keystone-users.rst

Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.

  1. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:

    $ openstack project create --domain default \
      --description "Service Project" service
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 24ac7f19cd944f4cba1d77469b2a73ed |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    +-------------+----------------------------------+

  2. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

    • Create the demo project:

      $ openstack project create --domain default \
        --description "Demo Project" demo
      
      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description | Demo Project                     |
      | domain_id   | default                          |
      | enabled     | True                             |
      | id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
      | is_domain   | False                            |
      | name        | demo                             |
      | parent_id   | default                          |
      +-------------+----------------------------------+

      Note

      Do not repeat this step when creating additional users for this project.

    • Create the demo user:

      $ openstack user create --domain default \
        --password-prompt demo
      
      User Password:
      Repeat User Password:
      +---------------------+----------------------------------+
      | Field               | Value                            |
      +---------------------+----------------------------------+
      | domain_id           | default                          |
      | enabled             | True                             |
      | id                  | aeda23aa78f44e859900e22c24817832 |
      | name                | demo                             |
      | password_expires_at | None                             |
      +---------------------+----------------------------------+

    • Create the user role:

      $ openstack role create user
      
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | None                             |
      | id        | 997ce8d05fc143ac97d83fdfb5998552 |
      | name      | user                             |
      +-----------+----------------------------------+

    • Add the user role to the demo project and user:

      $ openstack role add --project demo --user demo user

      Note

      This command provides no output.

Note

You can repeat this procedure to create additional projects and users.
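
To confirm that the demo user ended up unprivileged, as step 2 intends, the role assignments can be audited after the procedure. The script below is an added example, not part of the original guide; the function name `audit_roles` is hypothetical, and the sample rows are constructed on the assumption that `--names -f csv` prints quoted `name@domain` values.

```shell
#!/bin/sh
# Added example: check that a user holds only the expected role on one project.
# Live input (admin credentials must be loaded in the environment):
#   openstack role assignment list --user demo --names \
#     -f csv -c Role -c User -c Project | audit_roles demo demo user

# audit_roles USER PROJECT ALLOWED_ROLE   (CSV rows on stdin)
# Returns 0 only when USER holds ALLOWED_ROLE on PROJECT and nothing else.
audit_roles() {
    want_user=$1 want_project=$2 allowed=$3
    found=0 bad=0
    while IFS=, read -r role user project || [ -n "$role" ]; do
        # Strip CSV quotes and the "@domain" suffix assumed from --names.
        role=$(printf '%s' "$role" | tr -d '"\r')
        user=$(printf '%s' "$user" | tr -d '"\r'); user=${user%%@*}
        project=$(printf '%s' "$project" | tr -d '"\r'); project=${project%%@*}
        [ "$role" = "Role" ] && continue            # header row
        [ "$user" = "$want_user" ] || continue      # other users, blank lines
        if [ "$role" = "$allowed" ] && [ "$project" = "$want_project" ]; then
            found=1
        else
            # Any other role, or the same role on another scope, is a finding.
            echo "unexpected: role=$role scope=${project:-<domain/system>}" >&2
            bad=1
        fi
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample: the state this guide's procedure should produce.
SAMPLE_OK='"Role","User","Project"
"user","demo@Default","demo@Default"'

# Constructed sample: demo also holds admin on a non-project scope.
SAMPLE_OVERPRIV='"Role","User","Project"
"user","demo@Default","demo@Default"
"admin","demo@Default",""'

printf '%s\n' "$SAMPLE_OK" | audit_roles demo demo user \
    && echo "ok: demo holds only the user role on demo"
printf '%s\n' "$SAMPLE_OVERPRIV" | audit_roles demo demo user \
    || echo "FAIL: demo holds more than the user role"
```
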