Red Hat SummitChapter 2. Role Management
2.1. Role Management
OpenStack uses a role-based access control (RBAC) mechanism to manage access to its resources. Roles define which actions users can perform. By default, there are two predefined roles: a member role that gets attached to a tenant, and an administrative role to enable non-admin users to administer the environment. Note that there are abstract levels of permission, and it is possible to create the roles the administrator needs, and configure services adequately.
2.1.1. View Roles
Use the following command to list the available predefined roles.
keystone role-list
$ keystone role-list
+----------------------------------+---------------+
| id | name |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f | Member |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ecf391421604da985db2f141e46a7c8 | admin |
+----------------------------------+---------------+To get details for a specified role, run:
keystone role-get [ROLE]
$ keystone role-get [ROLE]Example
keystone role-get admin
$ keystone role-get admin
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 6ecf391421604da985db2f141e46a7c8 |
| name | admin |
+----------+----------------------------------+2.1.2. Create and Assign a Role
As a cloud administrator, you can create and manage roles on the Keystone client using the following set of commands. Each OpenStack deployment must include at least one project, one user, and one role, linked together. However, users can be members of multiple projects. To assign users to multiple projects, create a role and assign that role to a user-project pair. Note that you can create a user and assign a primary project and default role in the dashboard.
Either the name or ID can be used to specify users, roles, or projects.
Create the
new-rolerole:Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone role-create --name [ROLE_NAME]
$ keystone role-create --name [ROLE_NAME]Example
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone role-create --name new-role
$ keystone role-create --name new-role +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 61013e7aa4ba4e00a0a1ab4b14bc6b2a | | name | new-role | +----------+----------------------------------+To assign a user to a project, you must assign the role to a user-project pair. To do this, obtain the user, role, and project names or IDs:
List users:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-list
$ keystone user-listList roles:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone role-list
$ keystone role-listList projects:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone tenant-list
$ keystone tenant-list
Assign a role to a user-project pair.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-role-add --user [USER_NAME] --role [ROLE_NAME] --tenant [TENANT_NAME]
$ keystone user-role-add --user [USER_NAME] --role [ROLE_NAME] --tenant [TENANT_NAME]Example
In this example, you assign the
new-rolerole to thedemo-demopair:Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-role-add --user demo --role new-role --tenant demo
$ keystone user-role-add --user demo --role new-role --tenant demoVerify the role assignment for the user
demo:Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-role-list --user [USER_NAME] --tenant [TENANT_NAME]
$ keystone user-role-list --user [USER_NAME] --tenant [TENANT_NAME]Example
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-role-list --user demo --tenant demo
$ keystone user-role-list --user demo --tenant demo
2.1.3. Delete a Role
Use the following command to delete a role from a user-project pair. Deleting a role ensures the associated user-project pairing is lost.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-role-remove --user [USER_NAME] --role [ROLE] --tenant [TENANT_NAME]
$ keystone user-role-remove --user [USER_NAME] --role [ROLE] --tenant [TENANT_NAME]Verify the role removal:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow keystone user-role-list --user [USER_NAME] --tenant [TENANT_NAME]
$ keystone user-role-list --user [USER_NAME] --tenant [TENANT_NAME]If the role was removed, the command output omits the removed role.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}