Book Image

OpenStack Cloud Computing Cookbook

By : Egle Sigler, Kevin Jackson, Cody Bunch
Book Image

OpenStack Cloud Computing Cookbook

By: Egle Sigler, Kevin Jackson, Cody Bunch

Overview of this book

Table of Contents (19 chapters)
OpenStack Cloud Computing Cookbook Third Edition
About the Authors
About the Reviewers

Configuring roles in Keystone

Roles are the permissions given to users within a tenant. Here, we will configure two roles: an admin role that allows for the administration of our environment, and a member role that is given to ordinary users who will be using the cloud environment.

Getting ready

We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=
export OS_NO_CACHE=1
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem


You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:

vagrant ssh controller

How to do it...

To create the required roles in our OpenStack environment, perform the following steps:

  1. Create the admin role as follows:

    # admin role
    keystone role-create --name admin
    You will get an output like this:
    | Property |              Value               |
    |    id    | 625b81ae9f024366bbe023a62ab8a18d |
    |   name   |              admin               |
  2. To create the Member role, we repeat the step and specify the Member role:

    # Member role
    keystone role-create --name Member

How it works...

Creation of the roles is simply achieved by using the keystone client and specifying the role-create option with the following syntax:

keystone role-create --name role_name

The role_name attribute can't be arbitrary for admin and Member roles. The admin role has been set by default in /etc/keystone/policy.json as having administrative rights:

    "admin_required": [["role:admin"], ["is_admin:1"]]

The Member role is also configured by default in the OpenStack Dashboard, Horizon, for a non-admin user created through the web interface.

On creation of the role, the ID associated with is returned, and we can use it when assigning roles to users. To see a list of roles and the associated IDs in our environment, we can issue the following command:

keystone role-list