Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles.

  1. Although the “default” domain already exists from the keystone-manage bootstrap step in this guide, a formal way to create a new domain would be:

    $ openstack domain create --description "An Example Domain" example
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 2f4f80574fd84fe6ba9067228ae0a50c |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    
  2. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:

    $ openstack project create --domain default \
      --description "Service Project" service
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 24ac7f19cd944f4cba1d77469b2a73ed |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    
  3. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the myproject project and myuser user.

    • Create the myproject project:

      $ openstack project create --domain default \
        --description "Demo Project" myproject
      
      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description | Demo Project                     |
      | domain_id   | default                          |
      | enabled     | True                             |
      | id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
      | is_domain   | False                            |
      | name        | myproject                        |
      | parent_id   | default                          |
      | tags        | []                               |
      +-------------+----------------------------------+
      

      Note

      Do not repeat this step when creating additional users for this project.

    • Create the myuser user:

      $ openstack user create --domain default \
        --password-prompt myuser
      
      User Password:
      Repeat User Password:
      +---------------------+----------------------------------+
      | Field               | Value                            |
      +---------------------+----------------------------------+
      | domain_id           | default                          |
      | enabled             | True                             |
      | id                  | aeda23aa78f44e859900e22c24817832 |
      | name                | myuser                           |
      | options             | {}                               |
      | password_expires_at | None                             |
      +---------------------+----------------------------------+
      
    • Create the myrole role:

      $ openstack role create myrole
      
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | None                             |
      | id        | 997ce8d05fc143ac97d83fdfb5998552 |
      | name      | myrole                           |
      +-----------+----------------------------------+
      
    • Add the myrole role to the myproject project and myuser user:

      $ openstack role add --project myproject --user myuser myrole
      

      Note

      This command provides no output.

Note

You can repeat this procedure to create additional projects and users.