OpenStack(2)--project (tenant), user, role

1. Relationship between project (tenant), user and role

The key is the relationship between project (also called tenant), user and role. The three are created independently; what binds them together is the openstack role add command.

project (project/tenant)

Older OpenStack releases had the concept of a tenant; newer releases gradually replaced it with project. Put simply, a tenant is a project and a project is a tenant. From here on I will only say project.

user

Users and projects have a many-to-many relationship. A project can have multiple users, and a user can also exist in multiple projects at the same time.

role

A role is a collection of permissions. A project can have multiple users, but their permissions need not be the same: a project can have several users with the admin role or several with _member_, and the difference in permissions is decided by the role. Likewise, one user can belong to several projects at the same time with a different role in each. For example, user Z is admin in project A but _member_ in project B. OpenStack ships with 4 default roles (this may differ between versions, but there are at least 2: admin and member); in the Q release (Queens) the 4 defaults are SwiftOperator, admin, _member_ and ResellerAdmin.

2. Create project (tenant), user, binding

Create the project (tenant), create the user, then bind the user to the project with a role:

[root@localhost ~(keystone_admin)]# openstack project create --domain default --description "learn to ues Openstack" test
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | learn to ues Openstack           |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 2dd4545690d849dd881c454f472524c7 |
| is_domain   | False                            |
| name        | test                             |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@localhost ~(keystone_admin)]# openstack user create --domain default --password-prompt lgb
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | ea90a34c00ef45b4a2b83d1ea69a0b91 |
| name                | lgb                              |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+


###新建lgb用户角色为_menber_ 并绑定项目test
[root@localhost ~(keystone_admin)]# openstack role add --project test --user lgb _member_

The newly created user lgb has the _member_ role and is bound to project test. An ordinary _member_ user can only operate within the bound project (including creating networks and instances) and cannot manage the members of that project (it can only change its own password).

Use openstack role list to view the list of roles, and openstack role show _member_ to display the details of a role.

[root@localhost ~(keystone_admin)]# openstack role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 53d1711053f74530950e45a8a2f75ed2 | SwiftOperator |
| 904ccc9da08f4cb9bd9cb49f0d01b8a2 | admin         |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_      |
| b69b66c9e9144633a7330d2bc5f0f38f | ResellerAdmin |
+----------------------------------+---------------+

[root@localhost ~(keystone_admin)]# openstack role show _member_
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 9fe2ff9ee4384b1894a90878d3e92bab |
| name      | _member_                         |
+-----------+----------------------------------+

Next, give the newly created user lgb0 the _member_ role in the admin project and the admin role in the test project:

[root@localhost ~(keystone_admin)]# openstack role add --project admin --user lgb0 _member_
[root@localhost ~(keystone_admin)]# openstack role add --project test --user lgb0 admin

After logging in as lgb0 you will find that lgb0 can freely switch between the two projects (test/admin), but when the "admin" project is selected, the "Admin (administrator)" entry is missing from the left-hand navigation bar, because in the admin project lgb0 is only an ordinary _member_.

Identity management permissions also differ: admin users can edit "Groups" and "Roles".

At this point user lgb0 belongs to two projects at the same time, with a different role in each. Note, however, that if a user's role in any project is admin, that user's permissions are equivalent to those of the OpenStack system admin user; the two are equal.
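Two points above call for a check an operator can actually run: the many-to-many user/project mapping (one user, several projects, a different role in each), and the warning that admin in any single project is equivalent to system-wide admin. The script below is an added example, not part of the original post or of OpenStack itself. It parses a constructed sample of what openstack role assignment list --names -f csv prints (the column set Role, User, Group, Project, Domain, System, Inherited is assumed; the user and project names mirror the page's lgb/lgb0 example, with one extra constructed service line), lists the projects a user holds roles in, and reports every user who holds admin on any project that is not on an approved list.

```shell
#!/bin/sh
# Constructed sample of `openstack role assignment list --names -f csv` output.
# Not real output from the page's deployment; assumed column layout.
SAMPLE_ASSIGNMENTS='"Role","User","Group","Project","Domain","System","Inherited"
"_member_","lgb@Default","","test@Default","","","False"
"_member_","lgb0@Default","","admin@Default","","","False"
"admin","lgb0@Default","","test@Default","","","False"
"admin","admin@Default","","admin@Default","","","False"
"SwiftOperator","svc_swift@Default","","service@Default","","","False"'

# projects_for_user USER: projects in which USER holds any role, sorted,
# space separated. Shows the many-to-many mapping from the user's side.
projects_for_user() {
    printf '%s\n' "$SAMPLE_ASSIGNMENTS" | awk -F'","' -v u="$1" '
        NR > 1 {
            sub(/^"/, "", $1)            # strip the leading quote of the Role column
            split($2, usr, "@")          # "lgb0@Default" -> usr[1] = "lgb0"
            split($4, prj, "@")          # "test@Default" -> prj[1] = "test"
            if (usr[1] == u) print prj[1]
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# admin_holders: every user with the admin role on ANY project, sorted.
# Per the text, admin on one project equals system-wide admin, so this is
# the list that must be reviewed, regardless of which project granted it.
admin_holders() {
    printf '%s\n' "$SAMPLE_ASSIGNMENTS" | awk -F'","' '
        NR > 1 {
            sub(/^"/, "", $1)
            if ($1 == "admin") { split($2, usr, "@"); print usr[1] }
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit_unexpected_admins "approved users": prints admin holders that are not
# on the approved list; exit status 0 when the list is clean, 1 otherwise.
audit_unexpected_admins() {
    approved=" $1 "
    unexpected=""
    for u in $(admin_holders); do
        case "$approved" in
            *" $u "*) ;;                              # approved, skip
            *) unexpected="$unexpected $u" ;;          # unexpected admin holder
        esac
    done
    unexpected="${unexpected# }"
    printf '%s\n' "$unexpected"
    [ -z "$unexpected" ]
}

# Example run on the constructed data: only "admin" is approved, so lgb0,
# who is admin in project test, is reported.
audit_unexpected_admins "admin" || echo "review the admin holders listed above"
```

On a real deployment, replace SAMPLE_ASSIGNMENTS with the live CSV output and run the audit from a cron job or CI step: any user that appears in the output without being on the approved list has, in effect, full administrative rights over the whole cloud, even if the role was granted on a project that looked harmless.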

Origin blog.csdn.net/weixin_48878440/article/details/131291546