2.2. Manage Users
2.2.1. Create a User
- As an admin user in the dashboard, select Identity > Users.
- Click Create User.
- Enter a user name, email, and preliminary password for the user.
- Select a project from the Primary Project list.
- Select a role for the user from the Role list (the default role is _member_).
- Click Create User.
2.2.2. Enable or Disable a User
You can disable or enable only one user at a time.
- As an admin user in the dashboard, select Identity > Users.
- In the Actions column, click the arrow, and select Enable User or Disable User. In the Enabled column, the value then updates to either True or False.
2.2.3. Delete a User
- As an admin user in the dashboard, select Identity > Users.
- Select the users to delete.
- Click Delete Users.
- Click .
Note
You cannot undo the delete action.
2.2.4. Manage Roles
2.2.4.1. View Roles
To list the available roles:
$ keystone role-list
+----------------------------------+---------------+
|                id                |      name     |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f |     Member    |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab |    _member_   |
| 6ecf391421604da985db2f141e46a7c8 |     admin     |
+----------------------------------+---------------+
To get details for a specified role:
$ keystone role-get ROLE
Example 2.1.
$ keystone role-get admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 6ecf391421604da985db2f141e46a7c8 |
|   name   |              admin               |
+----------+----------------------------------+
2.2.4.2. Create and Assign a Role
Users can be members of multiple projects. To assign users to multiple projects, create a role and assign that role to a user-project pair.
Note
Either the name or ID can be used to specify users, roles, or projects.
- Create the new-role role:
$ keystone role-create --name ROLE_NAME
Example 2.2.
$ keystone role-create --name new-role
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 61013e7aa4ba4e00a0a1ab4b14bc6b2a |
|   name   |             new-role             |
+----------+----------------------------------+
- To assign a user to a project, you must assign the role to a user-project pair. To do this, you need the user, role, and project names or IDs.
- List users:
$ keystone user-list
- List roles:
$ keystone role-list
- List projects:
$ keystone tenant-list
- Assign a role to a user-project pair.
$ keystone user-role-add --user USER_NAME --role ROLE_NAME --tenant TENANT_NAME
Example 2.3.
In this example, you assign the new-role role to the demo-demo pair:
$ keystone user-role-add --user demo --role new-role --tenant demo
- Verify the role assignment for the user demo:
$ keystone user-role-list --user USER_NAME --tenant TENANT_NAME
Example 2.4.
$ keystone user-role-list --user demo --tenant demo
2.2.4.3. Delete a Role
- Remove a role from a user-project pair:
$ keystone user-role-remove --user USER_NAME --role ROLE --tenant TENANT_NAME
- Verify the role removal:
$ keystone user-role-list --user USER_NAME --tenant TENANT_NAME
If the role was removed, the command output omits the removed role.
2.2.5. View Compute Quotas for a Project User
To list the currently set quota values for a project user (tenant user), run:
$ nova quota-show --user USER --tenant TENANT
Example 2.5.
$ nova quota-show --user demoUser --tenant demo
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 5     |
| fixed_ips                   | -1    |
| metadata_items              | 128   |
| injected_files              | 5     |
| injected_file_content_bytes | 10240 |
| injected_file_path_bytes    | 255   |
| key_pairs                   | 100   |
| security_groups             | 10    |
| security_group_rules        | 20    |
| server_groups               | 10    |
| server_group_members        | 10    |
+-----------------------------+-------+
2.2.6. Update Compute Quotas for a Project User
Procedure 2.1. Update Compute Quotas for User
To update a particular quota value, run:
$ nova quota-update --user USER --QUOTA_NAME QUOTA_VALUE TENANT
Example 2.6.
$ nova quota-update --user demoUser --floating-ips 10 demo
$ nova quota-show --user demoUser --tenant demo
+-----------------------------+-------+
| Quota                       | Limit |
+-----------------------------+-------+
| instances                   | 10    |
| cores                       | 20    |
| ram                         | 51200 |
| floating_ips                | 10    |
| ...                         |       |
+-----------------------------+-------+
Note
To view a list of options for the quota-update command, run:
$ nova help quota-update
2.2.7. Configure Role Access Control
A user can have different roles in different tenants. A user can also have multiple roles in the same tenant.
The /etc/[SERVICE_CODENAME]/policy.json file controls the tasks that users can perform for a given service. For example:
- /etc/nova/policy.json specifies the access policy for the Compute service.
- /etc/glance/policy.json specifies the access policy for the Image Service.
- /etc/keystone/policy.json specifies the access policy for the Identity Service.
The default policy.json files for the Compute, Identity, and Image services recognize only the admin role; all operations that do not require the admin role are accessible by any user that has any role in a tenant.
For example, if you want to restrict users from performing operations in the Compute service, you must create a role in the Identity service, give users that role, and then modify /etc/nova/policy.json so that the role is required for Compute operations.
Example 2.7.
The following line in /etc/nova/policy.json specifies that there are no restrictions on which users can create volumes; if the user has any role in a tenant, they can create volumes in that tenant.
"volume:create": [],
Example 2.8.
To restrict creation of volumes to users who have the compute-user role in a particular tenant, you would add "role:compute-user" to the Compute policy:
"volume:create": ["role:compute-user"],
Example 2.9.
To restrict all Compute service requests to require this role, values in the file might look like the following (not a complete example):
{"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
"default": [["rule:admin_or_owner"]],
"compute:create": ["role:compute-user"],
"compute:create:attach_network": ["role:compute-user"],
"compute:create:attach_volume": ["role:compute-user"],
"compute:get_all": ["role:compute-user"],
"compute:unlock_override": ["rule:admin_api"],
"admin_api": [["role:admin"]],
"compute_extension:accounts": [["rule:admin_api"]],
"compute_extension:admin_actions": [["rule:admin_api"]],
"compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:lock": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:unlock": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
"compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
"compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
"compute_extension:admin_actions:migrate": [["rule:admin_api"]],
"compute_extension:aggregates": [["rule:admin_api"]],
"compute_extension:certificates": ["role:compute-user"],
"compute_extension:cloudpipe": [["rule:admin_api"]],
"compute_extension:console_output": ["role:compute-user"],
"compute_extension:consoles": ["role:compute-user"],
"compute_extension:createserverext": ["role:compute-user"],
"compute_extension:deferred_delete": ["role:compute-user"],
"compute_extension:disk_config": ["role:compute-user"],
"compute_extension:evacuate": [["rule:admin_api"]],
"compute_extension:extended_server_attributes": [["rule:admin_api"]],
...
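To make the rule semantics of the policy.json fragment above concrete, here is an added example (not OpenStack's own oslo.policy code) that evaluates list-of-lists rules against a caller's roles and project, so you can check what a policy change such as Example 2.8 actually permits before deploying it. The policy it loads is a constructed sample mirroring Examples 2.7 to 2.9, and the shape of the credential and target dictionaries is an assumption.

```python
"""Evaluator for the list-of-lists policy.json rule format shown above.

Added example, not OpenStack's own oslo.policy code. Semantics as the text
describes: [] means no restriction; outer list = OR, inner list = AND;
"role:X" needs role X; "rule:X" refers to another named rule;
"project_id:%(project_id)s" must match the target; an action with no entry
falls back to "default".
"""
import json

# Constructed sample mirroring Examples 2.7-2.9 (not a complete nova policy).
SAMPLE_POLICY = json.loads("""{
  "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
  "default": [["rule:admin_or_owner"]],
  "admin_api": [["role:admin"]],
  "volume:create": [],
  "compute:create": ["role:compute-user"],
  "compute_extension:admin_actions:migrate": [["rule:admin_api"]]
}""")


def _check(term, policy, creds, target):
    """Evaluate one "kind:value" term against the caller's credentials."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(policy, value, creds, target)
    # Generic attribute check: interpolate the right-hand side from the target
    # (e.g. %(project_id)s), then compare with the same credential attribute.
    try:
        expected = value % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def enforce(policy, action, creds, target):
    """Return True if creds may perform action on target under policy."""
    rule = policy.get(action, policy.get("default"))
    if rule is None:                   # no entry and no "default": deny
        return False
    if not rule:                       # []: any user with any role in the tenant
        return True
    # The page's rules mix ["role:x"] and [["role:x"]]; treat a bare string as a
    # one-term AND clause, as the legacy parser does.
    clauses = [c if isinstance(c, list) else [c] for c in rule]
    return any(all(_check(t, policy, creds, target) for t in clause)
               for clause in clauses)
```

Running the same call before and after replacing "volume:create": [] with [["role:compute-user"]] shows the Example 2.8 change turning a plain _member_ user's request from allowed into denied.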