Chapter 3. Group Management

3.1. Manage Keystone Groups

3.1.1. Using the Command-line

You can use Identity Service (keystone) groups to assign consistent permissions to multiple user accounts. This example creates a group and then assigns permissions to the group. As a result, members of the group will inherit the same permissions that were assigned to the group:

Note

The openstack group subcommands require keystone v3.

  1. Create the group grp-Auditors:

    $ openstack group create grp-Auditors
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | domain_id   | default                          |
    | id          | 2a4856fc242142a4aa7c02d28edfdfff |
    | name        | grp-Auditors                     |
    +-------------+----------------------------------+
  2. View a list of keystone groups:

    $ openstack group list --long
    +----------------------------------+--------------+-----------+-------------+
    | ID                               | Name         | Domain ID | Description |
    +----------------------------------+--------------+-----------+-------------+
    | 2a4856fc242142a4aa7c02d28edfdfff | grp-Auditors | default   |             |
    +----------------------------------+--------------+-----------+-------------+
  3. Grant the grp-Auditors group permission to access the demo project, while using the _member_ role:

    $ openstack role add _member_ --group grp-Auditors --project demo
  4. Add the existing user user1 to the grp-Auditors group:

    $ openstack group add user grp-Auditors user1
    user1 added to group grp-Auditors
  5. Confirm that user1 is a member of grp-Auditors:

    $ openstack group contains user grp-Auditors user1
    user1 in group grp-Auditors
  6. Review the effective permissions that have been assigned to user1:

    $ openstack role assignment list --effective --user user1
    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
    | Role                             | User                             | Group | Project                          | Domain | Inherited |
    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
    | 9fe2ff9ee4384b1894a90878d3e92bab | 3fefe5b4f6c948e6959d1feaef4822f2 |       | 0ce36252e2fb4ea8983bed2a568fa832 |        | False     |
    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

3.1.2. Using Dashboard

You can use the dashboard to manage the membership of keystone groups. You will need to use the command-line to assign role permissions to a group, as covered in the previous example.

3.1.2.1. Create a Group

  1. As an admin user in the dashboard, select Identity > Groups.
  2. Click +Create Group.
  3. Enter a name and description for the group.
  4. Click Create Group.

3.1.2.2. Manage Group Membership

You can use the dashboard to manage the membership of keystone groups.

  1. As an admin user in the dashboard, select Identity > Groups.
  2. Click Manage Members for the group you need to edit.
  3. Use Add users to add a user to the group. If you need to remove a user, mark its checkbox and click or Remove users.