Chapter 4. Managing groups
You can use Identity Service (keystone) groups to assign consistent permissions to multiple user accounts.
4.1. Configuring groups with the CLI
Create a group and assign permissions to the group. Members of the group inherit the same permissions that you assign to the group:
Create the group
grp-Auditors
:$ openstack group create grp-Auditors +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | | | domain_id | default | | id | 2a4856fc242142a4aa7c02d28edfdfff | | name | grp-Auditors | +-------------+----------------------------------+
View a list of keystone groups:
$ openstack group list --long +----------------------------------+--------------+-----------+-------------+ | ID | Name | Domain ID | Description | +----------------------------------+--------------+-----------+-------------+ | 2a4856fc242142a4aa7c02d28edfdfff | grp-Auditors | default | | +----------------------------------+--------------+-----------+-------------+
Grant the
grp-Auditors
group permission to access thedemo
project, while using themember
role:$ openstack role add member --group grp-Auditors --project demo
Add the existing user
user1
to thegrp-Auditors
group:$ openstack group add user grp-Auditors user1 user1 added to group grp-Auditors
Confirm that
user1
is a member ofgrp-Auditors
:$ openstack group contains user grp-Auditors user1 user1 in group grp-Auditors
Review the effective permissions that have been assigned to
user1
:$ openstack role assignment list --effective --user user1 +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+ | 9fe2ff9ee4384b1894a90878d3e92bab | 3fefe5b4f6c948e6959d1feaef4822f2 | | 0ce36252e2fb4ea8983bed2a568fa832 | | False | +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
4.2. Configuring groups with the Dashboard
You can use the dashboard to manage the membership of keystone groups. However, you must use the command-line to assign role permissions to a group. For more information, see Configuring groups with the CLI.
4.2.1. Creating a group
- Log in to the dashboard as a user with administrative privileges.
- Select Identity > Groups.
- Click +Create Group.
- Enter a name and description for the group.
- Click Create Group.
4.2.2. Managing Group membership
You can use the dashboard to manage the membership of keystone groups.
- Log in to the dashboard as a user with administrative privileges.
- Select Identity > Groups.
- Click Manage Members for the group that you want to edit.
- Use Add users to add a user to the group. If you want to remove a user, mark its checkbox and click Remove users.