Ask Your Question

Exclude giving access to selected tenants??

asked 2015-11-05 01:54:24 -0500

RHK gravatar image

updated 2015-11-09 03:05:16 -0500

Hi All,

I have a 20 Tenants in cloud1, Now i am creating a user with member role. while creating we are giving tenant,

ex: keystone user-create --name <user_name> --email <mail-id> --tenant-id <tenant_id> --pass <password>

above command will create a user for that tenant with member role.

I want to create user with member role for only 10 tenants (selected tenants). How can i do that with above command.


edit retag flag offensive close merge delete


If you are the cloud admin i.e the admin user you can create a user and assign him to as many as projects(tenants) you want, it's simple from the dashboard you can achieve that.

soumitrakarmakar gravatar imagesoumitrakarmakar ( 2015-11-09 03:44:30 -0500 )edit

You are right, but i wan't to do it on CLI. I don't want to give admin tenant to that user. only some selected tenants.

RHK gravatar imageRHK ( 2015-11-09 04:38:05 -0500 )edit

What do you mean by admin tenant? I guess you are confusing yourself. Just for your knowledge am giving a brief description of the roles of the tenants one can create in OpenStack. The roles are as follows: 1. admin --> cloud admin 2. demo --> just a demo tenant 3. user 4. _member_ --> same as user

soumitrakarmakar gravatar imagesoumitrakarmakar ( 2015-11-09 05:00:33 -0500 )edit

You can create other roles for that you need to edit your policy.json file which requires high level understanding of what the parameters do.

soumitrakarmakar gravatar imagesoumitrakarmakar ( 2015-11-09 05:01:53 -0500 )edit

An user can be given admin role, in that case that user would again become the cloud admin which is not suggested.

soumitrakarmakar gravatar imagesoumitrakarmakar ( 2015-11-09 05:03:02 -0500 )edit

2 answers

Sort by ยป oldest newest most voted

answered 2015-11-05 05:13:58 -0500

soumitrakarmakar gravatar image

If you could properly describe your use case, maybe we can throw some light on it. 1. Exclude access to selected tenants? what do you want to exclude from the tenants? 2. By default when we create a tenant it is assigned the _member_ role. So what is this role you are talking about?

edit flag offensive delete link more


Rephrased the question.

RHK gravatar imageRHK ( 2015-11-09 03:08:18 -0500 )edit

answered 2015-11-05 17:15:16 -0500

capsali gravatar image

updated 2015-11-09 04:31:21 -0500

Firstly for the answer above, tenants/projects do not posses roles. Roles are given to users in a specific tenant/project.

If you are asking how to have user xyz be part of 7 out of 10 tenants, then you assign member/user role to the user just in the tenants you need to! (although i think you know that already)

If not, please try to rephrase your question!


Based on your rephrase: Whne you create a user with keystone it won't automaticly assign a role into that tenant as far as i know. You must specifically assign a role for the user in a given tenant. After you create a user you assing a role to it in a given tenant like this keystone user-role-add --user=xxx --role=_member_ --tenant=xyz

As far as i know there is no way of assigning a role to multiple tenants in one command. You must issue a command for every tenant you want that user to be a part of!

What version of openstack are you using. Based on your input it must be Juno or earlier because since kilo keystone client is deprecated in favor of openstack client.

An easier way of assigning a user to multiple tenants is to use the groups future in keystone v3. So first you enable keystone v3 with v3 api, update keytone endpoints to /v3 and update services to use keystone v3 including horizon. Then you will have the option to create groups. You create a group, assign a role to as many tenants as you like to.

At this stage, for example, you have group xyz assigned the role member to 7 tenants out of 10. A group acts like a container for users. You than create a user and add it to the group.

Now the user has member role to the tenants that the group is part of!

Hope i was clear enough!

edit flag offensive delete link more


Thanks for your response. Rephrased the question

RHK gravatar imageRHK ( 2015-11-09 03:07:53 -0500 )edit

Thanks, I would like to do it from CLI not through horizon. i am using Juno version. I will check with group feature.

RHK gravatar imageRHK ( 2015-11-09 04:45:05 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-11-05 01:54:24 -0500

Seen: 91 times

Last updated: Nov 09 '15