Default Domain ID must be "default"

asked 2016-10-28 03:27:16 -0500

theque42

I've run into conflicting information about the creation of the Default domain: whether it should be manually created with the openstack domain create command, or whether it is created by keystone-manage bootstrap to ensure that the ID becomes default, instead of a normal UUID.

But even the latest Newton docs indicate that you should use the openstack command, even though I have run into problems where the CLI complains about not finding the domain "default".

My default domain's name is Default (with a UUID), so the name/id 'default' seems to be hard-coded in there somewhere, anyway...?

It would be kind of helpful if the manuals or bootstrap commands created TWO admins. One domain-wide, and one domain-native administrator, since it's not exactly clear how to create a domain-wide admin, and/or if it can be the same user?

1 answer

answered 2016-10-31 14:34:08 -0500

volenbovsky

Hi,

- You should not be creating the default domain, and your service users should belong to this one.
- Well, you can perceive 'default' as hardcoded, likely because it is in your Keystone policy file, and then you will see something else: "cloud_admin": "rule:admin_required and domain_id:default"

Use ( ".... If you want to use your new users domain, use the domain id value from when you created that domain, which is usually a long base-16 string of hexadecimal digits, something like this:

    {
        "admin_required": "role:admin",
        "cloud_admin": "rule:admin_required and domain_id:ad8d0d5fd7e84273a9c1024083743480",
        "service_role": "role:service",

You will need to restart Keystone for the policy changes to take effect."

See also (


I don't think you understood my question. When you install your cloud, your default domain can be created either by the command keystone-manage bootstrap, which will create the Default domain, with the id set to the string "default", not a UUID, OR you can use plain "openstack domain create".

theque42 (2016-11-05 03:41:36 -0500)

The latter creates the domain with a normal UUID. In the past, I am fairly certain that the id for the Default domain was set to "default", and I am suspecting that there is code somewhere which still believes this. But current documentation for installing does NOT indicate the bootstrap command.

theque42 (2016-11-05 03:43:18 -0500)

By the way, I am quite certain that you do NOT need to restart the keystone service for policies to take effect.

theque42 (2016-11-05 03:45:55 -0500)

Thanks for the links btw, but unfortunately they don't help much in 2016, when one of them is a year old. OpenStack is moving way too fast to believe that those instructions are up to date. The RDO link is worse. Their "Create a project as a domain admin" ends with: You are not authorized to perform...

theque42 (2016-11-05 06:45:09 -0500)

It is not clear what your question is. Anyway, maybe some comments will be helpful:
- The current documentation does not indicate the keystone-manage bootstrap command because that command is for upgrade cases. Otherwise it is just there after install.

volenbovsky (2016-11-07 15:23:23 -0500)
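
The mismatch discussed in this thread, a policy rule pinned to domain_id:default while the Default domain carries a UUID, can be checked mechanically. The following is an added example, not part of the original posts and not Keystone code; the function name, the sample data and the field names ID, Name and Enabled (assumed to match the output of `openstack domain list -f json`) are assumptions.

```python
import json
import re

# Constructed sample: the policy fragment quoted in the answer, closed so it parses.
POLICY_JSON = """{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "service_role": "role:service"
}"""

# Constructed sample domain list (assumed shape of `openstack domain list -f json`).
# The UUID is the one used in the answer's quoted policy example.
DOMAINS_JSON = """[
    {"ID": "ad8d0d5fd7e84273a9c1024083743480", "Name": "Default", "Enabled": true}
]"""

DOMAIN_ID_RE = re.compile(r"\bdomain_id:([^\s()]+)")


def check_domain_refs(policy_text, domains_text):
    """Return one finding per literal domain_id referenced in the policy rules."""
    policy, domains = json.loads(policy_text), json.loads(domains_text)
    by_id = {d["ID"]: d for d in domains}
    by_name = {d["Name"].lower(): d for d in domains}
    findings = []
    for rule, expr in sorted(policy.items()):
        if not isinstance(expr, str):
            continue  # skip non-string rule values
        for ref in DOMAIN_ID_RE.findall(expr):
            if ref.startswith("%"):
                continue  # substitution such as %(domain_id)s, not a literal id
            if ref in by_id:
                status = "ok" if by_id[ref]["Enabled"] else "disabled"
                hint = None
            else:
                status = "missing"
                # If the literal matches a domain *name*, the rule probably
                # names the domain instead of using its actual id.
                match = by_name.get(ref.lower())
                hint = match["ID"] if match else None
            findings.append({"rule": rule, "domain_id": ref,
                             "status": status, "suggested_id": hint})
    return findings


if __name__ == "__main__":
    for finding in check_domain_refs(POLICY_JSON, DOMAINS_JSON):
        print(finding)
```

A "missing" finding with a suggested_id means no domain has the id the rule expects, so the rule cannot match any user's domain until either the policy or the domain id is changed.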


Asked: 2016-10-28 03:27:16 -0500

Seen: 1,999 times

Last updated: Oct 31 '16