Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Create admin user within single tenant

Is there a way to create admin users that have privileges only within their tenants, not global? The documentation has mentions about global admin and tenant admin.

OpenStack operation guide states:

Typical use is to only create administrative users in a single project, by convention the "admin" project which is created by default during cloud setup. If your administrative users also use the cloud to launch and manage instances it is strongly recommended that you use separate user accounts for administrative access and normal operations and that they be in distinct projects.

However the paragraph above says:

It is extremely important to note that the "admin" is global not per project so granting a user the admin role in any project gives the administrative rights across the whole cloud.

In my understanding those statements are somewhat contradictory and do not make clear if the only possibility is to have global admin, or if tenant admins with elevated permissions only within specific tenant is also possible?

Thank you.

Create admin user within single tenant

Is there a way to create admin users that have privileges only within their tenants, not global? The documentation has mentions about global admin and tenant admin.

OpenStack operation operations guide states:

Typical use is to only create administrative users in a single project, by convention the "admin" project which is created by default during cloud setup. If your administrative users also use the cloud to launch and manage instances it is strongly recommended that you use separate user accounts for administrative access and normal operations and that they be in distinct projects.

However the paragraph above says:

It is extremely important to note that the "admin" is global not per project so granting a user the admin role in any project gives the administrative rights across the whole cloud.

In my understanding those statements are somewhat contradictory and do not make clear if the only possibility is to have global admin, or if tenant admins with elevated permissions only within specific tenant is also possible?

Thank you.