Assigning users to multiple domains

System administrators can use the vinfra tool to create special service users that third-party applications use to access the compute API with administrator privileges. These users cannot log in to the admin or self-service panels. Service users are similar to system administrators with the Compute permission: they exist only within the Default domain and can view and manage all objects in the compute cluster, including compute nodes. You can assign service users to domains, which gives them the ability to create compute objects in the projects of the assigned domains (for example, to create a VM from a backup).

Service users can view virtual machines in all existing projects by specifying the all_tenants query parameter for the GET /servers request (refer to the OpenStack API documentation).

Prerequisites

To assign a service user to a domain

Use the following command:

vinfra domain user create --domain default --assign-domain <domain> compute <username>
--assign-domain <domain>
ID or name of the domain to assign the service user to
<username>
Service user name

For example, to create the service user my-service-user and assign it to the domains mydomain and mydomain2, run:

# vinfra domain user create my-service-user --domain default --assign-domain mydomain compute \
--assign-domain mydomain2 compute

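To check that the created service user is successfully assigned to the two domains, use the OpenStack client. Note that the --insecure option used below skips TLS certificate verification for the connection to the management node. For example, if the management node IP address is 10.136.16.227, run: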

# openstack --insecure --os-username my-service-user --os-user-domain-name \
Default --os-auth-url=https://10.136.16.227:5000/v3 federation domain list
Password:
+----------------------------------+---------+-----------+-------------+
| ID                               | Enabled | Name      | Description |
+----------------------------------+---------+-----------+-------------+
| 2929ff42b1e64884a05dea3011862aed | True    | mydomain  |             |
| 7e0d54797152424a9331ae904e220b88 | True    | mydomain2 |             |
+----------------------------------+---------+-----------+-------------+

You can also view the list of all projects within the assigned domains by using this command:

openstack --insecure --os-username <username> --os-user-domain-name Default --os-auth-url=https://<MN_IP_address>:5000/v3 federation project list
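
The domain check above can be turned into a repeatable least-privilege audit. The following shell function is an added example, not part of the product documentation or of vinfra: it parses the table printed by federation domain list and reports domains that are assigned but not expected, or expected but not assigned. The names audit_domains and sample_table are hypothetical, and the sample table is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit which domains a
# service user is assigned to against an expected allow-list.

# audit_domains EXPECTED_DOMAIN...
# Reads the table printed by "openstack ... federation domain list" on
# stdin. Prints one finding per line and returns non-zero on any drift.
audit_domains() {
    awk -F'|' '
        BEGIN {
            # Expected names arrive as arguments; blank them in ARGV so
            # awk reads the table from stdin instead of opening files.
            for (i = 1; i < ARGC; i++) { want[ARGV[i]] = 1; ARGV[i] = "" }
        }
        # Table rows split into 6 fields on "|"; borders have no "|".
        # Skip the header row, whose first column is "ID".
        NF >= 5 && $2 !~ /^ *ID *$/ {
            name = $4
            gsub(/^ +| +$/, "", name)
            if (name == "") next
            seen[name] = 1
            if (!(name in want)) { print "UNEXPECTED: " name; bad = 1 }
        }
        END {
            for (d in want)
                if (!(d in seen)) { print "MISSING: " d; bad = 1 }
            exit bad + 0
        }' "$@"
}

# Constructed sample input in the table format shown above.
sample_table() {
    cat <<'EOF'
+----------------------------------+---------+-----------+-------------+
| ID                               | Enabled | Name      | Description |
+----------------------------------+---------+-----------+-------------+
| 2929ff42b1e64884a05dea3011862aed | True    | mydomain  |             |
| 7e0d54797152424a9331ae904e220b88 | True    | mydomain2 |             |
+----------------------------------+---------+-----------+-------------+
EOF
}

# Assignments match the allow-list: no findings, exit status 0.
sample_table | audit_domains mydomain mydomain2 && echo "OK: assignments match"
# mydomain2 is assigned but not on the allow-list: reported as drift.
sample_table | audit_domains mydomain || echo "drift detected"
```

In real use, pipe the output of the federation domain list command into audit_domains with the domains the integration actually needs as arguments.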

To unassign a service user from a domain

Use the --unassign-domain <domain> option for the vinfra domain user set command.

vinfra domain user set --domain default --unassign-domain <domain> <username>
--unassign-domain <domain>
ID or name of the domain to unassign the service user from
<username>
Service user name

For example, to unassign the service user my-service-user from the domain mydomain, run:

# vinfra domain user set my-service-user --domain default --unassign-domain mydomain