Assigning users to multiple domains
By using the vinfra tool, system administrators can create special service users that third-party applications can use to access the compute API with administrator privileges. These users cannot log in to the admin or self-service panels. Service users are similar to system administrators with the Compute permission: they exist only within the Default domain and can view and manage all objects in the compute cluster, including compute nodes. You can assign service users to domains, thus giving them the ability to create compute objects in projects of these assigned domains (for example, to create a VM from a backup).
Service users can view virtual machines in all existing projects by specifying the all_tenants query parameter for the GET /servers request (refer to the OpenStack API documentation).
Prerequisites
- To authorize further OpenStack commands, the OpenStack command-line client must be configured, as outlined in Connecting to OpenStack command-line interface.
To assign a service user to a domain
Use the following command:
vinfra domain user create --domain default --assign-domain <domain> compute <username>
--assign-domain <domain>
- ID or name of the domain to assign the service user to
<username>
- Service user name
For example, to create the service user my-service-user and assign it to the domains mydomain and mydomain2, run:
# vinfra domain user create my-service-user --domain default --assign-domain mydomain compute \
--assign-domain mydomain2 compute
To check that the created service user is successfully assigned to the two domains, use the OpenStack client. For example, if the management node IP address is 10.136.16.227, run:
# openstack --insecure --os-username my-service-user --os-user-domain-name \
Default --os-auth-url=https://10.136.16.227:5000/v3 federation domain list
Password:
+----------------------------------+---------+-----------+-------------+
| ID                               | Enabled | Name      | Description |
+----------------------------------+---------+-----------+-------------+
| 2929ff42b1e64884a05dea3011862aed | True    | mydomain  |             |
| 7e0d54797152424a9331ae904e220b88 | True    | mydomain2 |             |
+----------------------------------+---------+-----------+-------------+
You can also view the list of all projects within the assigned domains by using this command:
openstack --insecure --os-username <username> --os-user-domain-name Default --os-auth-url=https://<MN_IP_address>:5000/v3 federation project list
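Because a service user holds administrator privileges in every assigned domain, it is worth comparing the actual assignments with the intended ones after each change. The following script is an added example, not part of the product or its documentation: it parses the table printed by federation domain list and reports any domain that is assigned but not expected, or expected but not assigned. The function names (sample_output, assigned_domains, audit_domains) and the allow-list passed as arguments are assumptions made for illustration; the sample table is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: audit a service user's domain assignments against an allow-list.

# Constructed sample input: the table from the example output above.
sample_output() {
cat <<'EOF'
+----------------------------------+---------+-----------+-------------+
| ID                               | Enabled | Name      | Description |
+----------------------------------+---------+-----------+-------------+
| 2929ff42b1e64884a05dea3011862aed | True    | mydomain  |             |
| 7e0d54797152424a9331ae904e220b88 | True    | mydomain2 |             |
+----------------------------------+---------+-----------+-------------+
EOF
}

# Read the table on stdin and print the Name column, one domain per line.
# The first row starting with "|" is the header and is skipped.
assigned_domains() {
    awk -F'|' '/^\|/ {
        if (++row == 1) next
        name = $4
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        if (name != "") print name
    }' | sort -u
}

# audit_domains <allowed domain>...   (table on stdin)
# Prints one UNEXPECTED/MISSING line per deviation; returns 1 if any is found.
audit_domains() {
    allowed=$(printf '%s\n' "$@" | sort -u)
    actual=$(assigned_domains)
    rc=0
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        printf '%s\n' "$allowed" | grep -qxF -- "$d" || { echo "UNEXPECTED $d"; rc=1; }
    done <<EOF
$actual
EOF
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        printf '%s\n' "$actual" | grep -qxF -- "$d" || { echo "MISSING $d"; rc=1; }
    done <<EOF
$allowed
EOF
    return "$rc"
}

sample_output | audit_domains mydomain mydomain2 && echo "assignments match the allow-list"
```

To run it against a live cluster, pipe the output of the federation domain list command shown above into audit_domains in place of sample_output. Passing --os-cacert <CA bundle file> instead of --insecure keeps TLS certificate verification of the Keystone endpoint enabled while doing so.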
To unassign a service user from a domain
Use the --unassign-domain <domain> option for the vinfra domain user set command.
vinfra domain user set --domain default --unassign-domain <domain> <username>
--unassign-domain <domain>
- ID or name of the domain to unassign the service user from
<username>
- Service user name
For example, to unassign the service user my-service-user from the domain mydomain, run:
# vinfra domain user set my-service-user --domain default --unassign-domain mydomain