OpenStack Add Project and Users
Projects (formerly called tenants) are the fundamental organizational unit in OpenStack. Every resource—VMs, networks, volumes—belongs to a project. Users are granted roles within projects to control access. This guide covers creating projects and users with Keystone in OpenStack 2024.2 Dalmatian.
Keystone Concepts
| Concept | Description |
|---|---|
| Domain | Top-level grouping (default domain is default) |
| Project | Resource container; all quotas and billing apply here |
| User | An individual identity |
| Role | Permission set (admin, member, reader) |
| Group | Collection of users for bulk role assignment |
Prerequisites
- OpenStack 2024.2 Dalmatian with Keystone operational
- Admin credentials sourced (source openrc admin admin)
Step 1: Create a Project
openstack project create \
--domain default \
--description "Web application team" \
webapp-team
Verify:
openstack project show webapp-team
Step 2: Create Users
openstack user create \
--domain default \
--project webapp-team \
--password SecurePass123 \
--email alice@example.com \
alice
openstack user create \
--domain default \
--project webapp-team \
--password SecurePass456 \
--email bob@example.com \
bob
Step 3: Assign Roles
OpenStack uses three built-in roles:
| Role | Permissions |
|---|---|
| admin | Full access to all resources across all projects |
| member | Create, modify, and delete resources in the assigned project |
| reader | Read-only access to resources in the assigned project |
Assign roles to users within the project:
# Alice as admin (per the table above, admin access is not limited to this project)
openstack role add --project webapp-team --user alice admin
# Bob as regular member
openstack role add --project webapp-team --user bob member
Verify assignments:
openstack role assignment list --project webapp-team --names
Step 4: Set Project Quotas
Limit the resources the project can consume:
# Compute quotas
openstack quota set --instances 20 --cores 40 --ram 81920 webapp-team
# Network quotas
openstack quota set --floating-ips 5 --networks 5 --routers 3 webapp-team
# Storage quotas
openstack quota set --volumes 50 --gigabytes 1000 webapp-team
View current quotas:
openstack quota show webapp-team
Step 5: Create an openrc File for the Project
Create a credential file for project users. It stores the password in cleartext, so keep it readable only by its owner:
cat > webapp-openrc.sh <<EOF
export OS_AUTH_URL=http://controller:5000/v3
export OS_PROJECT_NAME=webapp-team
export OS_PROJECT_DOMAIN_NAME=default
export OS_USERNAME=alice
export OS_PASSWORD=SecurePass123
export OS_USER_DOMAIN_NAME=default
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
Test it:
source webapp-openrc.sh
openstack token issue
openstack server list
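A variant of the Step 5 credential file that keeps the password off disk, added here as an example (it is not part of the original guide). The function name write_openrc is hypothetical, and the example assumes the Keystone endpoint is served over HTTPS, so it rejects the guide's http:// URL.

```bash
# write_openrc FILE AUTH_URL PROJECT USER   (hypothetical helper, added example)
# Writes an owner-only openrc that prompts for the password when sourced.
write_openrc() {
    file=$1 auth_url=$2 project=$3 user=$4

    # Passwords and tokens cross this URL, so refuse cleartext HTTP.
    case $auth_url in
        https://*) ;;
        *) echo "refusing non-HTTPS auth URL: $auth_url" >&2; return 1 ;;
    esac

    # The file is sourced later: accept only characters that cannot break
    # out of an export line and run as shell code.
    for value in "$auth_url" "$project" "$user"; do
        case $value in
            ''|*[!A-Za-z0-9._:/-]*) echo "unsafe value: $value" >&2; return 1 ;;
        esac
    done

    # Subshell keeps the caller's umask unchanged. Removing any old file
    # first matters: umask does not tighten the mode of an existing file.
    (
        umask 077
        rm -f -- "$file"
        {
            printf 'export OS_AUTH_URL=%s\n' "$auth_url"
            printf 'export OS_PROJECT_NAME=%s\n' "$project"
            printf 'export OS_USERNAME=%s\n' "$user"
            cat <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# Ask for the password at source time instead of storing it.
printf 'Password for %s: ' "$OS_USERNAME" >&2
stty -echo 2>/dev/null || true
IFS= read -r OS_PASSWORD
stty echo 2>/dev/null || true
echo >&2
export OS_PASSWORD
EOF
        } > "$file"
    )
}
```

Source the generated file the same way as in the test step above. For Step 2, `openstack user create` accepts `--password-prompt` in place of `--password`, which keeps the password out of shell history and the process list.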
Step 6: Use Groups for Bulk Management
Groups simplify role management when you have many users:
# Create a group
openstack group create --domain default webapp-developers
# Add users to the group
openstack group add user webapp-developers alice
openstack group add user webapp-developers bob
# Assign role to the entire group
openstack role add --project webapp-team --group webapp-developers member
Step 7: Enable LDAP or Federation (Optional)
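For enterprise environments, Keystone supports LDAP and federated identity. The ldap:// URL below is unencrypted, so the bind password and user logins cross the network in cleartext; use a TLS-protected connection outside a lab: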
# /etc/keystone/keystone.conf
[identity]
driver = ldap
[ldap]
url = ldap://ldap.example.com
user = cn=admin,dc=example,dc=com
password = ldap-password
user_tree_dn = ou=users,dc=example,dc=com
user_objectclass = inetOrgPerson
Managing Multiple Projects
List all projects and their status:
openstack project list --long
Disable a project (prevents all resource operations):
openstack project set --disable webapp-team
Re-enable:
openstack project set --enable webapp-team
Troubleshooting
| Issue | Fix |
|---|---|
| User cannot create VMs | Check role assignment and project quotas |
| Not authorized error | Verify the user has the correct role in the project |
| Token issue fails | Check auth URL, credentials, and Keystone service |
| Quota exceeded | Increase quota or clean up unused resources |
Summary
Projects and users are the foundation of OpenStack multi-tenancy. Create projects for each team or application, assign users with appropriate roles, and set quotas to control resource consumption.