Managing object users, roles, and projects

IBM Spectrum Scale for object storage uses the keystone service for identity management. Keystone provides user authentication and authorization processes.

You can use an external Microsoft Active Directory or LDAP server or a local database as the back-end that stores and manages user credentials for authentication. The authorization details, such as the relationship of users to projects and roles, are maintained locally by the Keystone server. The customer selects the authentication server to be used. For example, if AD is already configured in the environment and the users who need access to the object store are part of AD, the customer can configure Keystone with AD as the authentication and authorization back-end.

When the back-end authentication server is AD or LDAP, user management operations such as creating or deleting a user are the responsibility of the AD/LDAP administrator, who can optionally also be the Keystone server administrator. When local authentication is used for object access, user management operations are done by the Keystone administrator. Authorization management tasks, such as creating roles and projects and associating users with them, are done by the Keystone administrator. Keystone administration can be done through the Keystone V3 REST API or by using the OpenStack Python-based client.

Before you start creating object users and projects, ensure that the Keystone server is configured and the authentication servers are set up properly.
Note:
  • If the cluster is reachable from the system, the OpenStack command can be issued from any system.
  • If the OpenStack command is run from any of the protocol nodes, then you can use the openrc file to set the required environment that is used by OpenStack commands to manage the Keystone server. The advantage of using the openrc file is that you are not required to enter the following details every time you enter the commands: --os-identity-api-version, --os-username, --os-password, --os-project-domain-name, --os-user-domain-name, --os-domain-id, and --os-auth-url.
  • The user create, update, and delete operations are only applicable when local authentication method is used for object access.
  • For more information on the Keystone V3 REST API, see the OpenStack API Documentation (developer.openstack.org/api-ref-identity-v3.html).

Creating a new user

When creating a new user in the local database to support local authentication for object access, first load the openrc file, located under /root/openrc by default. Run 'source /root/openrc' to load the required environment variables into your current shell session. The contents will look similar to this:
export OS_AUTH_URL="http://cesobjnode:35357/v3"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD="Passw0rd"
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
Use the openstack user create command and enter the parameters manually, as shown in the following example, to create a new user in the local database to support local authentication for object access:
# openstack --os-identity-api-version 3 --os-username admin --os-password Passw0rd \
  --os-project-domain-name Default --os-user-domain-name Default --os-domain-id default \
  --os-auth-url http://specscaleswift.example.com:35357/v3 \
  user create --password-prompt --email newuser1@localdomain.com --domain default newuser1
User Password:
Repeat User Password:
+-----------+------------------------------------------------------------------------------+
| Field     | Value                                                                        |
+-----------+------------------------------------------------------------------------------+
| domain_id | default                                                                      |
| email     | newuser1@localdomain.com                                                     |
| enabled   | True                                                                         |
| id        | 2a3ef8031359457292274bcd70e34d00                                             |
| name      | newuser1                                                                     |
+-----------+------------------------------------------------------------------------------+

GUI navigation

To work with this function in the IBM Spectrum Scale GUI, log on to the GUI and select Object > Users.

Listing users

Use the openstack user list command as shown in the following example to list users who are created in the local database:
# source $HOME/openrc
# openstack user list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 2a3ef8031359457292274bcd70e34d00 | newuser1 |
| a95783144edd414aa236a3d1582a3067 | admin    |
+----------------------------------+----------+

Changing the password of a user

Use the openstack user set command to update the object user details. The following example shows how to change the password:
# openstack user set --password Passw0rd newuser2

Deleting a user

Use the openstack user delete command as shown in the following example to delete the users who are created in the local database:
# openstack user delete newuser2

Listing user roles

Use the openstack role list command as shown in the following example to list the user roles:
# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| ed38022b46094a51918e6e46f87e7290 | admin |
+----------------------------------+-------+

Creating a new role

Perform the following steps to create a new user role:
  1. Issue the openstack role create command to create a new user role:
    # openstack role create member
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 1f14f95826fe4c8590760b3d3e4ce7e0 |
    | name      | member                           |
    +-----------+----------------------------------+
  2. Verify the newly created role by using the openstack role list command:
    # openstack role list
    +----------------------------------+--------+
    | ID                               | Name   |
    +----------------------------------+--------+
    | 1f14f95826fe4c8590760b3d3e4ce7e0 | member |
    | ed38022b46094a51918e6e46f87e7290 | admin  |
    +----------------------------------+--------+

GUI navigation

To work with this function in the IBM Spectrum Scale GUI, log on to the GUI and select Object > Roles.

Assigning a role to a user

Perform the following steps to assign a user role to a user:
  1. Issue the openstack role add command to assign role to a user as shown in the following example:
    # openstack role add --user newuser1 --domain default member
  2. Submit the openstack role list command to verify the user role of the user as shown in the following example:
    # openstack role list --user newuser1
    +----------------------------------+--------+
    | ID                               | Name   |
    +----------------------------------+--------+
    | 1f14f95826fe4c8590760b3d3e4ce7e0 | member |
    +----------------------------------+--------+

Creating a new project, adding a user, and assigning a role to the user

Perform the following steps to create a new project and add a user to the project with a specified role:
  1. Submit the openstack project create command to create a new project:
    # openstack project create newproject
    +-------------+--------------------------------------------------------------------------+
    | Field       | Value                                                                    |
    +-------------+--------------------------------------------------------------------------+
    | description |                                                                          |
    | domain_id   | default                                                                  |
    | enabled     | True                                                                     |
    | id          | 2dfcbdb70b75435fb2015c86d46ffc0b                                         |
    | is_domain   | False                                                                    |
    | name        | newproject                                                               |
    | parent_id   | None                                                                     |
    +-------------+--------------------------------------------------------------------------+
  2. Submit the openstack role add command to add a role to the user as shown in the following example:
    # openstack role add --user newuser1 --project newproject member
    # openstack role add --user newuser1 --project newproject admin
  3. Submit the openstack role list command to list the user roles as shown in the following example:
    # openstack role list --user newuser1 --project newproject
    +----------------------------------+--------+------------+----------+
    | ID                               | Name   | Project    | User     |
    +----------------------------------+--------+------------+----------+
    | 1f14f95826fe4c8590760b3d3e4ce7e0 | member | newproject | newuser1 |
    | ed38022b46094a51918e6e46f87e7290 | admin  | newproject | newuser1 |
    +----------------------------------+--------+------------+----------+
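The user, role and project steps above expressed as Keystone V3 REST calls, added here as an example (not IBM Spectrum Scale or OpenStack code): it reads the OS_* variables that the openrc file exports, assumes a Keystone V3 endpoint at OS_AUTH_URL, and ends with a least-privilege check that reports roles the user holds beyond the ones planned (in the procedure above newuser1 ends up with both member and admin in newproject). The function names (token_request, roles_in_project, unexpected_roles, keystone) are this example's own.

```python
import json
import os
import urllib.request

def token_request(env):
    """Body for POST /v3/auth/tokens from the OS_* variables that 'source /root/openrc'
    exports: password method, scoped to OS_PROJECT_NAME in OS_PROJECT_DOMAIN_NAME."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}}},
        "scope": {"project": {"name": env["OS_PROJECT_NAME"],
                              "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}

def role_assignment_path(project_id, user_id, role_id):
    """PUT on this path is what 'openstack role add --user U --project P R' performs."""
    return f"/v3/projects/{project_id}/users/{user_id}/roles/{role_id}"

def roles_in_project(assignments, roles_by_id, project_id):
    """Role names granted in one project, from a GET /v3/role_assignments response
    (the data behind 'openstack role list --user newuser1 --project newproject')."""
    return sorted(roles_by_id[a["role"]["id"]] for a in assignments["role_assignments"]
                  if a.get("scope", {}).get("project", {}).get("id") == project_id)

def unexpected_roles(granted, expected):
    """Least-privilege check: roles held that the onboarding plan did not ask for."""
    return sorted(set(granted) - set(expected))

def keystone(env, token, method, path, body=None):
    """One JSON request to the server in OS_AUTH_URL (network; not used offline)."""
    base = env["OS_AUTH_URL"].split("/v3")[0]
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json", **({"X-Auth-Token": token} if token else {})}
    req = urllib.request.Request(base + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # 204 No Content on role assignment -> empty body
        return resp.headers.get("X-Subject-Token"), json.loads(raw) if raw else {}

if __name__ == "__main__":  # run after 'source /root/openrc'
    env = dict(os.environ)
    token, _ = keystone(env, None, "POST", "/v3/auth/tokens", token_request(env))
    _, proj = keystone(env, token, "POST", "/v3/projects",
                       {"project": {"name": "newproject", "domain_id": "default"}})
    _, user = keystone(env, token, "GET", "/v3/users?name=newuser1&domain_id=default")
    _, role = keystone(env, token, "GET", "/v3/roles?name=member")
    pid, uid, rid = proj["project"]["id"], user["users"][0]["id"], role["roles"][0]["id"]
    keystone(env, token, "PUT", role_assignment_path(pid, uid, rid))
    _, got = keystone(env, token, "GET", f"/v3/role_assignments?user.id={uid}&scope.project.id={pid}")
    names = {r["id"]: r["name"] for r in keystone(env, token, "GET", "/v3/roles")[1]["roles"]}
    granted = roles_in_project(got, names, pid)
    print("granted:", granted, "unexpected:", unexpected_roles(granted, ["member"]))
```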

Listing endpoints

Use the openstack endpoint list command as shown in the following example to view the endpoints that are available:
# openstack endpoint list
+------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------------------+
| ID         | Region    | Service Name | Service Type | Enabled | Interface | URL                                                          |
+------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------------------+
| c36e..9da5 | RegionOne | keystone     | identity     | True    | public    | http://specscaleswift.example.com:5000                       |
| f4d6..b040 | RegionOne | keystone     | identity     | True    | internal  | http://specscaleswift.example.com:35357                      |
| d390..0bf6 | RegionOne | keystone     | identity     | True    | admin     | http://specscaleswift.example.com:35357                      |
| 2e63..f023 | RegionOne | swift        | object-store | True    | public    | http://specscaleswift.example.com:8080/v1/AUTH_%(tenant_id)s |
| cd37..9597 | RegionOne | swift        | object-store | True    | internal  | http://specscaleswift.example.com:8080/v1/AUTH_%(tenant_id)s |
| a349..58ef | RegionOne | swift        | object-store | True    | admin     | http://specscaleswift.example.com:8080                       |
+------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------------------+