8.16. Assigning users to multiple domains

Using the vinfra tool, system administrators can create special service users that third-party applications use to access the compute API with administrator privileges. These users cannot log in to the admin or self-service panels. Service users are similar to system administrators with the Compute permission: they exist only within the Default domain and can view and manage all objects in the compute cluster, including compute nodes. You can assign service users to domains, thus giving them the ability to create compute objects in projects of these assigned domains (for example, to create a VM from a backup). Because a service user's credentials grant administrator-level access to the whole compute cluster, treat them like any other administrator credentials and assign only the domains the application actually needs.

Service users can view virtual machines in all existing projects by specifying the all_tenants query parameter for the GET /servers request, that is, GET /servers?all_tenants=1 (refer to the OpenStack API documentation).

To assign a service user to a domain, use the --assign-domain <domain> <roles> option for the vinfra domain user create or vinfra domain user set command. Specify the Default domain (ID default) for the --domain option and compute as the service account role. For example, to create the service user my-service-user and assign it to the mydomain and mydomain2 domains, execute:

# vinfra domain user create my-service-user --domain default --assign-domain mydomain \
compute --assign-domain mydomain2 compute
Password:
+--------------------+-----------------------------------------------+
| Field              | Value                                         |
+--------------------+-----------------------------------------------+
| assigned_domains   | - domain_id: 7e0d54797152424a9331ae904e220b88 |
|                    |   roles:                                      |
|                    |   - compute                                   |
|                    | - domain_id: 2929ff42b1e64884a05dea3011862aed |
|                    |   roles:                                      |
|                    |   - compute                                   |
| assigned_projects  | []                                            |
| description        |                                               |
| domain_id          | default                                       |
| domain_permissions | []                                            |
| email              |                                               |
| enabled            | True                                          |
| id                 | 91b185b711fb4f2b81b09a661df0dd27              |
| name               | my-service-user                               |
| role               | service_account                               |
| system_permissions | []                                            |
+--------------------+-----------------------------------------------+

To check that the created service user is successfully assigned to the two domains, use the OpenStack client. For example, if the management node IP address is 10.136.16.227, run the following command (the --insecure option disables verification of the management node's TLS certificate; outside of a test environment, pass the node's CA certificate with --os-cacert <CA_file> instead):

# openstack --insecure --os-username my-service-user --os-user-domain-name Default \
--os-auth-url=https://10.136.16.227:5000/v3 federation domain list
Password:
+----------------------------------+---------+-----------+-------------+
| ID                               | Enabled | Name      | Description |
+----------------------------------+---------+-----------+-------------+
| 2929ff42b1e64884a05dea3011862aed | True    | mydomain  |             |
| 7e0d54797152424a9331ae904e220b88 | True    | mydomain2 |             |
+----------------------------------+---------+-----------+-------------+

You can also view the list of all projects within the assigned domains by using the command openstack --insecure --os-username <username> --os-user-domain-name Default --os-auth-url=https://<MN_IP_address>:5000/v3 federation project list.
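The two API calls behind the checks above, as an added example that is not part of the vinfra documentation or the product's own code: the domain check that `openstack federation domain list` performs corresponds to GET /v3/auth/domains with the service user's token, and the all_tenants VM listing is GET /servers?all_tenants=1 against the compute endpoint from the token's service catalog. The script assumes Keystone at https://<MN_IP_address>:5000/v3, credentials passed in the OS_AUTH_URL, OS_USERNAME, OS_PASSWORD and OS_CACERT environment variables, and that the service user can take a project-scoped token on the project named in OS_PROJECT_NAME (deployment-specific; "admin" is only a placeholder). Expected domain names are given as command-line arguments. Only the Python standard library is used, and TLS verification is kept on: the CA file plays the role of --os-cacert, and there is deliberately no equivalent of --insecure.

```python
"""Check a service user's domain assignments and list VMs across all
projects through the Keystone v3 and Nova APIs. Added example; assumptions
(auth URL, env var names, OS_PROJECT_NAME scope) are not from the page."""
import json
import os
import ssl
import sys
import urllib.request


def build_password_auth(username, password, user_domain="Default",
                        project=None, project_domain="Default"):
    """Request body for POST /v3/auth/tokens (password authentication).
    Without `project` the token is unscoped, which is enough for
    GET /v3/auth/domains; Nova needs a project-scoped token."""
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": {
                                      "name": username,
                                      "domain": {"name": user_domain},
                                      "password": password}}}}}
    if project:
        body["auth"]["scope"] = {"project": {
            "name": project, "domain": {"name": project_domain}}}
    return body


def servers_url(compute_endpoint, all_tenants=True):
    """GET /servers URL; all_tenants=1 asks Nova for every project's VMs,
    which Nova only honours for a token with administrator privileges."""
    url = compute_endpoint.rstrip("/") + "/servers"
    return url + "?all_tenants=1" if all_tenants else url


def find_endpoint(catalog, service_type="compute", interface="public"):
    """Pick a service URL out of the token's service catalog."""
    for svc in catalog:
        if svc.get("type") != service_type:
            continue
        for ep in svc.get("endpoints", []):
            if ep.get("interface") == interface:
                return ep["url"]
    raise LookupError(f"no {interface} endpoint for {service_type}")


def missing_domains(listed, expected):
    """Names in `expected` absent from a GET /v3/auth/domains reply."""
    names = {d["name"] for d in listed}
    return sorted(set(expected) - names)


def _request(method, url, token=None, body=None, cafile=None):
    """Minimal JSON client; certificate verification stays enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return (resp.headers.get("X-Subject-Token"),
                json.loads(resp.read() or b"{}"))


def main():
    auth_url = os.environ["OS_AUTH_URL"].rstrip("/")   # .../v3
    user, pw = os.environ["OS_USERNAME"], os.environ["OS_PASSWORD"]
    cafile = os.environ.get("OS_CACERT")               # management node CA
    expected = sys.argv[1:]                            # e.g. mydomain mydomain2

    # 1. Unscoped token -> domains this service user is assigned to.
    token, _ = _request("POST", auth_url + "/auth/tokens",
                        body=build_password_auth(user, pw), cafile=cafile)
    _, doms = _request("GET", auth_url + "/auth/domains",
                       token=token, cafile=cafile)
    gap = missing_domains(doms["domains"], expected)
    if gap:
        sys.exit(f"service user is not assigned to: {gap}")

    # 2. Project-scoped token -> every VM in the compute cluster.
    project = os.environ.get("OS_PROJECT_NAME", "admin")  # assumed scope
    token, tok = _request("POST", auth_url + "/auth/tokens",
                          body=build_password_auth(user, pw, project=project),
                          cafile=cafile)
    compute = find_endpoint(tok["token"]["catalog"])
    _, srv = _request("GET", servers_url(compute), token=token, cafile=cafile)
    for s in srv["servers"]:
        print(s["id"], s["name"])


if __name__ == "__main__":
    main()
```

Run it as `OS_AUTH_URL=https://10.136.16.227:5000/v3 OS_USERNAME=my-service-user OS_PASSWORD=... OS_CACERT=/path/to/ca.pem python3 check_service_user.py mydomain mydomain2`; a non-zero exit names any domain that is missing from the user's assignments before any VM is listed.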

To unassign a service user from a domain, use the --unassign-domain <domain> option for the vinfra domain user set command. For example:

# vinfra domain user set my-service-user --domain default --unassign-domain mydomain
+--------------------+-----------------------------------------------+
| Field              | Value                                         |
+--------------------+-----------------------------------------------+
| assigned_domains   | - domain_id: 7e0d54797152424a9331ae904e220b88 |
|                    |   roles:                                      |
|                    |   - compute                                   |
| assigned_projects  | []                                            |
| description        |                                               |
| domain_id          | default                                       |
| domain_permissions | []                                            |
| email              |                                               |
| enabled            | True                                          |
| id                 | 91b185b711fb4f2b81b09a661df0dd27              |
| name               | my-service-user                               |
| role               | service_account                               |
| system_permissions | []                                            |
+--------------------+-----------------------------------------------+