Keystone Account Roles

In StarlingX, 3 different keystone roles are supported: admin, member and reader.

Users with an admin role in the admin project can execute any action in the system.

Users with a reader role in the admin project have read-only access. They cannot perform any changes in the system but can read any configuration. In the CLI, commands with prefix or suffix, such as, list, query, show and summary get the configuration from the system, and are allowed for this type of user, all other commands are denied. Some examples of CLI commands executed by a user with reader role are shown below.

~(keystone_admin)]$ system host-list

| id  | hostname     | personality | administrative | operational | availability |
| 1   | controller-0 | controller  | unlocked       | enabled     | degraded     |
~(keystone_admin)]$ system host-lock controller-0

Error: Forbidden
~(keystone_admin)]$ fm alarm-summary

| Critical Alarms | Major Alarms | Minor Alarms | Warnings |
| 1               | 13           | 0            | 0        |
~(keystone_admin)]$ fm event-suppress --alarm_id 100.103

Error: Forbidden.

Exception: all fm read-only commands require reader role but there is no project verification, so a user in a project different from admin may execute them. Examples: alarm-list, alarm-show, alarm-summary, event-list, event-show and event-suppress-list.

Currently, the member role is equivalent to reader role, but this may change in the future, allowing a user with member role to execute some actions that change the system configuration.

The following sections describe how to create users with specific keystone roles in StarlingX.

Creation of user with specific role for Horizon only

Use the following commands to add a new user named readeruser with password “Passw0rd*” and role reader:

~(keystone_admin)]$ openstack user create readeruser --project admin --password Passw0rd*
~(keystone_admin)]$ openstack role add --project admin --user readeruser reader

To create a user with admin role instead of reader role, change reader to admin using the openstack role add command.

When this user is added in the central cloud, it is propagated to the managed subclouds. To check if this new user is already present in a host, use the openstack user list command.

Creation of user with specific role for Horizon and CLI

Follow the instructions in Manage Composite Local LDAP Accounts at Scale using the parameter user_role=reader in extra-vars of manage_local_ldap_account.yml playbook to create a user with reader role. To create a user with admin role, use user_role=admin instead.


Users with reader role do not have sudo capabilities, use sudo_permission=false when the users role is user_role=reader.