Creating domains, configuring roles and more

Keystone – An OpenStack Identity Service tutorial

Richard Gall

Through this OpenStack Cloud Computing book extract, Kevin Jackson, Cody Bunch, Egle Sigler, and James Denton will help you understand the OpenStack Identity service known as Keystone.

Keystone provides services for authenticating and managing user accounts and role information for our OpenStack cloud environment.

In this article, we will cover the following topics:

  • Creating domains
  • Enabling domains in the OpenStack dashboard
  • Configuring roles in Keystone
  • Deleting roles
  • Deleting domains

Creating OpenStack domains in Keystone

To create a domain in our OpenStack environment, perform the following step:

1. We start by creating a domain called bookstore as follows:

openstack domain create --description "Book domain" bookstore

The command prints a table with the new domain's description, enabled flag, ID and name; a domain is enabled as soon as it is created.

Enabling domains in the OpenStack dashboard

To enable multi-domain support in the OpenStack dashboard, we will update one Horizon setting, OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT, using the openstack-ansible deployment tool, which exposes it as the horizon_keystone_multidomain_support variable. First, connect to your openstack-ansible deployment host. Once connected, execute the following steps:

1. Edit the /etc/openstack_deploy/user_variables.yml file to add the following line:

horizon_keystone_multidomain_support: True

2. Deploy Horizon with the openstack-ansible command:

openstack-ansible \

The openstack-ansible command produces a lot of output. For brevity, its output has been omitted.

3. Launch the OpenStack dashboard and verify that the login screen now shows a Domain field. From now on users log in with the name of their domain in addition to their username and password.

Configuring roles in Keystone

To create the required roles in our OpenStack environment, perform the following steps:

1. Create a domain-specific cloud_admin role in the bookstore domain:

openstack role create --domain bookstore cloud_admin

The name alone grants nothing: what a role lets its holders do is decided by the policy rules of each OpenStack service, so a role called cloud_admin is only as powerful as the policy rules that reference it.

2. To configure the user role for the default domain, execute the following command:

openstack role create user

This command created a new role called user. Since we did not specify a domain, it is a global role, one with no domain at all, rather than a role belonging to the default domain; a global role can be assigned to users and groups in any domain.

3. View roles associated with the bookstore domain:

openstack role list --domain bookstore

4. List the global roles, which is what openstack role list shows when no domain is given:

openstack role list

Deleting roles

In order to delete a role, execute the following commands:

1. Get the role’s name from a current role list:

openstack role list

2. Delete the oldrole role:

openstack role delete oldrole

This command will have no output. Deleting a role also removes every assignment of that role, so make sure no user or group still relies on it before you delete it.

Deleting domains

In order to delete a domain, execute the following commands:

1. Get the domain’s name from a current domain list:

2. Verify that there are no users associated with the olddomain domain that we will be deleting:

openstack user list --domain olddomain

This list should be empty before proceeding. If it is not, delete all the users before proceeding to the next step. Deleting a domain removes everything inside it, not only users, so check the domain's groups and projects in the same way and empty them as well.

3. Disable the domain. Keystone refuses to delete a domain that is still enabled, which protects a live domain from being deleted by mistake:

openstack domain set --disable olddomain

This command will have no output.

4. Delete domain:

openstack domain delete olddomain

If successful, this command will have no output.
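The following script is an added example, not code from the cookbook or from the OpenStack project: it wraps the role-creation steps above and the disable-then-delete domain procedure in shell functions that are safe to re-run. ensure_role creates a role only if it is missing and keeps the distinction between a domain-specific role (second argument given) and a global one; domain_safe_to_delete refuses unless the domain is already disabled and contains no users, groups or projects, and treats a failed client call as a reason to refuse rather than as an empty list, so a lost session or a missing role cannot turn into an accidental cascade delete. The OSC variable, the function names and the olddomain/bookstore examples are assumptions made for this example; only the openstack subcommands and options are real.

```bash
#!/usr/bin/env bash
# Added example (not from the book): idempotent, fail-closed wrappers around the
# openstack CLI steps on this page. OSC is the client to call; it defaults to the
# real "openstack" binary and can be pointed at a test double.
set -eu

OSC="${OSC:-openstack}"

# Create a role only if it does not exist yet. With a second argument the role is
# domain-specific (openstack role create --domain ...); without it the role is
# global, i.e. it has no domain at all, which is what "openstack role create user"
# produces.
ensure_role() {
    local role="$1" domain="${2:-}"
    if [ -n "$domain" ]; then
        "$OSC" role show --domain "$domain" "$role" >/dev/null 2>&1 ||
            "$OSC" role create --domain "$domain" "$role" >/dev/null
    else
        "$OSC" role show "$role" >/dev/null 2>&1 ||
            "$OSC" role create "$role" >/dev/null
    fi
}

# Number of users, groups or projects still inside a domain. A client error is
# not treated as "zero": the function returns 2 and the caller must refuse.
count_in_domain() {
    local kind="$1" domain="$2" out
    out=$("$OSC" "$kind" list --domain "$domain" -f value -c ID) || return 2
    printf '%s\n' "$out" | grep -c . || true
}

# Succeeds only when the domain is already disabled and holds no users, groups
# or projects. Every reason for refusal is reported on stderr.
domain_safe_to_delete() {
    local domain="$1" ok=0 kind n enabled
    for kind in user group project; do
        n=$(count_in_domain "$kind" "$domain") ||
            { echo "error: cannot list ${kind}s in domain $domain" >&2; return 2; }
        if [ "$n" -ne 0 ]; then
            echo "refusing: $n ${kind}(s) still in domain $domain" >&2
            ok=1
        fi
    done
    enabled=$("$OSC" domain show "$domain" -f value -c enabled) || return 2
    if [ "$enabled" != "False" ]; then
        echo "refusing: domain $domain is still enabled (run: openstack domain set --disable $domain)" >&2
        ok=1
    fi
    return "$ok"
}

# Delete the domain, but only after the pre-flight check passes.
delete_domain_safely() {
    local domain="$1"
    domain_safe_to_delete "$domain" || return 1
    "$OSC" domain delete "$domain"
}
```

Source the file and call, for example, `ensure_role cloud_admin bookstore` or `delete_domain_safely olddomain`; the check deliberately does not disable the domain for you, because disabling is the one step that should stay a conscious, separate action.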


In this article, we learned the concepts of domains and roles in Keystone. A Keystone domain is a high-level OpenStack Identity resource that contains projects, users, and groups. A project holds resources such as images, instances and networks that are visible only to that project unless explicitly shared with others, and users get access to a project through the roles assigned to them on it.

This tutorial is a recipe excerpt from "OpenStack Cloud Computing Cookbook – Fourth Edition" by Packt.

Richard Gall
Richard Gall is Communications Manager at Packt, utilising his background in writing and publishing to help Packt in their mission to help the world put software to work in new ways. Packt, one of the biggest tech publishers in the world, deliver effective learning and information services to IT professionals.
