Managing Identity

Metacloud Identity, code-named Keystone, is the default Identity management system for Metacloud.

When your cloud was built, you chose whether to integrate with LDAP (Lightweight Directory Access Protocol). Because Identity works through an API endpoint, all the commands are the same even if your cloud was configured with LDAP. Metacloud also integrates with Active Directory (AD).

If your users are LDAP users, they use the ‘Register Here’ link on the login screen to link their LDAP account to the Metacloud Identity system. Once that link is complete, subsequent logins work from the Dashboard login screen.

If your endpoints are using the Identity v2.0 API, you should use the “default” domain assignment for all users. All Metacloud installations prior to version 4.0 use the Identity v2.0 API. You can change the default domain by opening a request through Metacloud support.

Using Environment Variables for Identity

If you are using an openrc file downloaded from the Dashboard, you may need to add variables to your environment before you can use the Identity v3 API.

The Identity v2.0 API endpoints end in /v2.0 (not v2) while endpoints for Identity v3 API end in /v3.

The following is an example set of credentials for the Identity v3 API using port 35357 (the user-facing endpoint uses port 5000).

export OS_PROJECT_DOMAIN_ID=8865...2bbc2
export OS_USER_DOMAIN_ID=8865...2bbc2
export OS_TENANT_NAME="tenant-is-default"
export OS_AUTH_URL="https://<API-AZ.METACLOUD.NET>:35357/v3"
export OS_USERNAME="is-the-openstackadmin"

Administrating Identity Management

You can use either the Dashboard or openstack CLI tool to add users. Refer to Managing Users and Roles in the Dashboard and Managing Projects, Users, and Roles with the CLI for detailed information.

You assign an access level to users when you add them to projects. If you make a user an administrator of any project, that user has administrator rights to all projects as well as the ability to add users to the system; any user with administrator rights is effectively a global administrator. Users added to a project as members, by contrast, do not have administrator privileges.

When you log in as an administrator, you must set the domain context any time you make changes to a user. To set the domain context, go to Admin, Domain, and choose the domain you want to work within.

If you get an HTTP 401 error (The request you have made requires authentication) for CLI commands, make sure you are using admin credentials and that you have indicated the domain context for the command using either the --domain or --user-domain parameter. When using the Identity v3 API on Metacloud 4.0 and later versions, you must indicate the domain context for the user.
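Because the two most common causes of the 401 described above are a v3 endpoint without domain scoping and a mistyped version suffix, a quick check of the openrc environment before running any openstack command saves a round trip to the API. The following shell function is an added example, not part of the Metacloud documentation; it inspects only the standard OS_* variables shown earlier on this page (plus their *_NAME and OS_PROJECT_NAME equivalents) and reports a non-zero status when a likely misconfiguration is found.

```shell
#!/bin/sh
# check_identity_env: lint an openrc environment for the Identity API.
# Returns 0 when the variables are consistent with the endpoint version,
# 1 when a likely cause of an HTTP 401 is found. Messages go to stderr.
check_identity_env() {
  url="${OS_AUTH_URL:-}"
  errors=0

  case "$url" in
    */v3|*/v3/)
      # v3 is domain-scoped: both the user and the project need a domain
      # (either the ID or the NAME form of the variable is accepted).
      if [ -z "${OS_USER_DOMAIN_ID:-}" ] && [ -z "${OS_USER_DOMAIN_NAME:-}" ]; then
        echo "v3 endpoint but OS_USER_DOMAIN_ID/OS_USER_DOMAIN_NAME not set" >&2
        errors=$((errors + 1))
      fi
      if [ -z "${OS_PROJECT_DOMAIN_ID:-}" ] && [ -z "${OS_PROJECT_DOMAIN_NAME:-}" ]; then
        echo "v3 endpoint but OS_PROJECT_DOMAIN_ID/OS_PROJECT_DOMAIN_NAME not set" >&2
        errors=$((errors + 1))
      fi
      ;;
    */v2.0|*/v2.0/)
      # v2.0 has no domains; domain variables, if present, are simply ignored.
      ;;
    */v2|*/v2/)
      echo "OS_AUTH_URL ends in /v2; the Identity v2.0 endpoint ends in /v2.0" >&2
      errors=$((errors + 1))
      ;;
    "")
      echo "OS_AUTH_URL is not set" >&2
      errors=$((errors + 1))
      ;;
    *)
      echo "OS_AUTH_URL has no recognised version suffix (/v2.0 or /v3): $url" >&2
      errors=$((errors + 1))
      ;;
  esac

  # Both API versions need a user and a project (tenant) to scope the token.
  if [ -z "${OS_USERNAME:-}" ]; then
    echo "OS_USERNAME is not set" >&2
    errors=$((errors + 1))
  fi
  if [ -z "${OS_PROJECT_NAME:-}" ] && [ -z "${OS_TENANT_NAME:-}" ]; then
    echo "neither OS_PROJECT_NAME nor OS_TENANT_NAME is set" >&2
    errors=$((errors + 1))
  fi

  [ "$errors" -eq 0 ]
}
```

Source the openrc file first (`. ./openrc`), then run `check_identity_env && openstack user list --domain <domain>`; the command only runs when the environment passes the check.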

In an LDAP-configured environment, users may not be able to log in if they do not yet have a default project. Have the user attempt to log in to the Dashboard: the login will not succeed immediately, but the attempt should add the user to the user list for the domain. From that point, an administrator can assign the user to a project, after which the user can log in.