OpenStack Role Assignment Inheritance for CloudForms

Operators expect to use CloudForms to perform administrative tasks. For this reason, the documentation for OpenStack states that the Keystone user must have an admin role. We found at least one case, however, where this was not sufficient. Fortunately, we have a better approach, and one that can lead to success in a wider array of deployments.


CloudForms uses the role assignments for the give user account to enumerate the set of projects. Internally it creates a representation of these projects to be used to track resources. However, The way that ‘admin’ is defined on OpenStack is tied to a single project. This means that CloudForms really has no way to ask “what projects can this user manage?” Now, while admin anywhere is admin everywhere so you would not think that you need to enumeration projects, but it turns out that some of the more complex operations, such as mounting a volume, has to cross service boundaries, and need the project abstraction to link the sets of operations. CloudForms design did not see this disconnect, and so some of those operations fail.

Lets assume, for the moment, that a user had to have a role on project in order to perform operations on that project. The current admin-everywhere approach would break. What CloudForms would require is an automated way to give a user a role on a project as soon as that project was created. It turns out that CloudForms is not the only thing that has this requirement.

Role Assignment Inheritance

Keystone projects do not have to be organized as a flat collection. They can be nested into a tree form. This is called “Hierarchical Multitenancy.” Added to that, a role can be assigned to a user or group on parent project and that role assignment is inherited down the tree. This is called “Role Assignment Inheritance.”

This presentation, while old, does a great job of putting the details together.

You don’t need to do anything different in your project setup to take advantage of this mechanism. Here’s something that is subtle: a Domain IS A project. Every project is already in a domain, and thus has a parent project. Thus, you can assign a user a role on the domain-as-a-project, and they will have that role on every project inside that domain.

Sample Code

Here is in command line form.

openstack role add --user CloudAdmin --user-domain Default --project Default --project-domain Default --inherited admin

Lets take those arguments step by step.

--user CloudAdmin  --user-domain Default

This is the user that CloudForms is using to connect to Keystone and OpenStack. Every user is owned by a domain, and this user is owned by the Default” domain.

--project Default --project-domain Default

This is blackest of magic. The Default domain IS-A project. So it owns itself.


A role assignment is either on a project OR on all its subprojects. So, the user does not actually have a role that is usable against the Default DOMAIN-AS-A-PROJECT, but only on all odf the subordinate projects. This might seem strange, but it was built this way for exactly this reason: being able to distinguish between levels of a hierarchy.


This is the role name.


With this role assignment, the CloudForms Management Engine instance can perform all operations on all projects within the default domain. If you add another domain to manage a separate set of projects, you would need to perform this same role assignment on the new domain as well.

I assume this is going to leave people with a lot of questions. Please leave comments, and I will try to update this with any major concepts that people want made lucid.

4 thoughts on “OpenStack Role Assignment Inheritance for CloudForms

  1. I think this same trick is applicable for other management and monitoring tools (where typically a special role is created.) I’ve forwarded this to a number of other folks. Is there a minimum version of keystone required for this to “just work”?

  2. I should hope so! This is not a trick, but rather it is a lesser known feature of OpenStack that is not widely used. Role Assignment Inheritance was designed for just these kinds of use cases.

  3. Thanks Adam .. works well – exactly what we needed for CloudForms.

    One tip for anyone else reading this, I needed to use the domain ID for the project parameter. It did not recognise the domain name as a project.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.