Managing tenants and users of multiple Openstack instances


We are contemplating the use of ManageIQ as the CMP managing several Openstack clusters installed in different locations.
Question: is it possible to declare and manage openstack users and tenants in ManageIQ once, and have them propagated over all Openstack instances?
Thank you for your help.


Not out of the box
Tenants and Users in ManageIQ are only for ManageIQ internal RBAC (role based access control) and have nothing to do with Tenants and Users in Openstack

However ManageIQ has a pretty good Automation engine, that would allow you to script it yourself pretty easily

Thank you buc,

Nice to have your answer this morning.

First I have to correct my OpenStack/Keystone language :slightly_smiling_face:
By Tenant I meant Domain and not “Project”

So let’s start having only one Openstack. I can connect keystone where I declare 2 Domains, and 10 different users in each Domain. I assign _admin role to one and _user to 9 others in each Domain.

Then I declare in my ManageIQ this single OpenStack as my Cloud Provider.
Finally I create a new service catalog, and a new service item pointing my single Openstack.

  • But my users are sitting in my keystone and are not the same that the ones accessing ManageIQ, how the “order” of a service item could work if the user is not defined from one end to the other with consistent access rights?

… As I reach saturation, now let’s extend the capacity of my Cloud. In a remote datacenter I create a new Openstack cluster. I have then to “clone” all (almost all) I have in the first cluster, at least Domains, User groups, users, etc. and go back to ManageIQ and declare a new Provider.

  • But now I have two keystones that shall be synchronized upstream and downstream, how to deal with consistency if ManageIQ doesn’t hold the master user reference?

Growing over time with 10s and 10s of clusters, I do not want the “user” having any visibility on my technical setup and be asked to chose where to place the VM. I want my CMS to place automatically the requested VM in a placement zone somewhere based on a predefined policy (role, Domain, geography, resources occupation balance, traffic, latency, affinity, etc.)

  • Again if my user definitions and roles are sitting in each keystone, how the policy engine could sort out where to place the user’s workload?

I suppose that I have solve these questions outside ManageIQ with a kind of master KeyCloak…

Looking forward to having your insight


I am not that familiar with Openstack, anyway

Maybe a little bit of background: ManageIQ is designed to be an abstraction over Public Clouds, Openstack and traditional Infrastructure Virtualization like VMware and RHEV (and some additional stuff). As such ManageIQ maintains its own database with all the information of all the different providers in a common schema.

Providers in ManageIQ are responsible to

  1. Read out all provider resources and store them in the ManageIQ database
  2. Translate common commands to the providers specific API calls
  3. Listen for Events happening in the provider and forward them to ManageIQ

Do do this ManageIQ connects to the provider with an administrator account and will use the same account for all actions, independent of which user triggered the action in ManageIQ

ManageIQ has it’s own access control system. ManageIQ queries the provider data with an administrator account and stores everything in its own database. Access control is implemented on whatever is in the database, completely independent from the providers access control (ManageIQ will even keep database records of stuff that is deleted from the provider)


  • ManageIQ cannot authenticate users based on their Keystone credentials (at least not without some configuration, it is probably possible to set up)
    ManageIQ typically uses its internal database, LDAP or HTTPD external Auth to authenticate users
  • ManageIQ will use its provider credentials to perform actions in Openstack, independent of which user triggered it. There is no federated authentication happening under the hood
  • Do you need to synchronize users, if you aren’t using user federation?
  • ManageIQ has a pretty robust Automation Engine, if you need to synchronize users you can basically script it yourself in ManageIQ using the information in the ManageIQ database
  • ManageIQ has a database with all the information from all the providers. For Cloud Providers it has the concept of Cloud-Tenants I am not sure if they are detailed enough for your use case

I think if you can live without federated users, it would be easier to implement your use case.

Regarding the whole placement question, I would

  • Create a Generic Service Catalog and let the users select a named placement zone, e.g. “my_awsome_placement_one”
  • At some point ManageIQ will drop you into Automation Engine (i.e. some ruby code of your choice) with access to the ManageIQ database and the information which user requested the VM Provisioning
  • Given the Username and the information from the ManageIQ database you should be able to figure out which Openstack Cluster you want the VM to land in
  • Start a Sub-Workflow in the background doing the actual work and just wait in the main Workflow until that is finished