
Working With OpenStack4j Identity Service (Keystone) V2


If you love Java and OpenStack, then you should take a look at OpenStack4j. This post deals with integrating it into your deployment and the common commands to keep in mind.


OpenStack4j is an open source library that helps you manage OpenStack deployments. It offers a fluent API, giving you full control over the various OpenStack services.

We'll grab the latest release of OpenStack4j from the central Maven repository. Starting with version 3.0.0, OpenStack4j lets you choose the underlying connection framework. By default, the APIs are configured to use the Jersey 2 connector. See the optional configuration scenarios below:

Default Setup (Using Jersey2 as the Connector Choice)


With Dependencies (All in One JAR)


Using a Connector of Your Choice

  • Declare the OpenStack4j core dependency in your POM.


  • Declare a connector

    <artifactId>[ connector artifactId ]</artifactId>

Valid artifactIds are: openstack4j-jersey2, openstack4j-jersey2-jdk16 [OS4J 2.0.X Only], openstack4j-resteasy, openstack4j-okhttp, and openstack4j-httpclient.

Identity Service V2

The Identity (Keystone) V2 service provides the central directory of users, tenants, service endpoints, and authorization. This API is responsible for authenticating and providing access to all the other OpenStack services. The API also enables administrators to configure centralized access policies, users, and tenants.

Version 2 Authentication

import org.openstack4j.api.OSClient.OSClientV2;
import org.openstack4j.openstack.OSFactory;

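// Endpoint, user and tenant are placeholders; the password is read from the environment
OSClientV2 os = OSFactory.builderV2()
                .endpoint("https://keystone.example.com:5000/v2.0")
                .credentials("admin", System.getenv("OS_PASSWORD"))
                .tenantName("admin")
                .authenticate();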


OpenStack4j can switch from one region to another within the same client. If you have a regional deployment (for example, West and East coast) and would like to target certain calls to a specific region, see the sample below:

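// Switch to East Coast (region names are deployment-specific placeholders)
os.useRegion("East");
List<? extends Server> eastServers = os.compute().servers().list();

// Switch to West Coast
os.useRegion("West");
List<? extends Server> westServers = os.compute().servers().list();

// Switch to Default - No region specified
os.removeRegion();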


In OpenStack user interfaces and documentation, a group of users is referred to as a project or tenant. Users must be associated with at least one tenant and can belong to many.

Creating Tenants

This example will create a new tenant called ABC Corp. Once created, the tenant could then be assigned to users who have access to the resources within this tenant.

Tenant tenant = os.identity().tenants()
                  .create(Builders.identityV2().tenant()
                                .name("ABC Corp")
                                .description("ABC Corporation Tenant")
                                .build());

Querying for Tenants

The examples below are ways to find tenants.

Find all Tenants

List<? extends Tenant> tenants = os.identity().tenants().list();

Find a specific Tenant

// Find by ID
Tenant tenant = os.identity().tenants().get("tenantId");
// Find by Name
tenant = os.identity().tenants().getByName("ABC Corp");

Updating a Tenant

This example will change the name of ABC Corp to ABC Corporation by looking up the tenant and updating it. The example also shows the fluent nature of the API and how easily you can go to and from a mutable state via builder:

Tenant tenant = os.identity().tenants().get("tenantId");
if (tenant != null)
  tenant = os.identity().tenants().update(tenant.builder().name("ABC Corporation").build());

Deleting a Tenant

This example will delete the ABC Corporation tenant we have been working with:


User and Role Management

Users and roles are closely associated with one another, which is why we’ve covered them in one section.

Create a Tenant and User and Associate a Role

This example covers the most common use case in user management. We will create a new tenant and user, then associate the user with a role. Because it is the first tenant assigned to the user, the tenant automatically becomes the user's default tenant, as per OpenStack's documentation. OpenStack ships with two roles (member and admin). In this example, we will assign the member role, which is a non-superuser role.

// Create the Tenant
Tenant abcTenant = os.identity().tenants().create(Builders.identityV2().tenant().name("ABC Corporation").build());

// Create a User associated to the ABC Corporation tenant
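// The name, password and email below are placeholders
User john = os.identity().users()
              .create(Builders.identityV2().user()
                                .name("jdoe")
                                .password("<initial-password>")
                                .email("jdoe@abccorp.com")
                                .tenant(abcTenant)
                                .build());

// Associate the Member role with John Doe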
Role memberRole = os.identity().roles().getByName("Member");
os.identity().roles().addUserRole(abcTenant.getId(), john.getId(), memberRole.getId());

Querying for Users and Roles

Below are common examples of locating users and roles:

// Find all Users
List<? extends User> allUsers = os.identity().users().list();

// Find all Users for a Tenant
List<? extends User> tenantUsers = os.identity().users().listTenantUsers("tenantId");

// List a User's Global Roles
List<? extends Role> userGlobalRoles = os.identity().users().listRoles("userId");

// List User Roles on a Tenant
List<? extends Role> userTenantRoles = os.identity().users().listRolesOnTenant("userId", "tenantId");

// Find all Global Roles
List<? extends Role> allRoles = os.identity().roles().list();

// Get a User by ID
User user = os.identity().users().get("userId");

// Get a Role by ID
Role roleById = os.identity().roles().get("roleId");

// Get a Role by Name
Role roleByName = os.identity().roles().getByName("Member");

Update a User

The example below shows how to update a user:

// Lookup an existing User
User jdoe = os.identity().users().get("userId");

// Change the user John's email address
jdoe = os.identity().users().update(jdoe.builder().email("newemail@abccorp.com").build());

Toggle Enabled State

// Disable John Doe from having access
User jdoe = os.identity().users().enableUser("userId", false);

Change a User Password

// You must be authenticated with administrative rights to do this operation
os.identity().users().changePassword("userId", "newPassword");

Delete a User or Role

The examples below show how to delete a user and a role:

// Delete a Role

// Delete a User

The above examples should help you understand the basic management of users and roles. There are many other API operations that have not been listed in this guide. 

Services and Endpoints

Services and endpoints are typically not used a lot unless you are in charge of the deployment. Most plugins will automatically associate the service and endpoint information when installed. We cover this in the API of OpenStack4j to be current with all major Identity operations.

Below are various examples of service and endpoint management:

// Let's cut down our method chaining and pre-assign the ServiceManagerService API
ServiceManagerService sm = os.identity().services();

// List Services
List<? extends Service> services = sm.list();

// List Endpoints
List<? extends ServiceEndpoint> ep = sm.listEndpoints();

// Create a Service and Endpoint
Service service = sm.create("Name", "Type", "Description");
ServiceEndpoint sep = sm.createEndpoint("region", service.getId(), "pubURL", "admURL", "intURL");

// Get a Service by ID
Service existing = sm.get("serviceId");

// Delete a Service

// Delete an Endpoint


Extensions are add-ons to the core OpenStack deployment. Sometimes, it is important to determine whether the deployment has an enhanced feature set available. To get a list of installed extensions, see the example below:

List<? extends Extension> extensions = os.identity().listExtensions();

Token Endpoints

Token endpoints are the endpoints that the current token is authorized to access through the Identity service. For example, Compute (Nova) is an endpoint. The example below will return a list of all the authorized endpoints for the current authorized user:

List<? extends Endpoint> endpoints = os.identity().listTokenEndpoints();


Published at DZone with permission of

Opinions expressed by DZone contributors are their own.
