This section explains how to configure OpenStack using the NSX Advanced Load Balancer cloud connector.

Importing User Accounts from Keystone

Using the NSX Advanced Load Balancer REST API, you can export user roles from Keystone into the Controller and map them directly to role names in the Controller. You need not recreate the accounts on the Controller. For instance,

"openstack_configuration":
{
    ....
    "role_mapping": [
       {"os_role": "admin",
        "avi_role": "Tenant-Admin"},
       {"os_role": "_member_",
        "avi_role": "Tenant-Admin"},
       {"os_role": "*",
        "avi_role": "Application-Operator"}
    ],
    ....
}

The role_mapping parameter is an ordered list, where each item specifies how a Keystone role (os_role) maps to a role in the Controller (avi_role). You can define a default mapping for any Keystone role by specifying the "*" wildcard for the os_role field. In the above example, the Keystone roles admin and _member_ are mapped to the Tenant-Admin role in the Controller. Any other Keystone role is mapped to the Application-Operator role in the Controller.

In the following example, only the users with role lbaas_project_admin are allowed to access the Controller:

"openstack_configuration":
{
    ....
    "role_mapping": [
       {"os_role": "lbaas_project_admin",
        "avi_role": "Tenant-Admin"}
    ],
    ....
}
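The following added example (not part of the product documentation or the product's own code) reviews the two role_mapping lists above before they are applied: it resolves which avi_role a Keystone user would receive and reports wildcard grants. It assumes that entries are evaluated in list order and that the first match wins; the function names and the sample role "reader" are constructed for illustration.

```python
import json

# The two role_mapping lists from the examples above (other fields omitted).
OPEN_MAPPING = json.loads("""[
  {"os_role": "admin", "avi_role": "Tenant-Admin"},
  {"os_role": "_member_", "avi_role": "Tenant-Admin"},
  {"os_role": "*", "avi_role": "Application-Operator"}
]""")
RESTRICTED_MAPPING = json.loads("""[
  {"os_role": "lbaas_project_admin", "avi_role": "Tenant-Admin"}
]""")


def resolve(role_mapping, keystone_roles):
    """Return the avi_role for a user holding keystone_roles, or None.

    Assumption: entries are evaluated in list order and the first entry
    whose os_role matches (or is "*") wins.
    """
    for entry in role_mapping:
        if entry["os_role"] == "*" or entry["os_role"] in keystone_roles:
            return entry["avi_role"]
    return None  # no entry matched: the user gets no Controller role


def audit(role_mapping):
    """List findings to review before the mapping is applied."""
    findings = []
    wildcard_at = None
    for i, entry in enumerate(role_mapping):
        if wildcard_at is not None:
            # Under the first-match assumption, nothing after "*" is reached.
            findings.append(f"entry {i} ({entry['os_role']}) follows '*' and never matches")
        elif entry["os_role"] == "*":
            wildcard_at = i
            findings.append(f"entry {i}: '*' grants {entry['avi_role']} to every Keystone role")
    if wildcard_at is None:
        findings.append("no '*' entry: only listed Keystone roles get access")
    return findings


if __name__ == "__main__":
    for name, mapping in (("open", OPEN_MAPPING), ("restricted", RESTRICTED_MAPPING)):
        print(name, audit(mapping))
        for roles in (["admin"], ["_member_"], ["reader"]):  # constructed sample users
            print("  ", roles, "->", resolve(mapping, roles))
```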

Metadata instead of config_drive for NSX Advanced Load Balancer SEs

In some OpenStack environments, config_drive support is either absent or not installed properly. Also, under certain conditions, you may not want NSX Advanced Load Balancer SEs to use config_drive, because a VM configured with config_drive can prevent SE migration.

The NSX Advanced Load Balancer OpenStack configuration provides an option to use metadata instead of config_drive for SE VMs. You enable the use of metadata by deactivating config_drive.

The following is the CLI command to deactivate config_drive:

 : > configure cloud Default-Cloud
 : cloud> openstack_configuration
 : cloud:openstack_configuration> no config_drive
 : cloud:openstack_configuration> save
 : cloud> save