...
```
$ openstack user show eigilo --domain=NTNU
+-----------+------------------------------------------------------------------+
| Field     | Value                                                            |
+-----------+------------------------------------------------------------------+
| domain_id | cb782810849b4ce8bce7f078cc193b19                                 |
| email     | eigil.obrestad@ntnu.no                                           |
| enabled   | True                                                             |
| id        | 1790de92c726dc409c223dcfed7fe2c67d792f3cf8e7f46118e5c2bfd63faff3 |
| name      | eigilo                                                           |
+-----------+------------------------------------------------------------------+
$ openstack role assignment list --user 1790de92c726dc409c223dcfed7fe2c67d792f3cf8e7f46118e5c2bfd63faff3 --names
+------------------+-------------+-------+---------------+--------+-----------+
| Role             | User        | Group | Project       | Domain | Inherited |
+------------------+-------------+-------+---------------+--------+-----------+
| admin            | eigilo@NTNU |       | admin@Default |        | False     |
| _member_         | eigilo@NTNU |       | eigil@Default |        | False     |
| heat_stack_owner | eigilo@NTNU |       | eigil@Default |        | False     |
+------------------+-------------+-------+---------------+--------+-----------+
```
Assigning NTNU users to a project
When a user should be removed from a project, both their _member_ role and their heat_stack_owner role should be removed:

```
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU _member_
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU heat_stack_owner
```
Project administration
Naming scheme:
...
Naming scheme | Example | Purpose |
---|---|---|
<Course-code>_<Term>_<GroupName> | IMT3441_V17_Group1 | Projects related to a specific course. |
<Department>_<DescriptiveName> | AIMTIIK_AssuranceTestingLab | Projects related to a specific project that is not course-specific. |
UPRIV_<username> | UPRIV_eigilo | Single-user private project, not associated with any real courses or projects. |
Any projects not following this naming scheme might be deleted without warning. Projects created before December 2016 will be renamed instead of deleted.
Creating a project
The following creates a project for the course IMT3005 and adds a student with the NTNU username pikachu, with permission to create Heat stacks:
...
```
$ openstack role assignment list --project <projectname> --names
```
Deleting a project:
When a project is about to be removed, all users should be removed, and all resources should be deleted before the project is deleted. This is a suggested list of actions:
- Remove all users but your own from the project
- Delete all heat stacks
- Delete all virtual machines
- Delete all ports
- Delete all routers
- Delete all subnets
- Delete all networks
- Delete all security groups
- Delete all floating IPs
- Remove your user from the project
- Delete the project
As of Mitaka, OpenStack still does not clean up properly when a project is removed, hence the extensive checklist.
Service users, or temporary guest users
In some special cases it is necessary to create users that are not part of the NTNU LDAP catalog. There are currently two such cases:
- Some courses want to automate tasks that access the OpenStack APIs unattended, and it is undesirable to hard-code a student's username and password in such scripts. In these cases an OpenStack-specific service user can be created.
- When a temporary user needs OpenStack access and it is undesirable to create an NTNU user for them, we can create a local user for them to use.
Everyone who has a personal NTNU user should, however, use that user for all manual access to the OpenStack platform. A service user should only be used for unattended tasks targeting the APIs.
Create service user:
A service user should only belong to a single project, and it can be created like so:
```
$ openstack user create --domain default --password-prompt --email <a-relevant-email@address.no> --description "<A Description of this users purpose>" <project-name>_service
$ openstack role add --project <project-name> --user <project-name>_service _member_
```
Delete service user:
Deleting a service user reverses these steps:

```
$ openstack role remove --project <project-name> --user <project-name>_service _member_
$ openstack user delete --domain default <project-name>_service
```
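A check for the single-project rule above, as an added example that is not part of the original page: it reads role assignments as CSV and reports any `<project-name>_service` user that holds a role outside its own project. It assumes the input comes from `openstack role assignment list --names -f csv -c Role -c User -c Project` with every field quoted; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit service users against the "single project" rule.
# Assumed input: quoted CSV with the columns Role, User, Project, e.g. from
#   openstack role assignment list --names -f csv -c Role -c User -c Project

audit_service_users() {
    awk -F'","' '
    NR == 1 { next }                      # skip the CSV header row
    {
        sub(/\r$/, "")                    # tolerate CRLF line endings
        gsub(/^"|"$/, "")                 # strip the outer quotes; fields re-split
        role = $1; user = $2; project = $3
        sub(/@.*/, "", user)              # drop the @Domain suffix from --names
        sub(/@.*/, "", project)
        if (user !~ /_service$/) next     # only service users are audited
        # A service user is named <project-name>_service, so the project it
        # may hold roles on is its own name without the suffix.
        expected = substr(user, 1, length(user) - length("_service"))
        if (project != expected)
            printf "VIOLATION %s has role %s on %s (expected only %s)\n",
                   user, role, (project == "" ? "<no project>" : project), expected
    }'
}

# Constructed sample rows, not output from a real deployment.
sample_assignments() {
    cat <<'EOF'
"Role","User","Project"
"_member_","IMT3441_V17_Group1_service@Default","IMT3441_V17_Group1@Default"
"_member_","AIMTIIK_AssuranceTestingLab_service@Default","AIMTIIK_AssuranceTestingLab@Default"
"_member_","AIMTIIK_AssuranceTestingLab_service@Default","IMT3441_V17_Group1@Default"
"admin","UPRIV_pikachu_service@Default","admin@Default"
"_member_","eigilo@NTNU","eigil@Default"
EOF
}

# Stand-alone run: audit the sample rows (prints two violations).
sample_assignments | audit_service_users
```

To audit a live deployment, pipe the `openstack` command from the lead-in into `audit_service_users` instead of the sample rows.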
Temporary users
For temporary users, an approach similar to the one for service users can be used; the description of the user should state why this is a local user and not an NTNU user. The user should also be deleted as soon as it is no longer needed.
Give a user administrative privileges
...