We are using openstack projects, with some defined quotas, to contain student projects. For courses that use the openstack platform, we create one openstack project per project group. This wiki page documents that process.
General user administration
As we are performing authentication using the NTNU LDAP infrastructure, we do not administer the user accounts. We are simply adding existing NTNU users to openstack projects.
Project administration
Naming scheme:
We are creating projects using a strict naming scheme. All projects should be named using one of the following schemes:
Naming scheme | Example | Purpose |
---|---|---|
<Course-code>_<Term>_<GroupName> | IMT3441_V17_Group1 | Projects related to a specific course. Term should reflect when the project is created, and consists of "H" for autumn or "V" for spring followed by two digits indicating the year. |
<Department>_<DescriptiveName> | IIK_AssuranceTestingLab | Project related to a certain project not course-specific. |
PRIV_<username> | PRIV_eigilo | Single-user private project, not associated with any real courses or projects. Employees only. Similar student projects are prefixed "STUDENT". |
MISC | MISC | Project with misc instances for "people who just want a server" |
STUDENT_<username> | STUDENT_olanordm | Private projects which a student requests for own learning. |
STUDPROJ_<shortname> | STUDPROJ_cognita | Project assigned to a group of students for a project that is not directly associated with any courses. |
Any projects not following this naming scheme might be deleted without warning. Projects created before December 2016 will be renamed instead of deleted.
Description field:
The projects have a description-field. This field should provide a description of the project, to help the administrators to understand what it is there for.
Expiry
The projects can have an "expiry" property. This property controls when the project can be deleted. It should contain a date in the format "dd.mm.yyyy".
Setting/modifying expiry
```sh
openstack project set --property expiry='31.08.2022' <project id>
```
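The naming scheme and the expiry format above are easy to check mechanically. The following script is an added example (not the NTNU admintools) that validates project names against the six schemes, parses the "dd.mm.yyyy" expiry, and audits every project in the NTNU domain; it assumes course codes look like IMT3441 (2-4 letters and 4 digits), lowercase alphanumeric usernames, and, for audit_projects only, the openstack CLI with admin credentials.

```sh
#!/bin/sh
# Added example (not the NTNU admintools): check project names against the naming
# scheme and flag projects whose "expiry" property (dd.mm.yyyy) has passed.
# Assumptions: course codes look like IMT3441 (2-4 letters, 4 digits); usernames are
# lowercase alphanumerics; audit_projects needs the openstack CLI and admin credentials.

# Return 0 if the name matches one of the documented schemes.
valid_project_name() {
  printf '%s\n' "$1" | grep -Eq \
    -e '^[A-Z]{2,4}[0-9]{4}_[HV][0-9]{2}_[A-Za-z0-9]+$' \
    -e '^[A-Z]+_[A-Za-z0-9]+$' \
    -e '^PRIV_[a-z0-9]+$' -e '^STUDENT_[a-z0-9]+$' -e '^STUDPROJ_[a-z0-9]+$' \
    -e '^MISC$'
}

# Convert "dd.mm.yyyy" to "yyyymmdd" so dates compare as integers; fail on other formats.
expiry_key() {
  printf '%s\n' "$1" | grep -Eq '^[0-3][0-9]\.[01][0-9]\.[0-9]{4}$' || return 1
  printf '%s%s%s\n' "${1##*.}" "$(printf '%s' "$1" | cut -d. -f2)" "${1%%.*}"
}

# Return 0 if the expiry date is before today (yyyymmdd; defaults to the current date).
is_expired() {
  key=$(expiry_key "$1") || return 2
  [ "$key" -lt "${2:-$(date +%Y%m%d)}" ]
}

# Walk every project in the NTNU domain and print what an administrator should look at.
audit_projects() {
  openstack project list --domain NTNU -f value -c Name | while read -r name; do
    valid_project_name "$name" || echo "BAD NAME: $name"
    # assumption: properties set with "project set --property" appear as columns of project show
    expiry=$(openstack project show --domain NTNU -f value -c expiry "$name" 2>/dev/null)
    [ -n "$expiry" ] && is_expired "$expiry" && echo "EXPIRED $expiry: $name"
  done
}
```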
Creating a project
We use a script in our admintools to create projects. Please refer to it for help; it prints a help page if run without parameters.
Deleting a project:
When a project is about to be removed, all users should be removed, and all resources should be deleted before the project is deleted. This is a suggested list of actions:
- Remove all users and groups but your own from the project
- Delete all heat stacks
- Detach and delete all volumes
- Delete all virtual machines
- Delete all ports
- Delete all firewall-rules
- Delete all firewall-policies
- Delete all firewalls
- Delete all routers
- Delete all subnets
- Delete all networks
- Delete all security groups
- Delete all floating IPs
- Remove your user from the project
- Delete the project
As of Mitaka, openstack is still not cleaning up properly when a project is removed; hence the extensive checklist.
We have a script to delete projects for us.
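The checklist above, written out as an added example (not the admintools delete script): every resource type is listed and deleted in order while scoped to the target project, and the project is deleted last. It assumes the openstack CLI with admin credentials, that your own user is still a member of the project so a token can be scoped to it, and that FWaaS objects have already been removed with the neutron CLI of your release.

```sh
#!/bin/sh
# Added example, not the NTNU admintools delete script: tear down a project's resources
# in the order of the checklist, then delete the project. Assumes the openstack CLI with
# admin credentials, your own membership in the project, and FWaaS objects removed first.
OSC=${OSC:-openstack}   # set OSC=: for a dry run in which nothing is executed
PROJECT=

# Run an openstack command scoped to the project being torn down.
scoped() { "$OSC" --os-project-name "$PROJECT" --os-project-domain-name NTNU "$@"; }

# IDs of all resources of one type; $1 may contain a space ("security group"),
# so it is deliberately left unquoted.
ids() { scoped $1 list -f value -c ID; }

# delete_all <type> [delete flags]: delete every resource of that type.
delete_all() {
  type=$1; shift
  for id in $(ids "$type"); do
    scoped $type delete "$@" "$id" || echo "could not delete $type $id (left in place)"
  done
}

teardown_project() {
  PROJECT=$1
  delete_all stack --yes --wait
  delete_all server --wait        # deleting servers also detaches their volumes
  delete_all volume
  # router interface ports cannot be deleted directly: detach subnets and gateway first
  for r in $(ids router); do
    scoped router unset --external-gateway "$r"
    for s in $(ids subnet); do scoped router remove subnet "$r" "$s" 2>/dev/null || true; done
  done
  delete_all port
  delete_all router
  delete_all subnet
  delete_all network
  delete_all "security group"   # the "default" group is refused and left behind
  delete_all "floating ip"
  # back in the admin scope; deleting the project also drops its role assignments
  "$OSC" project delete --domain NTNU "$PROJECT"
}
```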
Adding/Removing users/groups to/from projects
This section describes how to add/remove users and groups from projects.
Displaying users assigned to a certain project
To show which users are assigned to a certain project, the following command can be used.
```sh
$ openstack role assignment list --project <projectname> --names
```
Assigning NTNU users to a project
...
```sh
$ openstack role add --project <projectname> --user <username> --user-domain=NTNU _member_
$ openstack role add --project <projectname> --user <username> --user-domain=NTNU heat_stack_owner
$ openstack role add --project <projectname> --user <username> --user-domain=NTNU load-balancer_member
$ openstack role add --project <projectname> --user <username> --user-domain=NTNU creator
```
This gives the user access to create networks, routers and VMs, as well as to use the Heat orchestration service, Octavia load balancing and Barbican key storage.
Assigning NTNU groups to a project
...
```sh
$ openstack role add --project <projectname> --group <groupname> --group-domain=NTNU _member_
$ openstack role add --project <projectname> --group <groupname> --group-domain=NTNU heat_stack_owner
$ openstack role add --project <projectname> --group <groupname> --group-domain=NTNU load-balancer_member
$ openstack role add --project <projectname> --group <groupname> --group-domain=NTNU creator
```
BAS groupadmin: https://bas.ntnu.no/groupadmin
SkyHiGh will only contain groups whose names start with "ie-iik_skyhigh".
stack.it will only contain groups whose names start with "itea_stackit".
Removing NTNU users from a project
...
```sh
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU _member_
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU heat_stack_owner
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU load-balancer_member
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU creator
```
Removing NTNU groups from a project
...
```sh
$ openstack role remove --project <projectname> --group <groupname> --group-domain=NTNU _member_
$ openstack role remove --project <projectname> --group <groupname> --group-domain=NTNU heat_stack_owner
$ openstack role remove --project <projectname> --group <groupname> --group-domain=NTNU load-balancer_member
$ openstack role remove --project <projectname> --group <groupname> --group-domain=NTNU creator
```
User administration
As we are performing authentication using the NTNU LDAP infrastructure, we do not administer regular user accounts. We are simply adding existing NTNU users to openstack projects.
Displaying projects a user is member of
...
```
$ openstack role assignment list --user eigilo --user-domain=NTNU --names
+------------------+-------------+-------+---------------+--------+-----------+
| Role             | User        | Group | Project       | Domain | Inherited |
+------------------+-------------+-------+---------------+--------+-----------+
| admin            | eigilo@NTNU |       | admin@Default |        | False     |
| _member_         | eigilo@NTNU |       | eigil@Default |        | False     |
| heat_stack_owner | eigilo@NTNU |       | eigil@Default |        | False     |
+------------------+-------------+-------+---------------+--------+-----------+
```
Displaying project a group is member of
To display which projects a group is a member of:
```
$ openstack role assignment list --group ie-iik_skylow1 --group-domain=NTNU --names
+----------+------+---------------------+-----------------------+--------+-----------+
| Role     | User | Group               | Project               | Domain | Inherited |
+----------+------+---------------------+-----------------------+--------+-----------+
| _member_ |      | ie-iik_skylow1@NTNU | IIK_testproject1@NTNU |        | False     |
+----------+------+---------------------+-----------------------+--------+-----------+
```
...
Creating a project
To create a project for the course IMT3005 and add a student (or a group) with NTNU username pikachu, with permission to create Heat stacks:
```sh
$ openstack project create --description "<Project Description>" --domain NTNU <Projectname>
$ openstack role add --project IMT3005_H17_Group12 --user pikachu --user-domain=NTNU _member_
$ openstack role add --project IMT3005_H17_Group12 --user pikachu --user-domain=NTNU heat_stack_owner
$ openstack role add --project IMT3005_H17_Group12 --group pikachu --group-domain=NTNU _member_
$ openstack role add --project IMT3005_H17_Group12 --group pikachu --group-domain=NTNU heat_stack_owner
# if you copy and paste (a messy) list of user info from blackboard into a.txt and need to extract the usernames:
# (keeps the part before "@" of every e-mail address, one username per line)
$ grep -o ' [^ ]*@[^ ]* ' a.txt | tr -d '\t' | tr -d ' ' | grep -o '^[^@]*' > usernames.dat
# redirecting usernames.dat into a loop to create a project for each student
# (read -r without a variable name stores each line in $REPLY):
while read -r
do
  openstack project create --description "IMT3005_H17_$REPLY" --domain NTNU "IMT3005_H17_$REPLY"
  openstack role add --project "IMT3005_H17_$REPLY" --user "$REPLY" --user-domain=NTNU _member_
  openstack role add --project "IMT3005_H17_$REPLY" --user "$REPLY" --user-domain=NTNU heat_stack_owner
done < usernames.dat
```
Service users, or temporary guest users
In some special cases it is necessary to create users that are not part of the NTNU LDAP catalog. There are currently two cases where this is necessary:
...
For temporary users, a similar approach to that for service users can be used, where the description of the user should indicate the reason for this being a local user and not an NTNU user. The user should also be deleted as soon as it is no longer needed.
Give a user or group administrative privileges
To give full administration access to a user, the user needs to be an admin member of the admin project.
...
Give admin credentials to a user
...