We are using openstack projects, with some defined quotas, to contain student projects. For courses which uses the openstack platform, we are creating one openstack project per project group. This page of the wiki documents this process.
General user administration
As we are performing authentication using the NTNU LDAP infrastructure, we do not administer the user accounts. We are simply adding existing NTNU users to openstack projects.
Assigning NTNU users to a project
A user can be assigned to a project using the following commands:
$ openstack role add --project <projectname> --user <username> --user-domain=NTNU _member_ $ openstack role add --project <projectname> --user <username> --user-domain=NTNU heat_stack_owner
This will give the user access to create networks/routers/vm's, in addition to use the heat orchestration services.
Assigning NTNU groups to a project
A group from BAS can be assigned to a project using the following command:
$ openstack role add --project <projectname> --group <groupname> --group-domain=NTNU _member_ $ openstack role add --project <projectname> --group <groupname> --group-domain=NTNU heat_stack_owner
Removing NTNU users from a project
When a user should be removed from the project, his member role, and heat_stack_owner role, should be removed:
$ openstack role remove --project <projectname> --user <username> --user-domain=NTNU _member_ $ openstack role remove --project <projectname> --user <username> --user-domain=NTNU heat_stack_owner
Removing NTNU groups from a project
When a group should be removed from the project, his member role, and heat_stack_owner role, should be removed:
$ openstack role remove --project <projectname> --group <groupname> --group-domain=NTNU _member_ $ openstack role remove --project <projectname> --group <groupname> --group-domain=NTNU heat_stack_owner
Displaying projects a user is member of
To display which projects a user is a member of:
$ openstack role assignment list --user eigilo --user-domain=NTNU --names +------------------+-------------+-------+---------------+--------+-----------+ | Role | User | Group | Project | Domain | Inherited | +------------------+-------------+-------+---------------+--------+-----------+ | admin | eigilo@NTNU | | admin@Default | | False | | _member_ | eigilo@NTNU | | eigil@Default | | False | | heat_stack_owner | eigilo@NTNU | | eigil@Default | | False | +------------------+-------------+-------+---------------+--------+-----------+
Displaying project a group is member of
To display which projects a group is a member of:
$ openstack role assignment list --group ie-iik_skylow1 --group-domain=NTNU --names +----------+------+---------------------+-----------------------+--------+-----------+ | Role | User | Group | Project | Domain | Inherited | +----------+------+---------------------+-----------------------+--------+-----------+ | _member_ | | ie-iik_skylow1@NTNU | IIK_testproject1@NTNU | | False | +----------+------+---------------------+-----------------------+--------+-----------+
Project administration
Naming scheme:
We are creating projects using a strict naming scheme. All projects should be named using one of the following schemes:
| Naming scheme | Example | Purpose |
|---|---|---|
| <Course-code>_<Term>_<GroupName> | IMT3441_V17_Group1 | Projects related to a specific course. |
| <Department>_<DescriptiveName> | IIK_AssuranceTestingLab | Project related to a certain project not course-specific. |
| PRIV_<username> | PRIV_eigilo | Single-user private project, not associated with any real courses or projects. |
Any projects not following this naming scheme might be deleted without warning. Projects created before December 2016 will be renamed instead of deleted.
Creating a project
To create a project and add a student (or a group) with NTNU username pikachu with permissions to create Heat stacks in the course IMT3005.
$ openstack project create --description "<Project Description>" --domain NTNU <Projectname> $ openstack role add --project IMT3005_H17_Group12 --user pikachu --user-domain=NTNU _member_ $ openstack role add --project IMT3005_H17_Group12 --user pikachu --user-domain=NTNU heat_stack_owner $ openstack role add --project IMT3005_H17_Group12 --group pikachu --group-domain=NTNU _member_ $ openstack role add --project IMT3005_H17_Group12 --group pikachu --group-domain=NTNU heat_stack_owner # if you copy and paste (a messy) list of user info from blackboard into a.txt and need to extract the usernames: $ grep -o ' [^ ]*@[^ ]* ' a.txt | tr -d '\t' | tr -d ' ' | grep -o '^[^@]*' > usernames.dat # redirecting usernames.dat into a loop to create a project for each student: while read -r do openstack project create --description "IMT3005_H17_$REPLY" --domain NTNU IMT3005_H17_$REPLY openstack role add --project IMT3005_H17_$REPLY --user $REPLY --user-domain=NTNU _member_ openstack role add --project IMT3005_H17_$REPLY --user $REPLY --user-domain=NTNU heat_stack_owner done < usernames.dat
Displaying users assigned to a certain project
To show which users are assigned to a certain project, the following command can be used.
$ openstack role assignment list --project <projectname> --names
Deleting a project:
When a project is about to be removed, all users should be removed, and all resources should be deleted before the project is deleted. This is a suggested list of actions:
- Remove all users and groups but your own from the project
- Delete all heat stacks
- Deattach and delete all volumes
- Delete all virtual machines
- Delete all ports
- Delete all firewall-rules
- Delete all firewall-policies
- Delete all firewalls
- Delete all routers
- Delete all subnets
- Delete all networks
- Delete all security groups
- Delete all floating IP's
- Remove your user from the project
- Delete the project
As of Mitaka, openstack is still not cleaning up properly when a project is removed; hence the extensive checklist.
Service users, or temporary guest users
In some special cases it is needed to create users which is not a part of the NTNU LDAP catalog. There are currently two cases where this is necessary:
- In some courses it is desired to automate tasks which accesses the openstack api's in an unattended manner, and in these cases it is undesirable to hard code a student's username and password in these scripts. In these cases a openstack-specific service user can be created.
- When temporary users, where it is undesirable to create a NTNU user, needs an openstack user we can create a local user which he can use.
Everyone who have a personal NTNU user should however use this user for all manual access to the openstack platform. A service user should only be used when unattended tasks targeting the api's are performed.
Create service user:
A service user should only belong to a single project, and it can be created like so:
$ openstack user create --domain default --password-prompt --email <a-relevant-email@address.no> --description "<A Description of this users purpose>" <project-name>_service $ openstack role add --project <project-name> --user <project-name>_service _member_
Delete service user:
Deleting the service user is the opposite approach
$ openstack role remove --project <project-name> --user <project-name>_service _member_ $ openstack user delete --domain default <project-name>_service
Temporary users
For temporary users a similar approach as with service users can be performed, where the description of the user should indicate the reason for this being a local user, and not a NTNU user. The user should also be deleted as soon as it is not necessary anymore.
Give a user or group administrative privileges
To give full administration access to a user, he needs to be an admin member of the admin project.
$ openstack role add --project admin --user <username> admin --user-domain NTNU $ openstack role add --project admin --group <groupname> admin --group-domain NTNU