We are using openstack projects, with some defined quotas, to contain student projects. For courses which uses the openstack platform, we are creating one openstack project per project group. This page of the wiki documents this process.
General user administration
As we are performing authentication using the NTNU LDAP infrastructure, we do not administer the user accounts. We are simply adding existing NTNU users to openstack projects.
Assigning NTNU users to a project
A user can be assigned to a project using the following commands:
$ openstack role add --project <projectname> --user <username> --user-domain=NTNU _member_ $ openstack role add --project <projectname> --user <username> --user-domain=NTNU heat_stack_owner
This will give the user access to create networks/routers/vm's, in addition to use the heat orchestration services.
Displaying projects a user is member of
To display which project a user is a member of is a two-step approach in Mitaka. First one needs to determine the user's ID, before this ID is used to retreive the projects this user is a member of:
$ openstack user show eigilo --domain=NTNU +-----------+------------------------------------------------------------------+ | Field | Value | +-----------+------------------------------------------------------------------+ | domain_id | cb782810849b4ce8bce7f078cc193b19 | | email | eigil.obrestad@ntnu.no | | enabled | True | | id | 1790de92c726dc409c223dcfed7fe2c67d792f3cf8e7f46118e5c2bfd63faff3 | | name | eigilo | +-----------+------------------------------------------------------------------+ $ openstack role assignment list --user 1790de92c726dc409c223dcfed7fe2c67d792f3cf8e7f46118e5c2bfd63faff3 --names +------------------+-------------+-------+---------------+--------+-----------+ | Role | User | Group | Project | Domain | Inherited | +------------------+-------------+-------+---------------+--------+-----------+ | admin | eigilo@NTNU | | admin@Default | | False | | _member_ | eigilo@NTNU | | eigil@Default | | False | | heat_stack_owner | eigilo@NTNU | | eigil@Default | | False | +------------------+-------------+-------+---------------+--------+-----------+
Project administration
Naming scheme:
We are creating projects using a strict naming scheme. All projects should be named using one of the following schemes:
Naming scheme | Example | Purpose |
---|---|---|
<Course-code>_<Term>_<GroupName> | IMT3441_V17_Group1 | Projects related to a specific course. |
<Department>_<DescriptiveName> | AIMT_AssuranceTestingLab | Project related to a certain project not course-specific. |
U_<username> | U_eigilo | Single-user project, not associated with any real courses or projects. |
Creating a project
To create a project and add a student with NTNU username pikachu with permissions to create Heat stacks in the course IMT3005.
$ openstack project create --description "<Project Description>" --domain NTNU <Projectname>
Displaying users assigned to a certain project
To show which users are assigned to a certain project, the following command can be used.
$ openstack role assignment list --project <PROJECTNAME> --names
Give a user administrative privileges
To give full administration access to a user, he needs to be an admin member of the admin project.
$ openstack role add --project admin --user <username> admin --user-domain NTNU