Administering Domains

Managing a Domain

Domains represent a team or an organization in a multi-project environment. The Cloud Administrator can perform the following steps for on-boarding a team in this environment.

Overview

Create a domain resource. This step automatically creates a default project for the domain to facilitate user on-boarding.

Ensure that the domain has access to at least one deployment availability zone. This allows users in that domain to access virtual images and deploy virtual servers when logged in to the domain projects. The availability zones that are assigned to the domain are then visible to be assigned to projects within the domain.

To delegate the domain administration, ensure that at least one user is assigned to the domain with the domain_admin role. With this role, the Cloud Administrator can delegate the administrative tasks of the domain to the Domain Administrator, who can then start creating projects and assigning users.

Creating a domain

The Cloud Administrator creates domains to organize projects, groups, and users.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • In the left navigation pane, click IDENTITY > Domains. The Domains page opens.
  • Select Create Domain. The Create Domain window is displayed.
  • Specify the domain name and, optionally, the domain description.
  • Optional: Clear the Enabled check box to disable the domain. If the domain is disabled, the Domain Administrator cannot create, update, or delete resources that are related to the domain. New domains are enabled by default.
  • Click Create Domain.

CLI:

$ openstack domain create --description "description" <domain>
$ openstack role add --domain <domain> --user admin Admin

The second step is required in order to ensure that the cloud administrator can manage the new domain.

Assigning a zone to a domain

Assigning a zone to a domain enables users in a domain to access the resources available within a zone.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • Open the domains page by clicking IDENTITY > Domains in the navigation pane.
  • In the domains page, find the entry for the domain and click the arrow icon in the Actions column. Then click the Edit option to open the Edit Domain window. Click the Availability Zones tab. The Available Zones and the Assigned Zones are listed in the following format: Zone_Name - Region_Name
  • To assign a zone to a domain, from the list of Available Zones, click the plus button beside the zone name. The selected zone moves to the Assigned Zones list. To return an Assigned Zone to an Available Zone, select the minus button beside the zone name. Use the Filter field to search for specific zones.
  • When you have assigned all zones, click Save.

CLI:

$ openstack domain create --description "description" <domain>
$ openstack role add --domain <domain> --user admin Admin

Managing Domain Quotas

The Cloud Administrator can manage quotas for a domain, specifying the maximum amount of a certain resource that is available to the domain. The Domain Administrator can then distribute that quantity among all the projects in the domain.

Using the command-line interface, the administrator can manage the following types of quotas.

  • Compute service quotas

    Set Compute quotas for a domain:

    $ openstack quota set --QUOTA_NAME QUOTA_VALUE <domain>

    For example, to set the maximum number of instances to 20, issue:

    $ openstack quota set --instances 20 <domain>

    To see the current quota values, run:

    $ nova quota-show --tenant <domain>
    +-----------------------------+-------+
    | Quota                       | Limit |
    +-----------------------------+-------+
    | instances                   | 10    |
    | cores                       | 20    |
    | ram                         | 51200 |
    | floating_ips                | 10    |
    | fixed_ips                   | -1    |
    | metadata_items              | 128   |
    | injected_files              | 5     |
    | injected_file_content_bytes | 10240 |
    | injected_file_path_bytes    | 255   |
    | key_pairs                   | 100   |
    | security_groups             | 10    |
    | security_group_rules        | 20    |
    | server_groups               | 10    |
    | server_group_members        | 10    |
    +-----------------------------+-------+
    
  • Block Storage service quotas
      • View Block Storage quotas
      • Set Block Storage service quotas

  • Networking service quotas
      • Basic quota configuration
      • Configure per-project quotas

Editing the domain quotas

The Cloud Administrator can change the quotas of a domain to set limits on the operational resources that a Domain Administrator can distribute among all the projects in the domain.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • In the navigation pane, click IDENTITY > Domains.
  • On the Domains page, find the entry for the domain that you want to modify. In the Actions column for that entry, click More > Edit.
  • In the Edit Domain window, click the Quota tab.
  • Edit the quota values as wanted.
  • Click Save.

Setting the Domain Administrator

The Cloud Administrator can add users to, or remove users from, the list of Domain Administrators who control a domain.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • In the navigation pane, click IDENTITY > Domains.
  • In the Domains page, select the entry for the domain. In the Actions column, click More > Edit. The Edit Domain window opens.
  • Click the Domain Administrators tab.
  • To add a Domain Administrator, click +. The user is promoted from Domain User to Domain Administrator for the default project only. You must manually add the Domain Administrator user to all other projects in the domain, as described in Modifying user assignments for a project.
  • To remove a Domain Administrator, click -. The user is demoted from Domain Administrator to Domain User for all projects in the domain, but is not removed from any projects.
  • Click Save.

CLI:

$ openstack role add --domain $domain --user $id_of_user admin
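
An added example, not part of the original guide: after a promotion as described above, the new Domain Administrator is a member of the default project only, so this function lists the projects in the domain on which the user still holds no role. It assumes the user and the projects belong to the same domain; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: the user and all projects live in the same domain.

# projects_without_user DOMAIN USER
# Prints one project name per line for every project in DOMAIN on which
# USER has no role assignment.
# Returns 0 if the user is on every project, 1 if gaps exist, 2 on CLI error.
projects_without_user() {
    domain=$1 user=$2 gaps=0
    projects=$(openstack project list --domain "$domain" -f value -c Name) || return 2
    while IFS= read -r p; do
        [ -n "$p" ] || continue          # domain without projects
        # --names prints role names instead of IDs; stdin is detached so the
        # CLI cannot consume the project list feeding this loop.
        roles=$(openstack role assignment list --names \
                    --user "$user" --user-domain "$domain" \
                    --project "$p" --project-domain "$domain" \
                    -f value -c Role </dev/null) || return 2
        if [ -z "$roles" ]; then
            echo "$p"
            gaps=1
        fi
    done <<EOF
$projects
EOF
    return "$gaps"
}
```

Run it as the Cloud Administrator after each promotion, and add the user to every project it prints.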

Setting a domain context

Cloud administrators can set the context of a domain in order to limit its visibility, rather than having visibility across all domains. This allows the Cloud administrator to identify the projects, users, groups, and roles that are associated with a domain.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • In the left navigation pane, click IDENTITY > Domains.
  • In the domains page, find the entry for the domain and click Set Domain Context.

Clearing the domain context

Cloud administrators can clear the scope of all domains, enabling visibility across all domains.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • In the left navigation pane, click IDENTITY > Domains.
  • In the domains page, select Clear Domain Context from the top right-hand corner.

Managing security groups

The Cloud Administrator can create, modify, or delete security groups in a domain.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud Administrator.
  • In the navigation pane, click PROJECT > Access & Security. In the Access & Security panel, you can create, modify or delete a security group.
  • To modify a security group, click Manage Rules for the group that you want to modify and add or delete rules for the security group.

Managing Projects

The Cloud or Domain administrator can set the level of access for each project with the user interface.

Creating a project

The administrator can assign individual zones to a domain with the OpenStack Dashboard.

GUI:

  • Log in to the OpenStack Dashboard as a Cloud or Domain Administrator.
  • Open the projects page by clicking IDENTITY > Projects in the navigation pane.
  • Click Create Project. The Create Project window is displayed.
  • Specify the name for the project.
  • Optional: Enter a description for the project.
  • Optional: By clearing the Enabled check box, the project is disabled and users cannot log into it.
  • Click Create Project.

CLI:

$ openstack project create $project --domain $domain

See http://docs.openstack.org/mitaka/install-guide-obs/keystone-users.html

Enabling a project

Enabling a project allows you to set that project as your default project. The action only appears if the project is disabled.

Editing a project

You can modify the name and description of a project.

Disabling a project

Disabling a project in a domain means that the users who previously had that project set as their default cannot log in to it anymore. Other users also cannot switch to this project anymore.

Deleting a project

Delete a project in the OpenStack Dashboard as the Cloud or Domain Administrator.

Assigning a zone to a project

Assigning a zone to a project enables users within a zone to access a specific project.

GUI:

  • Log in to the OpenStack Dashboard as the Cloud or Domain Administrator.
  • Open the domains page by clicking IDENTITY > Domains in the navigation pane.
  • In the domains page, find the entry for the domain and select Set Domain Context in the Actions column. The Identity Panel group is now in the context of the selected domain and the Domains page is also changed. You are now working within the context of the domain that you created.
  • Select IDENTITY > Projects.
  • In the Actions column in the table for the project, click the arrow icon then click the Edit Project option.
  • Click the Availability Zones tab. The available zones and the assigned zones are listed in the following format: Zone_Name - Region_Name.
  • To assign a zone to a domain, from the list of Available Zones, click the plus button beside the zone name. The selected zone moves to the Assigned Zones list. To return an Assigned Zone to an Available Zone, select the minus button beside the zone name. Use the Filter field to search for specific zones.
  • When you have assigned all zones, click Save.

Configuring project quotas

The Cloud or Project Administrator can configure the project quotas, in order to limit the following resources:

  • Number of volumes that can be created
  • Total size of all volumes within a project as measured in GB
  • Number of instances that can be started
  • Number of processor cores that can be allocated
  • Publicly accessible IP addresses

Quotas can be enforced at both the project and the project-user level.

  • Compute service quotas
      • Set Compute quotas for a project (project)
      • Set Compute quotas for a project user
  • Block Storage service quotas
      • View Block Storage quotas
      • Set Block Storage service quotas
  • Networking service quotas
      • Basic quota configuration
      • Configure per-project quotas

Managing Quotas

Nested quotas allow deciding how to divide resources among hierarchical sub-projects.

For example, the following command updates the quota of volumes assigned to a project:

$ cinder quota-update PROJECT_ID --volumes 10
+-----------------------+-------+
|        Property       | Value |
+-----------------------+-------+
|    backup_gigabytes   |   0   |
|        backups        |   0   |
|       gigabytes       |   0   |
| gigabytes_lvmdriver-1 |   0   |
|  per_volume_gigabytes |   0   |
|       snapshots       |   0   |
| snapshots_lvmdriver-1 |   0   |
|        volumes        |   10  |
|  volumes_lvmdriver-1  |   0   |
+-----------------------+-------+

Once these volumes are assigned to the project, the number of volumes that can be used by sibling projects is reduced correspondingly.
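
The bookkeeping described above, as an added example that is not part of the original guide: a shell function that reads quota tables in the layout printed on this page and reports how much of a parent limit is left once the children's limits are subtracted. All table values and the function names are constructed for illustration; -1 is treated as unlimited.

```shell
#!/bin/sh
# Added example (not from the original page): check that the limits handed to
# child projects fit inside the parent's limit. All values are constructed.

# Tables in the layout printed by the quota commands shown on this page.
DOMAIN_Q='+-----------+-------+
| Quota     | Limit |
+-----------+-------+
| instances | 20    |
| cores     | 40    |
| fixed_ips | -1    |
+-----------+-------+'
PROJ_A_Q='| instances | 12    |
| cores     | 16    |
| fixed_ips | -1    |'
PROJ_B_Q='| instances | 10    |
| cores     | 8     |
| fixed_ips | 50    |'

# quota_value TABLE NAME: print the limit stored for NAME (nothing if absent).
quota_value() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        NF >= 3 {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3)
            if ($2 == want) { print $3; exit }
        }'
}

# quota_headroom NAME PARENT CHILD...: print what is left of the parent limit.
# Returns 0 if the children fit, 1 if over-committed, 2 on unreadable input.
quota_headroom() {
    name=$1 limit=$(quota_value "$2" "$1"); shift 2
    case ${limit#-} in ''|*[!0-9]*) echo "no $name limit in parent" >&2; return 2 ;; esac
    total=0
    for child in "$@"; do
        v=$(quota_value "$child" "$name")
        case ${v#-} in ''|*[!0-9]*) echo "bad $name value in child" >&2; return 2 ;; esac
        if [ "$v" -lt 0 ] && [ "$limit" -ge 0 ]; then
            # -1 means unlimited: such a child escapes a finite parent limit
            echo "unlimited-child"; return 1
        fi
        [ "$v" -lt 0 ] || total=$((total + v))
    done
    if [ "$limit" -lt 0 ]; then echo "unlimited"; return 0; fi
    echo $((limit - total))
    [ "$total" -le "$limit" ]
}
```

With the sample tables, `quota_headroom cores "$DOMAIN_Q" "$PROJ_A_Q" "$PROJ_B_Q"` prints the remaining headroom, while the same call for `instances` prints a negative number and returns 1 because the two projects together exceed the domain limit.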

Managing Groups

You can manage the level of access for each group in the Cloud with the user interface.

Managing Users

You can manage the level of access for each individual user.

Create a user

Add a user to a project

Add a user to a project and assign the user the role “Member” in the project:

$ openstack role add --project $project_id --user $id_of_user Member

Managing Networks

As a cloud administrator you can manage networks in the Cloud with the user interface.