Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

Chapter 5. Project Management

5.1. Project Management

As a cloud administrator, you can create and manage projects (tenants). A tenant describes a project with an assigned number of OpenStack users and resources. It is possible to set up quotas for each tenant. This enables multiple projects to use a single cloud without interfering with each other’s permissions and resources. The words project and tenant are used interchangeably. Users can be associated with more than one project. Each user-project pairing must have a role associated with it.

5.1.1. Create a Project

Use this procedure to create projects, add members to the project, and set resource limits for the project.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. Click Create Project.
  3. On the Project Information tab, enter a name and description for the project (the Enabled check box is selected by default).
  4. On the Project Members tab, add members to the project from the All Users list.
  5. On the Quotas tab, specify resource limits for the project.
  6. Click Create Project.

5.1.2. Edit a Project

You can edit a project to change its name or description, enable or temporarily disable it, or update its members.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. In the project’s Actions column, click the arrow, and click Edit Project.
  3. In the Edit Project window, you can update a project to change its name or description, and enable or temporarily disable the project.
  4. On the Project Members tab, add members to the project, or remove them as needed.
  5. Click Save.
Note

The Enabled check box is selected by default. To temporarily disable the project, clear the Enabled check box. To enable a disabled project, select the Enabled check box.

5.1.3. Delete a Project

  1. As an admin user in the dashboard, select Identity > Projects.
  2. Select the project you want to delete.
  3. Click Delete Projects. The Confirm Delete Projects window is displayed.
  4. Click Delete Projects to confirm the action.

The project gets deleted and any user pairing will be disassociated.

5.1.4. Update Project Quotas

Quotas are operational limits that can be set per project to optimize cloud resources. You can set quotas to prevent project resources from being exhausted without notification. Quotas can be enforced at both the project and the project-user level.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. In the project’s Actions column, click the arrow, and click Modify Quotas.
  3. In the Quota tab, modify project quotas as needed.
  4. Click Save.

5.1.5. Change Active Project

A user can set a project as the active project only of which they are a member. It is also necessary for the user to be a member of more than one project to have the Set as Active Project option be enabled. Setting a project as an active project enables you to access objects in the dashboard for the active project. Note that a disabled project cannot be set as active, unless it is re-enabled.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. In the project’s Actions column, click the arrow, and click Set as Active Project.
  3. Alternatively, as a non-admin user, in the project’s Actions column, click Set as Active Project which becomes the default action in the column.

5.2. Project Hierarchies

5.2.1. Hierarchical Multitenancy (HMT) in Identity Service

Projects can be nested using multitenancy in keystone. Multitenancy allows subprojects to inherit role assignments from a parent project.

5.2.1.1. Create the Project and Subprojects

You can implement Hierarchical Multitenancy (HMT) using keystone domains and projects. Begin by creating a new domain and then creating a project within that domain. You can then add subprojects to that project. You can also promote a user to administrator of a subproject by adding the user to the admin role for that subproject.

Note

The HMT structure used by keystone is not currently represented in the dashboard.

For example:

1. Create a new keystone domain called corp:

$ openstack domain create corp
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 69436408fdcb44ab9e111691f8e9216d |
| name        | corp                             |
+-------------+----------------------------------+

2. Create the parent project (private-cloud) within the corp domain:

$ openstack project create private-cloud --domain corp
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 69436408fdcb44ab9e111691f8e9216d |
| enabled     | True                             |
| id          | c50d5cf4fe2e4929b98af5abdec3fd64 |
| is_domain   | False                            |
| name        | private-cloud                    |
| parent_id   | 69436408fdcb44ab9e111691f8e9216d |
+-------------+----------------------------------+

3. Create a subproject (dev) within the private-cloud parent project, while also specifying the corp domain:

$ openstack project create dev --parent private-cloud --domain corp
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 69436408fdcb44ab9e111691f8e9216d |
| enabled     | True                             |
| id          | 11fccd8369824baa9fc87cf01023fd87 |
| is_domain   | False                            |
| name        | dev                              |
| parent_id   | c50d5cf4fe2e4929b98af5abdec3fd64 |
+-------------+----------------------------------+

4. Create another subproject called qa:

$ openstack project create qa --parent private-cloud --domain corp
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 69436408fdcb44ab9e111691f8e9216d |
| enabled     | True                             |
| id          | b4f1d6f59ddf413fa040f062a0234871 |
| is_domain   | False                            |
| name        | qa                               |
| parent_id   | c50d5cf4fe2e4929b98af5abdec3fd64 |
+-------------+----------------------------------+
Note

You can use the Identity API to view the project hierarchy. For more information, see https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-project-details-detail

5.2.1.2. Granting Access to Users

By default, a newly-created project has no assigned roles. When you assign role permissions to the parent project, you can include the --inherited flag to instruct the subprojects to inherit the assigned permissions from the parent project. For example, a user with admin role access to the parent project will also have admin access to the subprojects.

1. View the existing permissions assigned to a project:

$ openstack role assignment list --project private-cloud

2. View the existing roles:

$ openstack role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 3a5137e4b620489791df1152ac013bfa | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_      |
| cf4f87df933b455f957cf03b6d3784d2 | admin         |
| eef5cea6ff9549aa98cccc208c370d80 | SwiftOperator |
+----------------------------------+---------------+

3. Grant the user account user1 access to the private-cloud project:

$ openstack role add --user user1 --user-domain corp --project private-cloud _member_

Re-run the command above using the --inherited flag. As a result, user1 also has access to the private-cloud subprojects, which have inherited the role assignment:

$ openstack role add --user user1 --user-domain corp --project private-cloud _member_ --inherited

4. Review the result of the permissions update:

$ openstack role assignment list --effective --user user1 --user-domain corp
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 10b5b34df21d485ca044433818d134be |       | c50d5cf4fe2e4929b98af5abdec3fd64 |        | False     |
| 9fe2ff9ee4384b1894a90878d3e92bab | 10b5b34df21d485ca044433818d134be |       | 11fccd8369824baa9fc87cf01023fd87 |        | True      |
| 9fe2ff9ee4384b1894a90878d3e92bab | 10b5b34df21d485ca044433818d134be |       | b4f1d6f59ddf413fa040f062a0234871 |        | True      |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

You will see in the results that user1 has inherited access to the qa and dev projects. In addition, because the --inherited flag was applied to the parent project, user1 will also automatically get access to any subprojects that are created later.

5.2.2. Removing access

Explicit and inherited permissions must be separately removed. For example:

1. Remove a user from an explicitly assigned role:

$ openstack role remove --user user1 --project private-cloud _member_

2. Review the result of the change. Notice that the inherited permissions are still present:

$ openstack role assignment list --effective --user user1 --user-domain corp
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 10b5b34df21d485ca044433818d134be |       | 11fccd8369824baa9fc87cf01023fd87 |        | True      |
| 9fe2ff9ee4384b1894a90878d3e92bab | 10b5b34df21d485ca044433818d134be |       | b4f1d6f59ddf413fa040f062a0234871 |        | True      |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

3. Remove the inherited permissions:

$ openstack role remove --user user1 --project private-cloud _member_ --inherited

4. Review the result of the change. The inherited permissions have been removed, and the resulting output is now empty:

$ openstack role assignment list --effective --user user1 --user-domain corp

5.2.3. Nested Quotas

At present, nested quotas are not yet supported. As such, you will need to manage quotas individually against projects and subprojects.

5.2.4. Reseller Overview

With the Reseller project, the goal is to have a hierarchy of domains; these domains will eventually allow you to consider reselling portions of the cloud, with a subdomain representing a fully-enabled cloud. This work has been split into phases, with phase 1 described below:

5.2.4.1. Phase 1 of Reseller

Reseller (phase 1) is an extension of Hierarchical Multitenancy (HMT), described here: Section 5.2.1, “Hierarchical Multitenancy (HMT) in Identity Service”. Previously, keystone domains were originally intended to be containers that stored users and projects, with their own table in the database back-end. As a result, domains are now no longer stored in their own table, and have been merged into the project table:

  • A domain is now a type of project, distinguished by the is_domain flag.
  • A domain represents a top-level project in the project hierarchy: domains are roots in the project hierarchy
  • APIs have been updated to create and retrieve domains using the projects subpath:

    • Create a new domain by creating a project with the is_domain flag set to true
    • List projects that are domains: get projects including the is_domain query parameter.
Note

Phase 1 does not allow you to create a hierarchy of domains, meaning that the subdomains are not yet available. In addition, this does not change the scope of tokens, neither does it include the hierarchy support necessary for projects other than keystone.

5.3. Project Security Management

Security groups are sets of IP filter rules that can be assigned to project instances, and which define networking access to the instance. Security groups are project specific; project members can edit the default rules for their security group and add new rule sets.

All projects have a default security group that is applied to any instance that has no other defined security group. Unless you change the default values, this security group denies all incoming traffic and allows only outgoing traffic to your instance.

5.3.1. Create a Security Group

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Create Security Group.
  3. Provide a name and description for the group, and click Create Security Group.

5.3.2. Add a Security Group Rule

By default, rules for a new group only provide outgoing access. You must add new rules to provide additional access.

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Manage Rules for the security group that you want to edit.
  3. Click Add Rule to add a new rule.
  4. Specify the rule values, and click Add.

    The following rule fields are required:

    Rule

    Rule type. If you specify a rule template (for example, SSH), its fields are automatically filled in:

    • TCP: Typically used to exchange data between systems, and for end-user communication.
    • UDP: Typically used to exchange data between systems, particularly at the application level.
    • ICMP: Typically used by network devices, such as routers, to send error or monitoring messages.
    Direction
    Ingress (inbound) or Egress (outbound).
    Open Port

    For TCP or UDP rules, the Port or Port Range (single port or range of ports) to open:

    • For a range of ports, enter port values in the From Port and To Port fields.
    • For a single port, enter the port value in the Port field.
    Type
    The type for ICMP rules; must be in the range -1:255.
    Code
    The code for ICMP rules; must be in the range -1:255.
    Remote

    The traffic source for this rule:

    • CIDR (Classless Inter-Domain Routing): IP address block, which limits access to IPs within the block. Enter the CIDR in the Source field.
    • Security Group: Source group that enables any instance in the group to access any other group instance.

5.3.3. Delete a Security Group Rule

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Manage Rules for the security group.
  3. Select the security group rule, and click Delete Rule.
  4. Click Delete Rule again.
Note

You cannot undo the delete action.

5.3.4. Delete a Security Group

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, select the group, and click Delete Security Groups.
  3. Click Delete Security Groups.
Note

You cannot undo the delete action.