Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

Chapter 5. Project Management

5.1. Project Management

As a cloud administrator, you can create and manage projects (tenants). A tenant describes a project with an assigned number of OpenStack users and resources. It is possible to set up quotas for each tenant. This enables multiple projects to use a single cloud without interfering with each other’s permissions and resources. The words project and tenant are used interchangeably. Users can be associated with more than one project. Each user-project pairing must have a role associated with it.

5.1.1. Create a Project

Use this procedure to create projects, add members to the project, and set resource limits for the project.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. Click Create Project.
  3. On the Project Information tab, enter a name and description for the project (the Enabled check box is selected by default).
  4. On the Project Members tab, add members to the project from the All Users list.
  5. On the Quotas tab, specify resource limits for the project.
  6. Click Create Project.

5.1.2. Edit a Project

You can edit a project to change its name or description, enable or temporarily disable it, or update its members.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. In the project’s Actions column, click the arrow, and click Edit Project.
  3. In the Edit Project window, you can update a project to change its name or description, and enable or temporarily disable the project.
  4. On the Project Members tab, add members to the project, or remove them as needed.
  5. Click Save.
Note

The Enabled check box is selected by default. To temporarily disable the project, clear the Enabled check box. To enable a disabled project, select the Enabled check box.

5.1.3. Delete a Project

  1. As an admin user in the dashboard, select Identity > Projects.
  2. Select the project you want to delete.
  3. Click Delete Projects. The Confirm Delete Projects window is displayed.
  4. Click Delete Projects to confirm the action.

The project gets deleted and any user pairing will be disassociated.

5.1.4. Update Project Quotas

Quotas are operational limits that can be set per project to optimize cloud resources. You can set quotas to prevent project resources from being exhausted without notification. Quotas can be enforced at both the project and the project-user level.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. In the project’s Actions column, click the arrow, and click Modify Quotas.
  3. In the Quota tab, modify project quotas as needed.
  4. Click Save.

5.1.5. Change Active Project

A user can set a project as the active project only of which they are a member. It is also necessary for the user to be a member of more than one project to have the Set as Active Project option be enabled. Setting a project as an active project enables you to access objects in the dashboard for the active project. Note that a disabled project cannot be set as active, unless it is re-enabled.

  1. As an admin user in the dashboard, select Identity > Projects.
  2. In the project’s Actions column, click the arrow, and click Set as Active Project.
  3. Alternatively, as a non-admin user, in the project’s Actions column, click Set as Active Project which becomes the default action in the column.

5.2. Project Security Management

Security groups are sets of IP filter rules that can be assigned to project instances, and which define networking access to the instance. Security groups are project specific; project members can edit the default rules for their security group and add new rule sets.

All projects have a default security group that is applied to any instance that has no other defined security group. Unless you change the default values, this security group denies all incoming traffic and allows only outgoing traffic to your instance.

5.2.1. Create a Security Group

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Create Security Group.
  3. Provide a name and description for the group, and click Create Security Group.

5.2.2. Add a Security Group Rule

By default, rules for a new group only provide outgoing access. You must add new rules to provide additional access.

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Manage Rules for the security group that you want to edit.
  3. Click Add Rule to add a new rule.
  4. Specify the rule values, and click Add.

    The following rule fields are required:

    Rule

    Rule type. If you specify a rule template (for example, SSH), its fields are automatically filled in:

    • TCP: Typically used to exchange data between systems, and for end-user communication.
    • UDP: Typically used to exchange data between systems, particularly at the application level.
    • ICMP: Typically used by network devices, such as routers, to send error or monitoring messages.
    Direction
    Ingress (inbound) or Egress (outbound).
    Open Port

    For TCP or UDP rules, the Port or Port Range (single port or range of ports) to open:

    • For a range of ports, enter port values in the From Port and To Port fields.
    • For a single port, enter the port value in the Port field.
    Type
    The type for ICMP rules; must be in the range -1:255.
    Code
    The code for ICMP rules; must be in the range -1:255.
    Remote

    The traffic source for this rule:

    • CIDR (Classless Inter-Domain Routing): IP address block, which limits access to IPs within the block. Enter the CIDR in the Source field.
    • Security Group: Source group that enables any instance in the group to access any other group instance.

5.2.3. Delete a Security Group Rule

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, click Manage Rules for the security group.
  3. Select the security group rule, and click Delete Rule.
  4. Click Delete Rule again.
Note

You cannot undo the delete action.

5.2.4. Delete a Security Group

  1. In the dashboard, select Project > Compute > Access & Security.
  2. On the Security Groups tab, select the group, and click Delete Security Groups.
  3. Click Delete Security Groups.
Note

You cannot undo the delete action.

5.3. Hierarchical Multi-tenancy in Identity Service

In the OpenStack Identity Service (keystone) you can use multi-tenancy to nest projects. Domains represent collections of users, groups, and projects where each one of these is owned by exactly one domain. Users can be associated with multiple projects by granting roles to them on a project, including projects owned by other domains. Projects are the container of resources, which define quotas and access to VM images.

Note

Multi-tenancy is available as a technology preview. For more information on the support scope for features marked as technology previews, see https://access.redhat.com/support/offerings/techpreview/