Chapter 6. Project Management
6.1. Project Management
As a cloud administrator, you can create and manage projects (tenants). A tenant describes a project with an assigned number of OpenStack users and resources. It is possible to set up quotas for each tenant. This enables multiple projects to use a single cloud without interfering with each other’s permissions and resources. The words project and tenant are used interchangeably. Users can be associated with more than one project. Each user-project pairing must have a role associated with it.
6.1.1. Create a Project
Use this procedure to create projects, add members to the project, and set resource limits for the project.
- As an admin user in the dashboard, select Identity > Projects.
- Click Create Project.
- On the Project Information tab, enter a name and description for the project (the Enabled check box is selected by default).
- On the Project Members tab, add members to the project from the All Users list.
- On the Quotas tab, specify resource limits for the project.
- Click Create Project.
6.1.2. Edit a Project
You can edit a project to change its name or description, enable or temporarily disable it, or update its members.
- As an admin user in the dashboard, select Identity > Projects.
- In the project’s Actions column, click the arrow, and click Edit Project.
- In the Edit Project window, you can update a project to change its name or description, and enable or temporarily disable the project.
- On the Project Members tab, add members to the project, or remove them as needed.
- Click Save.
The Enabled check box is selected by default. To temporarily disable the project, clear the Enabled check box. To enable a disabled project, select the Enabled check box.
6.1.3. Delete a Project
- As an admin user in the dashboard, select Identity > Projects.
- Select the project you want to delete.
- Click Delete Projects. The Confirm Delete Projects window is displayed.
- Click Delete Projects to confirm the action.
The project is deleted, and all of its user-project pairings are disassociated.
6.1.4. Update Project Quotas
Quotas are operational limits that can be set per project to optimize cloud resources. You can set quotas to prevent project resources from being exhausted without notification. Quotas can be enforced at both the project and the project-user level.
- As an admin user in the dashboard, select Identity > Projects.
- In the project’s Actions column, click the arrow, and click Modify Quotas.
- In the Quota tab, modify project quotas as needed.
- Click Save.
6.1.5. Change Active Project
A user can set a project as the active project only if they are a member of that project. The Set as Active Project option is enabled only for users who are members of more than one project. Setting a project as the active project enables you to access that project's objects in the dashboard. Note that a disabled project cannot be set as active unless it is re-enabled.
- As an admin user in the dashboard, select Identity > Projects.
- In the project’s Actions column, click the arrow, and click Set as Active Project.
- Alternatively, as a non-admin user, in the project’s Actions column, click Set as Active Project, which is the default action in that column.
6.2. Project Security Management
Security groups are sets of IP filter rules that can be assigned to project instances, and which define networking access to the instance. Security groups are project specific; project members can edit the default rules for their security group and add new rule sets.
All projects have a default security group that is applied to any instance that has no other defined security group. Unless you change the default values, this security group denies all incoming traffic to your instance and allows only outgoing traffic from it.
6.2.1. Create a Security Group
- In the dashboard, select Project > Compute > Access & Security.
- On the Security Groups tab, click Create Security Group.
- Provide a name and description for the group, and click Create Security Group.
6.2.2. Add a Security Group Rule
By default, rules for a new group only provide outgoing access. You must add new rules to provide additional access.
- In the dashboard, select Project > Compute > Access & Security.
- On the Security Groups tab, click Manage Rules for the security group that you want to edit.
- Click Add Rule to add a new rule. Specify the rule values, and click Add.
The following rule fields are required:
- Rule: Rule type. If you specify a rule template (for example, SSH), its fields are automatically filled in:
  - TCP: Typically used to exchange data between systems, and for end-user communication.
  - UDP: Typically used to exchange data between systems, particularly at the application level.
  - ICMP: Typically used by network devices, such as routers, to send error or monitoring messages.
- Direction: Ingress (inbound) or Egress (outbound).
- Open Port: For TCP or UDP rules, the Port or Port Range (single port or range of ports) to open:
  - For a range of ports, enter port values in the From Port and To Port fields.
  - For a single port, enter the port value in the Port field.
- Type: The type for ICMP rules; must be in the range -1:255.
- Code: The code for ICMP rules; must be in the range -1:255.
- Remote: The traffic source for this rule:
  - CIDR (Classless Inter-Domain Routing): IP address block, which limits access to IPs within the block. Enter the CIDR in the Source field.
  - Security Group: Source group that enables any instance in the group to access any other instance in the group.
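To make the rule fields above concrete, here is an added example (not OpenStack or dashboard code) that models how a security group evaluates a packet: every rule is an allow rule, so anything unmatched is dropped, the default group carries only an egress rule, and an ICMP type or code of -1 matches any value. The rule and packet layouts are assumptions of this model, not neutron's data structures.

```python
import ipaddress

# Constructed model of the rule fields above (not OpenStack code). Every
# rule is an allow rule; there are no deny rules, so a packet that matches
# nothing is dropped. port_min/port_max hold a TCP/UDP port or range and,
# for ICMP, the type and code, where -1 matches any value.
def make_rule(direction, proto, port_min=-1, port_max=-1,
              remote_cidr=None, remote_group=None):
    return {"direction": direction, "proto": proto,
            "port_min": port_min, "port_max": port_max,
            "remote_cidr": remote_cidr, "remote_group": remote_group}

# The default group as described above: nothing inbound, anything outbound.
DEFAULT_RULES = [make_rule("egress", "any", remote_cidr="0.0.0.0/0")]

def _proto_and_port_ok(rule, packet):
    if rule["proto"] == "any":
        return True
    if rule["proto"] != packet["proto"]:
        return False
    if rule["proto"] == "icmp":
        return (rule["port_min"] in (-1, packet["icmp_type"])
                and rule["port_max"] in (-1, packet["icmp_code"]))
    # A single port is entered as one value, so port_min == port_max.
    return rule["port_min"] <= packet["port"] <= rule["port_max"]

def _remote_ok(rule, packet):
    # Remote is a CIDR block or another security group; a group match
    # means the sending instance belongs to that group.
    if rule["remote_cidr"] is not None:
        return (ipaddress.ip_address(packet["remote_ip"])
                in ipaddress.ip_network(rule["remote_cidr"]))
    return rule["remote_group"] in packet["remote_groups"]

def allowed(rules, packet):
    """True if at least one rule in the group permits the packet."""
    return any(r["direction"] == packet["direction"]
               and _proto_and_port_ok(r, packet) and _remote_ok(r, packet)
               for r in rules)

def packet(direction, proto, remote_ip, port=None, remote_groups=(),
           icmp_type=None, icmp_code=None):
    # Constructed packet summary: only the fields the rules look at.
    return {"direction": direction, "proto": proto, "remote_ip": remote_ip,
            "port": port, "remote_groups": list(remote_groups),
            "icmp_type": icmp_type, "icmp_code": icmp_code}
```

With only the default rules, an inbound SSH packet is dropped; adding an ingress TCP 22 rule limited to a CIDR admits it from that block only, and a remote-group ICMP rule admits pings from members of that group alone.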
6.2.3. Delete a Security Group Rule
- In the dashboard, select Project > Compute > Access & Security.
- On the Security Groups tab, click Manage Rules for the security group.
- Select the security group rule, and click Delete Rule.
- Click Delete Rule again.
You cannot undo the delete action.
6.2.4. Delete a Security Group
- In the dashboard, select Project > Compute > Access & Security.
- On the Security Groups tab, select the group, and click Delete Security Groups.
- Click Delete Security Groups.
You cannot undo the delete action.
6.3. Hierarchical Multitenancy (HMT) in Identity Service
Using keystone, you can use hierarchical multitenancy to nest projects. This allows subprojects to inherit role assignments from a parent project.
6.3.1. Create the Project and Subprojects
You can implement Hierarchical Multitenancy (HMT) using keystone domains and projects. To do so, start by creating a new domain, then creating a project within that domain. This enables you to add subprojects to that project. You can also promote a user to administrator of a subproject by adding the user to the admin role for that subproject.
The HMT structure used by keystone is not currently represented in the dashboard.
For example:
1. Create a new keystone domain called corp:
2. Create the parent project (private-cloud) within the corp domain:
3. Create a subproject (dev) within the private-cloud parent project, while also specifying the corp domain:
4. Create another subproject called qa:
You can use the Identity API to view the project hierarchy. For more information, see https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=show-project-details-detail
6.3.2. Granting Access
By default, a newly created project has no assigned roles. When you assign role permissions to the parent project, you can include the --inherited flag to instruct subprojects to inherit the assigned permissions from the parent project. For example, a user granted the admin role on the parent project with --inherited also has admin access to the subprojects.
1. View the existing permissions assigned to a project:
$ openstack role assignment list --project private-cloud
2. View the existing roles:
3. Grant the user account user1 access to the private-cloud project:
$ openstack role add --user user1 --user-domain corp --project private-cloud _member_
Re-run the command above using the --inherited flag. As a result, user1 also has access to the private-cloud subprojects, which have inherited the role assignment:
$ openstack role add --user user1 --user-domain corp --project private-cloud _member_ --inherited
4. Review the result of the permissions update:
You will see in the results that user1 has inherited access to the qa and dev projects. In addition, because the --inherited flag was applied to the parent project, user1 will also automatically get access to any subprojects that are created later.
6.3.3. Removing Access
Explicit and inherited permissions need to be removed separately. For example:
1. Remove a user from an explicitly assigned role:
$ openstack role remove --user user1 --project private-cloud _member_
2. Review the result of the change. Notice that the inherited permissions are still present:
3. Remove the inherited permissions:
$ openstack role remove --user user1 --project private-cloud _member_ --inherited
4. Review the result of the change. The inherited permissions have been removed, and the resulting output is now empty:
# openstack role assignment list --effective --user user1 --user-domain corp
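The grant-and-revoke sequence in 6.3.2 and 6.3.3, as an added example that is not part of this page or of keystone: a small model of explicit versus inherited role assignments over the private-cloud, dev and qa projects. It assumes that an inherited assignment applies to every descendant project but not to the project it is placed on, and adds a hypothetical later subproject (staging) to show that inheritance also covers projects created after the grant.

```python
# Constructed model of keystone HMT role assignments (added example, not
# keystone code). An explicit assignment applies to one project; an
# --inherited assignment on a project applies to every descendant project
# but not to that project itself, which is why both must be removed separately.
class Hierarchy:
    def __init__(self):
        self.parent = {}          # project -> parent project, or None for a root
        self.assignments = set()  # (user, project, role, inherited)

    def add_project(self, name, parent=None):
        self.parent[name] = parent

    def role_add(self, user, project, role, inherited=False):
        self.assignments.add((user, project, role, inherited))

    def role_remove(self, user, project, role, inherited=False):
        self.assignments.discard((user, project, role, inherited))

    def ancestors(self, project):
        p = self.parent[project]
        while p is not None:
            yield p
            p = self.parent[p]

    def effective(self, user):
        """Model of 'openstack role assignment list --effective --user'."""
        result = set()
        for u, project, role, inherited in self.assignments:
            if u != user:
                continue
            if not inherited:
                result.add((project, role))
                continue
            # Inherited: expand to every project that has this one as an ancestor.
            for child in self.parent:
                if project in self.ancestors(child):
                    result.add((child, role))
        return result

def walkthrough():
    h = Hierarchy()
    h.add_project("private-cloud")
    h.add_project("dev", parent="private-cloud")
    h.add_project("qa", parent="private-cloud")
    h.role_add("user1", "private-cloud", "_member_")                 # explicit
    h.role_add("user1", "private-cloud", "_member_", inherited=True)  # --inherited
    h.add_project("staging", parent="dev")  # hypothetical subproject created later
    after_grant = h.effective("user1")
    h.role_remove("user1", "private-cloud", "_member_")
    after_explicit_removed = h.effective("user1")
    h.role_remove("user1", "private-cloud", "_member_", inherited=True)
    return after_grant, after_explicit_removed, h.effective("user1")
```

After the grant, user1 is effective on private-cloud, dev, qa and staging; removing only the explicit assignment still leaves the three subprojects, and the list is empty only once the inherited assignment is removed as well.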
6.3.4. Nested Quotas
At present, nested quotas are not yet supported. As such, you will need to manage quotas individually against projects and subprojects.