Help designing groups/rights


(Niclas Eriksson) #1

Hi,
Does anyone have some input on how I should design/set up groups/rights in OpenNebula?
We’re a hoster and I would like our support personnel to be able to create new customers (i.e. networks, VMs, routers).
I’ve set it up so that authentication is made through a Windows AD. I’m thinking I would like to have a group in AD that our staff is a member of. This group is then able to create resources in the OpenNebula cloud, for instance create a customer network and create/connect VMs to that network. I would like to group all resources together in a “Customer group” in OpenNebula so we have an easy way to find which resources a customer has.

Does anyone have comments on how I should set it up?


(Niclas Eriksson) #2

Does anyone have some input to share? I would greatly appreciate it.


#3

I’m thinking about the same.

For now I decided to create the following scheme:

I’ve made a common vnet with WAN access and gave use rights to Other.

For each customer I’m going to create a group named after the customer, create its own internal vnet and VDC, and put it all together.

The only problem I have, and I don’t know why it works this way: if I remove the default cluster from the VDC but add all hosts and selected virtual networks, the scheduler can’t schedule and deploy VMs; they stay in Pending state. I didn’t figure out whether it is a bug or a feature.

P.S. May I ask you a question as well: what billing system are you going to use?


#4

A little addition: I found the reason my test group wasn’t able to schedule VMs. Of course it was an ACL problem: I don’t know why, but this particular group was missing host manage rights. After I set this one ACL, all pending VMs booted normally.

So, a simple solution:

  1. Create a public internet-connected VNet and set Other - Use rights for each VM template and VM image you’d like to make available to customers.

  2. Create a group for each customer.

  3. Create a VNet (or many).

  4. Remove customer’s group from Default VDC.

  5. Create a VDC and assign customer’s group there.

  6. Remove the default cluster (to prevent customers from seeing all cluster VNets) from the VDC.

  7. Assign all hosts, the public VNet and all of the customer’s own VNets, and all datastores to the VDC.

  8. Be happy with the isolated resources the customer has.

P.S. I hope I correctly understood your question and problem. And thanks a lot again for your help with Luminous user rights leading to VM image errors on the ceph-users mailing list! :)

BR,
Vladimir
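The step that bit Vladimir above (a group with a VDC but no host MANAGE rule, leaving VMs in Pending) can be checked mechanically. The following is an added example, not code from the thread or from OpenNebula: it parses ACL rules written in the "SUBJECT RESOURCE RIGHTS [ZONE]" string form that `oneacl create` accepts, and reports the hosts on which a group lacks HOST MANAGE; all rules, ids and objects in it are constructed.

```python
# Added example (not from the thread): evaluate OpenNebula ACL rule strings
# for one group and report hosts missing the HOST MANAGE right.
# All rules, ids and objects below are constructed for illustration.

def parse_rule(rule):
    """Split one ACL rule string into subject, resource types, selector, rights and zone."""
    parts = rule.split()
    if len(parts) == 3:
        parts.append("*")  # a rule without a zone field applies to all zones
    subject, resource, rights, zone = parts
    types, _, selector = resource.partition("/")
    return {"subject": subject, "types": set(types.split("+")),
            "selector": selector or "*", "rights": set(rights.split("+")), "zone": zone}

def subject_matches(subject, uid, gids):
    """'*' matches everyone, '#uid' one user, '@gid' every member of a group."""
    if subject == "*":
        return True
    return int(subject[1:]) == uid if subject[0] == "#" else int(subject[1:]) in gids

def selector_matches(selector, obj):
    """'*' any object, '#id' one object, '@gid' objects owned by a group, '%cid' objects in a cluster."""
    if selector == "*":
        return True
    kind, value = selector[0], int(selector[1:])
    return (value == obj["id"] if kind == "#" else
            value == obj["gid"] if kind == "@" else value in obj["clusters"])

def is_authorized(rules, uid, gids, rtype, right, obj, zone_id):
    """True if any rule grants `right` on `obj` of type `rtype` (oneadmin bypasses ACLs entirely)."""
    for r in map(parse_rule, rules):
        if (rtype in r["types"] and right in r["rights"]
                and subject_matches(r["subject"], uid, gids)
                and selector_matches(r["selector"], obj)
                and (r["zone"] == "*" or int(r["zone"][1:]) == zone_id)):
            return True
    return False

def hosts_missing_manage(rules, gid, hosts, zone_id=0):
    """Ids of hosts on which members of group `gid` lack HOST MANAGE, so their VMs stay Pending."""
    return [h["id"] for h in hosts
            if not is_authorized(rules, None, {gid}, "HOST", "MANAGE", h, zone_id)]

# Constructed: the VDC gave group 100 its VNet and datastore but no host rule.
VDC_RULES = ["@100 NET/#17 USE #0", "@100 DATASTORE/#1 USE #0"]
HOSTS = [{"id": 3, "gid": 0, "clusters": {0}}]
if __name__ == "__main__":
    print(hosts_missing_manage(VDC_RULES, 100, HOSTS))                               # [3]
    print(hosts_missing_manage(VDC_RULES + ["@100 HOST/#3 MANAGE #0"], 100, HOSTS))  # []
```

A cluster-wide rule such as `@100 HOST/%0 MANAGE #0` (what adding a whole cluster to a VDC produces) also clears the list, which is why step 6 and step 7 together decide whether the VMs can be scheduled.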


(Miljan Arandjelovic) #5

Hi,
I removed the default cluster from the default VDC and after that I can no longer login to sunstone with the oneadmin username or any other user name I created.

After `systemctl restart opennebula.service`, here’s what the log file looks like:
oneadmin@server01:~$ tail -f /var/log/one/oned.log | grep '[AuM]'
Thu Sep 27 11:21:09 2018 [Z0][AuM][I]: Stopping Authorization Manager…
Thu Sep 27 11:21:10 2018 [Z0][AuM][I]: Authorization Manager stopped.
tail: /var/log/one/oned.log: file truncated
Thu Sep 27 11:21:10 2018 [Z0][AuM][I]: Starting Auth Manager…
Thu Sep 27 11:21:10 2018 [Z0][AuM][I]: Authorization Manager started.
Thu Sep 27 11:21:14 2018 [Z0][AuM][I]: Loading Auth. Manager driver.
Thu Sep 27 11:21:14 2018 [Z0][AuM][I]: Auth Manager loaded
Thu Sep 27 11:21:42 2018 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 0 Authentication driver 'default' not available
Thu Sep 27 11:21:42 2018 [Z0][AuM][E]: Auth Error: Authentication driver 'default' not available

File /etc/one/oned.conf:
[…]
#Auth Manager Configuration
AUTH_MAD = [
EXECUTABLE = "one_auth_mad",
AUTHN = "ssh,x509,ldap,server_cipher,server_x509"
]

#DEFAULT_AUTH = "default"

SESSION_EXPIRATION_TIME = 900

#ENABLE_OTHER_PERMISSIONS = "YES"

DEFAULT_UMASK = 177
[…]

Can you help me with this?
I never changed any authentication. It was all how I installed OpenNebula by default.

BR,

Миљан Аранђеловић


#6

Miljan, sorry to hear you’ve got a problem following my instructions.

> 6. Remove the default cluster (to prevent customers from seeing all cluster VNets) from the VDC.

This means removing the default cluster from the newly created customer’s VDC, not from the default one.

Did you try to add default cluster via command line tools under oneadmin account? Like this:

oneadmin@hostname:~$ onevdc addcluster 0 0 0

This should add the default cluster (with id 0) from zone 0 to the VDC with id 0 (the default VDC).


(Miljan Arandjelovic) #7

Yes, I did that but nothing happens.
$ onevdc show 0
VDC 0 INFORMATION
ID : 0
NAME : default

GROUPS
0
1
100
101
102
103

CLUSTERS
ZONE CLUSTER
0 0

HOSTS
ZONE HOST
0 3

DATASTORES
ZONE DATASTORE
0 0
0 1
0 2

VNETS
ZONE VNET
0 16
0 17
0 18

VDC TEMPLATE
DESCRIPTION="Every new group is added to this VDC. Use it to store default access rules for your groups. NOTE: You may need to remove a group from the default VDC before assigning it to other VDC."

Now I have returned everything as it was.

I wanted to check how VDC works. That’s why I wanted to make a scenario like yours. So I followed your instructions. But I did not understand it well. All in all, for now, I’m learning how everything works in OpenNebula. If I do not find the problem, I’ll have to uninstall everything and install it again.