[Openstack] per-user quota keystone user database is LDAP based ?
Jacques LANDRU
landru at telecom-lille.fr
Mon Jan 13 16:12:09 UTC 2014
Thank you Adam for this answer.
Another easier (better?) approach would be to have one tenant per user, setting the default instance quota for all tenants to 1 (using the nova quota-defaults command).
As users and tenants can be managed by LDAP in Havana, binding the default tenant of each user to his own tenant could be LDAP driven.
Jacques Landru
----- Original Message -----
From: "Adam Young" <ayoung at redhat.com>
To: "Jacques LANDRU" <landru at telecom-lille.fr>
Sent: Monday 13 January 2014 15:59:39
Subject: Re: [Openstack] per-user quota keystone user database is LDAP based ?
On 01/10/2014 12:16 PM, Jacques LANDRU wrote:
Hi,
I have some questions about instance quota, and instance access authorization.
Openstack version is Havana (nova --version 2.15.0, keystone --version 0.3.2)
I plan to use a small openstack project/tenant as an online virtual computer lab room.
The project/tenant instance quota will be limited to 12 or 24 instances (as in a real lab room, there are 12 or 24 workstations).
The Keystone user database will point to our LDAP server where student posixAccounts are managed. The number of potential users is around 800 (maybe several thousand in the future when Keystone becomes SAML/Shibboleth compatible).
A user will be restricted to 1 instance at a time, as in a real lab room a student can use 1 workstation at a time.
The main idea is:
- each student can access the online lab room to launch an instance chosen among a small set of pre-defined images or flavors,
- when the tenant instance quota is reached, the lab room is full, and other students will have to wait until one or more instances are freed by their owners.
Two questions:
1) Is there a simple way to set per-user default instance quota to 1 and tenant instance quota to 12 ?
Quotas are not held in Keystone, so I don't know if you can get Quota data from LDAP to Nova without a script.
<blockquote>
2) how can I restrict instance access (console, reboot command,...) only to the owner of that instance ?
</blockquote>
You can't, RBAC is at Project/tenant granularity only. So unless each VM is in a separate project, others can reboot.
<blockquote>
Some ideas ?
Regards.
-----oOo-----
Jacques Landru
mel: landru~hat~telecom-lille.fr
tel: +33 (0)3 2033 5556
fax: +33 (0)3 2033 5598
Telecom Lille
Cite scientifique, rue G. Marconi, BP20145
59653 VILLENEUVE D'ASCQ Cedex
web: http://www.telecom-lille.fr
Tel: +33 (0)3 2033 5577
Fax: +33 (0)3 2033 5599
-----oOo-----
</blockquote>
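The one-tenant-per-user approach sketched in the reply above, as an added example (not the authors' own commands): because Nova RBAC stops at project granularity, giving each LDAP user a personal tenant is what actually prevents other students from rebooting or consoling into an instance they do not own. It assumes Havana-era keystone and nova CLIs with OS_* credentials exported, a role named "Member" (assumption; adjust to your deployment), and that the LDAP uid is unique; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: per-user tenants with a default instance quota of 1.
# Assumptions: Havana keystone/nova CLIs, OS_* variables already exported,
# a "Member" role (override with MEMBER_ROLE), unique LDAP uids.

# run prints the command when DRY_RUN is set, otherwise executes it,
# so the steps can be reviewed before touching the cloud.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: make the default quota class allow a single instance, so every
# newly created personal tenant inherits instances=1 without a per-tenant
# quota-update call.
set_default_instance_quota() {
    run nova quota-class-update --instances "${1:-1}" default
}

# Step 2: give one LDAP user a tenant of his own and the Member role in it.
# The tenant name is derived from the uid (assumption: uid is unique).
create_user_tenant() {
    uid="$1"
    tenant="lab-${uid}"
    run keystone tenant-create --name "$tenant" --description "Personal lab tenant for $uid"
    run keystone user-role-add --user "$uid" --role "${MEMBER_ROLE:-Member}" --tenant "$tenant"
}

# Step 3: the shared lab-room tenant keeps the classroom-sized limit
# (12 or 24 instances) explicitly, overriding the default of 1.
set_lab_room_quota() {
    run nova quota-update --instances "$2" "$1"
}

# Typical use (uids constructed for illustration):
#   DRY_RUN=1 . ./per_user_tenants.sh
#   set_default_instance_quota 1
#   for uid in alice bob; do create_user_tenant "$uid"; done
#   set_lab_room_quota <labroom_tenant_id> 12
```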