Move user section from AAI
enolfc committed Jan 10, 2024
1 parent e7ffca2 commit 0bb3497
Showing 2 changed files with 73 additions and 67 deletions.
77 changes: 73 additions & 4 deletions content/en/providers/cloud-compute/openstack/_index.md
Expand Up @@ -79,9 +79,78 @@ The EGI Cloud components require the following outgoing connections open:

<!-- markdownlint-enable line-length -->

## Accounts in OpenStack
## Users

User accounts will be managed by the
### Local Users

In order to get accounting information from your OpenStack, cASO needs to be run
with a user that is a member of the projects to extract accoutning information
from and it's allowed to access `identity:list_users` and
`identity:list_projects` in Keystone. Check
[cASO documentation](https://caso.readthedocs.io/en/stable/configuration.html#user-credentials-required)
for further information.

### Federated Users

Regular user accounts will be managed by the
[Federated Identity](https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html)
features of OpenStack. cASO expects to be run with a user that is allowed to
access `identity:list_users` and `identity:list_projects` in Keystone.
features of OpenStack. These users are created into a specific OpenStack domain
for every configured identity provider. All users within the `egi.eu` domain
will have a unique username. For users whose community identity is managed by
Check-in, this identifier is of the form `<uniqueID>@egi.eu`. The `<uniqueID>`
portion is an opaque identifier issued by Check-in, for example:

```shell
$ openstack domain list
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| 0125ed0ebc8045a49ed8c34c2a78740d | 0125ed0ebc8045a49ed8c34c2a78740d | True | Auto generated federated domain for Identity Provider: egi.eu |
| default | Default | True | The default domain |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+

$ openstack user list --domain 0125ed0ebc8045a49ed8c34c2a78740d
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| ID | Name |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| 2c096b11a1410d44e3936fa40479ad26eaa649cfd6887f06b3c6669e5d6c03d0 | [email protected] |
| 933c692b53192e4d893e5ed5c026aa444acb4d75f6ee6c304422861207ce1ea5 | e9c37aa0d1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2867bc43581b835c@egi.eu |
| d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
```

If you have set the email of the user in the mapping, you will be able to also
get this information:

```shell
$ openstack user show d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| domain_id | 0125ed0ebc8045a49ed8c34c2a78740d |
| email | [email protected] |
| enabled | True |
| federated | [{'idp_id': 'egi.eu', 'protocols': [{'protocol_id': 'openid', 'unique_id': '529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907%40egi.eu'}]}] |
| id | d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c |
| name | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
| options | {} |
| password_expires_at | None |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
```

Every VO has a VO identity card available via the
[Operations Portal](https://operations-portal.egi.eu/vo/a/list), where you can
also get contact information for the VO managers.

VMs created by
[EGI's Infrastructure Manager](../../../users/compute/orchestration/im/) have
additional metadata properties that can help to identify the workload:

```shell
$ openstack server show 0f3e1420-4480-4bea-95f1-9920a70b324d -c properties -f yaml
properties:
eu.egi.cloud.orchestrator: es.upv.grycap.im
eu.egi.cloud.orchestrator.id: 0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf
eu.egi.cloud.orchestrator.url: https://appsgrycap.i3m.upv.es:31443/im
eu.egi.cloud.orchestrator.user: __OPENID__XXXXXXredacted
```
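Review bot: the new "Local Users" paragraph has a typo and a grammar slip that should be fixed before merging: "accoutning information" should read "accounting information", and "and it's allowed to access `identity:list_users`" should read "and is allowed to access `identity:list_users`". Since this account is granted `identity:list_users` and `identity:list_projects` in Keystone and membership of every project being accounted, it is worth adding one sentence recommending a dedicated service account carrying only the role needed for those two policies (not an admin account), so a leak of the cASO credentials does not expose more than the accounting data it is meant to read.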
63 changes: 0 additions & 63 deletions content/en/providers/cloud-compute/openstack/aai/_index.md
Expand Up @@ -611,66 +611,3 @@ reconfiguration request through the

Once `ops` VO is working, you can include any further VOs you want to support as
documented in the [VO Configuration guide](../vo-config).

## User identification

Federated users are created into a specific OpenStack domain for every
configured identity provider. All users within the egi.eu domain will have a
unique username. For users whose community identity is managed by Check-in, this
identifier is of the form `<uniqueID>@egi.eu`. The `<uniqueID>` portion is an
opaque identifier issued by Check-in, for example:

```shell
$ openstack domain list
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| 0125ed0ebc8045a49ed8c34c2a78740d | 0125ed0ebc8045a49ed8c34c2a78740d | True | Auto generated federated domain for Identity Provider: egi.eu |
| default | Default | True | The default domain |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
$ openstack user list --domain 0125ed0ebc8045a49ed8c34c2a78740d
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| ID | Name |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| 2c096b11a1410d44e3936fa40479ad26eaa649cfd6887f06b3c6669e5d6c03d0 | [email protected] |
| 933c692b53192e4d893e5ed5c026aa444acb4d75f6ee6c304422861207ce1ea5 | e9c37aa0d1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2867bc43581b835c@egi.eu |
| d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
```

If you have set the email of the user in the mapping, you will be able to also
get this information:

```shell
$ openstack user show d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| domain_id | 0125ed0ebc8045a49ed8c34c2a78740d |
| email | [email protected] |
| enabled | True |
| federated | [{'idp_id': 'egi.eu', 'protocols': [{'protocol_id': 'openid', 'unique_id': '529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907%40egi.eu'}]}] |
| id | d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c |
| name | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
| options | {} |
| password_expires_at | None |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
```

Every VO has a VO identity card available via the
[Operations Portal](https://operations-portal.egi.eu/vo/a/list), where you can
also get contact information for the VO managers.

VMs created by
[EGI's Infrastructure Manager](../../../users/compute/orchestration/im/) have
additional metadata properties that can help to identify the workload:

```shell
$ openstack server show 0f3e1420-4480-4bea-95f1-9920a70b324d -c properties -f yaml
properties:
eu.egi.cloud.orchestrator: es.upv.grycap.im
eu.egi.cloud.orchestrator.id: 0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf
eu.egi.cloud.orchestrator.url: https://appsgrycap.i3m.upv.es:31443/im
eu.egi.cloud.orchestrator.user: __OPENID__XXXXXXredacted
```

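Review bot: removing the `## User identification` heading from `aai/_index.md` breaks any inbound links to its `#user-identification` anchor; please search the rest of the documentation (including the VO Configuration guide referenced just above the removed block) for links to that anchor and retarget them to the new `### Federated Users` section in `openstack/_index.md`. The moved text is otherwise identical to the original apart from `egi.eu` now being set in backticks, so no content is lost by this deletion.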
0 comments on commit 0bb3497