From 0bb34975395b4ba727c3b61d140c43c27a567030 Mon Sep 17 00:00:00 2001 From: Enol Fernandez Date: Wed, 10 Jan 2024 11:31:55 +0000 Subject: [PATCH] Move user section from AAI --- .../cloud-compute/openstack/_index.md | 77 ++++++++++++++++++- .../cloud-compute/openstack/aai/_index.md | 63 --------------- 2 files changed, 73 insertions(+), 67 deletions(-) diff --git a/content/en/providers/cloud-compute/openstack/_index.md b/content/en/providers/cloud-compute/openstack/_index.md index b4339892cc..259c0f713e 100644 --- a/content/en/providers/cloud-compute/openstack/_index.md +++ b/content/en/providers/cloud-compute/openstack/_index.md 
@@ -79,9 +79,78 @@ The EGI Cloud components require the following outgoing connections open: -## Accounts in OpenStack +## Users -User accounts will be managed by the +### Local Users + +In order to get accounting information from your OpenStack, cASO needs to be run +with a user that is a member of the projects to extract accoutning information +from and it's allowed to access `identity:list_users` and +`identity:list_projects` in Keystone. Check +[cASO documentation](https://caso.readthedocs.io/en/stable/configuration.html#user-credentials-required) +for further information. + +### Federated Users + +Regular user accounts will be managed by the [Federated Identity](https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html) -features of OpenStack. cASO expects to be run with a user that is allowed to -access `identity:list_users` and `identity:list_projects` in Keystone. +features of OpenStack. These users are created into a specific OpenStack domain +for every configured identity provider. All users within the `egi.eu` domain +will have a unique username. For users whose community identity is managed by +Check-in, this identifier is of the form `@egi.eu`. 
The `` +portion is an opaque identifier issued by Check-in, for example: + +```shell +$ openstack domain list ++----------------------------------+----------------------------------+---------+---------------------------------------------------------------+ +| ID | Name | Enabled | Description | ++----------------------------------+----------------------------------+---------+---------------------------------------------------------------+ +| 0125ed0ebc8045a49ed8c34c2a78740d | 0125ed0ebc8045a49ed8c34c2a78740d | True | Auto generated federated domain for Identity Provider: egi.eu | +| default | Default | True | The default domain | ++----------------------------------+----------------------------------+---------+---------------------------------------------------------------+ + +$ openstack user list --domain 0125ed0ebc8045a49ed8c34c2a78740d ++------------------------------------------------------------------+-------------------------------------------------------------------------+ +| ID | Name | ++------------------------------------------------------------------+-------------------------------------------------------------------------+ +| 2c096b11a1410d44e3936fa40479ad26eaa649cfd6887f06b3c6669e5d6c03d0 | efb8534478028XXXXXXXXXXXXXXXfeed9766fafc@sram.surf.nl | +| 933c692b53192e4d893e5ed5c026aa444acb4d75f6ee6c304422861207ce1ea5 | e9c37aa0d1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2867bc43581b835c@egi.eu | +| d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu | ++------------------------------------------------------------------+-------------------------------------------------------------------------+ +``` + +If you have set the email of the user in the mapping, you will be able to also +get this information: + +```shell +$ openstack user show d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c 
++---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Value | ++---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| domain_id | 0125ed0ebc8045a49ed8c34c2a78740d | +| email | XXXX-redacted@example.com | +| enabled | True | +| federated | [{'idp_id': 'egi.eu', 'protocols': [{'protocol_id': 'openid', 'unique_id': '529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907%40egi.eu'}]}] | +| id | d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | +| name | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu | +| options | {} | +| password_expires_at | None | ++---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ +``` + +Every VO has a VO identity card available via the +[Operations Portal](https://operations-portal.egi.eu/vo/a/list), where you can +also get contact information for the VO managers. + +VMs created by +[EGI's Infrastructure Manager](../../../users/compute/orchestration/im/) have +additional metadata properties that can help to identify the workload: + +```shell +$ openstack server show 0f3e1420-4480-4bea-95f1-9920a70b324d -c properties -f yaml +properties: + eu.egi.cloud.orchestrator: es.upv.grycap.im + eu.egi.cloud.orchestrator.id: 0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf + eu.egi.cloud.orchestrator.url: https://appsgrycap.i3m.upv.es:31443/im + eu.egi.cloud.orchestrator.user: __OPENID__XXXXXXredacted +``` diff --git a/content/en/providers/cloud-compute/openstack/aai/_index.md b/content/en/providers/cloud-compute/openstack/aai/_index.md index c711466712..c8828351a6 100644 
--- a/content/en/providers/cloud-compute/openstack/aai/_index.md +++ b/content/en/providers/cloud-compute/openstack/aai/_index.md 
@@ -611,66 +611,3 @@ reconfiguration request through the Once `ops` VO is working, you can include any further VOs you want to support as documented in the [VO Configuration guide](../vo-config). - -## User identification - -Federated users are created into a specific OpenStack domain for every -configured identity provider. All users within the egi.eu domain will have a -unique username. For users whose community identity is managed by Check-in, this -identifier is of the form `@egi.eu`. The `` portion is an -opaque identifier issued by Check-in, for example: - -```shell -$ openstack domain list -+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+ -| ID | Name | Enabled | Description | -+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+ -| 0125ed0ebc8045a49ed8c34c2a78740d | 0125ed0ebc8045a49ed8c34c2a78740d | True | Auto generated federated domain for Identity Provider: egi.eu | -| default | Default | True | The default domain | -+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+ - -$ openstack user list --domain 0125ed0ebc8045a49ed8c34c2a78740d -+------------------------------------------------------------------+-------------------------------------------------------------------------+ -| ID | Name | -+------------------------------------------------------------------+-------------------------------------------------------------------------+ -| 2c096b11a1410d44e3936fa40479ad26eaa649cfd6887f06b3c6669e5d6c03d0 | efb8534478028XXXXXXXXXXXXXXXfeed9766fafc@sram.surf.nl | -| 933c692b53192e4d893e5ed5c026aa444acb4d75f6ee6c304422861207ce1ea5 | e9c37aa0d1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2867bc43581b835c@egi.eu | -| d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | 
529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu | -+------------------------------------------------------------------+-------------------------------------------------------------------------+ -``` - -If you have set the email of the user in the mapping, you will be able to also -get this information: - -```shell -$ openstack user show d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c -+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Value | -+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| domain_id | 0125ed0ebc8045a49ed8c34c2a78740d | -| email | XXXX-redacted@example.com | -| enabled | True | -| federated | [{'idp_id': 'egi.eu', 'protocols': [{'protocol_id': 'openid', 'unique_id': '529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907%40egi.eu'}]}] | -| id | d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | -| name | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu | -| options | {} | -| password_expires_at | None | -+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+ -``` - -Every VO has a VO identity card available via the -[Operations Portal](https://operations-portal.egi.eu/vo/a/list), where you can -also get contact information for the VO managers. 
- -VMs created by -[EGI's Infrastructure Manager](../../../users/compute/orchestration/im/) have -additional metadata properties that can help to identify the workload: - -```shell -$ openstack server show 0f3e1420-4480-4bea-95f1-9920a70b324d -c properties -f yaml -properties: - eu.egi.cloud.orchestrator: es.upv.grycap.im - eu.egi.cloud.orchestrator.id: 0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf - eu.egi.cloud.orchestrator.url: https://appsgrycap.i3m.upv.es:31443/im - eu.egi.cloud.orchestrator.user: __OPENID__XXXXXXredacted -```
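Review bot: in the hunk for `openstack/_index.md`, the new "Local Users" paragraph has a typo and a grammar slip: "accoutning information" should be "accounting information", and "and it's allowed to access" should be "and is allowed to access". In the "Federated Users" text the identifier format reads "of the form `@egi.eu`. The `` portion", with nothing before `@egi.eu` and an empty code span, so please check that the placeholder name is present and renders. The relative link `../../../users/compute/orchestration/im/` is carried over unchanged from `aai/_index.md`, which sits one directory deeper, so confirm it resolves from the new location. Since this section now documents the cASO account, it would also help to say whether a dedicated account limited to `identity:list_users` and `identity:list_projects` is expected rather than an admin user.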
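Review bot: in the hunk for `aai/_index.md`, removing the "## User identification" heading drops that anchor from the AAI page without leaving anything behind, so existing links to it will land on a page that no longer has the content. Consider keeping a one-line pointer after the "VO Configuration guide" paragraph that sends readers to the new "Users" section of the parent OpenStack page, and check the rest of the docs for references to the old heading. The same check applies to the "Accounts in OpenStack" heading that the other hunk renames to "Users".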