OSM Multi-tenancy: Difference between revisions

From OSM Public Wiki
mNo edit summary
Line 5: Line 5:
* Create the required users and projects in SO, assigning the required privileges.
* Create the required users and projects in SO, assigning the required privileges.
* Map each SO project with a new RO tenant, with its corresponding VIMs.
* Map each SO project with a new RO tenant, with its corresponding VIMs.
* [Optional] Create a separate Juju controller for each SO project.
* Map each SO project with the existing config-agent, or create a separate Juju controllers for each SO project.
 


==Prerequisites==
==Prerequisites==
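Review bot: The rewritten fourth bullet reads "create a separate Juju controllers", which should be "create a separate Juju controller". The bullet also offers reusing the existing config-agent and creating a per-project controller as interchangeable options, without saying what separates them. A short clause on when a project needs its own controller would help, since the section that would cover it is still marked as work in progress.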
Line 47: Line 46:
  ...
  ...


==Managing SO Projects==
==Managing SO Projects and Users==
 
1. From the UI, go to Administration --> User Management, and clic on Add User.  Fill the form with the name of the users created at the previous stage, making sure to specify 'localhost' in the 'DOMAIN' field.
 
[[File:Multitenancy user mgmt.png |600px| Multitenancy user mgmt]]
 
2. Next, go to Administration --> Project Management, and clic on Add Project. 


From the UI, go to Administration --> User Management, and clic on Add User.   
Put a name, an optional description, and add users to it (from the 'localhost' domain) using the dropdown below.   


Fill the form with the users created at the previous stage, making sure to specify 'localhost' in the 'DOMAIN' field.
For each user, specify a role.  If the user needs all privileges over this project only, the role 'rw-project:project-admin' should suffice.


[[File:Multitenancy user mgmt.png |600px| Multitenancy user mgmt]]
[[File:Multitenancy project mgmt.png |600px| Multitenancy project mgmt]]
 
At this point, you can already login to the UI using the new users' credentials, the project's name will appear at the upper right corner.


==Managing RO Tenants==
==Managing RO Tenants==
1. Go to the RO container and create a new tenant.  Take note of the tenant ID.
openmano tenant-create tenant_a
2. If a datacenter needs to be added at any point, be sure to do it from RO, by setting the tenant as an evironment variable first.
export OPENMANO_TENANT=tenant_a
openmano datacenter-create ...
openmano datacenter-attach ...
An example on how to create datacenters/VIMs from RO, can be found at the following links:
* [[Openstack_configuration_(Release_THREE)#Adding directly in the RO|OpenStack]]
* [[Configuring VMware vCloud Director for OSM Release THREE#Add vCloud at OSM|VMWare]]
* [[Configuring_AWS_for_OSM_Release_THREE#Add AWS to OSM|AWS]]
3. Go to the UI with the new user, and from the 'Accounts' tab, create and configure the new RO tenant.
[[File:Multitenancy ro mgmt.png |600px| Multitenancy RO mgmt]]
At this point, new NS/VNFs can be instantiated from this tenant.
==Associating new SO Projects to VCA==
In simple scenarios, a single Juju controller instance can be shared by multiple SO Projects. 
Using the Juju config-agent credentials obtained before (as specified in the prerequisites section), create a new 'Config Agent' Account to associate the existing Juju controller.
The Juju controller IP address can be obtained by accesing VCA container and listing the LXC containers (machine name ending in '0' (zero) is the juju controller)
root@VCA:~# lxc list
[[File:Multitenancy_juju_mgmt.png |600px| Multitenancy juju mgmt]]


==Working with multiple Juju controllers==
==Working with multiple Juju controllers==
Even though multiple SO projects can share a single Juju con




[work in progress]
[work in progress]
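Review bot: In the new "Associating new SO Projects to VCA" section, every project's 'Config Agent' account is created with the same config-agent credentials retrieved in the prerequisites, so all projects end up holding the one Juju controller password. The text should say so explicitly and point readers who need per-project separation at the multiple-controllers section. That section currently stops mid-sentence at "share a single Juju con" and should be completed or removed. Smaller points in the added lines: "clic" should be "click", "evironment" should be "environment", and "accesing" should be "accessing".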

Revision as of 20:10, 26 January 2018

This is an experimental feature that allows a single instance of OSM to be used for a set of different projects and users. Full support will be available in Release FOUR.

The required steps are:

  • Enable PAM authentication at SO, to support multiple users.
  • Create the required users and projects in SO, assigning the required privileges.
  • Map each SO project with a new RO tenant, with its corresponding VIMs.
  • Map each SO project with the existing config-agent, or create a separate Juju controller for each SO project.

Prerequisites

Since all the existing data will be cleared from SO as part of enabling PAM authentication, be sure to:

1. Back up any relevant descriptors.

2. Delete any existing instances.

3. Retrieve the current config-agent password, using the OSM client:

osm config-agent list

Enabling PAM authentication

PAM can use a local user database as well as external ones, such as LDAP. This example covers the interaction with a local user database only.

1. Edit /usr/rift/etc/default/launchpad, replacing "--start-auth-svc" with "--start-pam-svc"

...
# set this to any options you want passed to launchpad.py
LP_OPTS=" --start-pam-svc "
...

2. Clear the existing SO configuration. Please note that this will delete all the data (descriptors, accounts, instances, etc.)

rm -rf /usr/rift/var/rift

3. Restart the service

systemctl stop launchpad
systemctl start launchpad

4. Create the local user database inside the SO container

adduser user_a
...
adduser user_b
...
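
Step 1 above can be done with a guarded edit instead of by hand. The following is an added example, not part of the OSM wiki or the OSM code base; the function name enable_pam_svc and the ".pre-pam.bak" backup suffix are assumptions, while the default path and both flags are the ones given in step 1. It only edits the file: steps 2 to 4 are still run as written above.

```shell
#!/bin/sh
# Added example, not from the OSM wiki. enable_pam_svc and the ".pre-pam.bak"
# suffix are assumed names; the default path and both flags come from step 1.

enable_pam_svc() {
    _f="${1:-/usr/rift/etc/default/launchpad}"
    [ -f "$_f" ] || { echo "missing file: $_f" >&2; return 2; }

    # Already on PAM: do nothing, so the function is safe to re-run.
    if grep -q '^[[:space:]]*LP_OPTS=.*--start-pam-svc' "$_f"; then
        echo "unchanged"; return 0
    fi
    # Refuse to edit unless the flag is on an active (uncommented) LP_OPTS line.
    if ! grep -q '^[[:space:]]*LP_OPTS=.*--start-auth-svc' "$_f"; then
        echo "no --start-auth-svc in LP_OPTS: $_f" >&2; return 3
    fi

    # Keep a copy of the original so the change can be reverted.
    cp -p -- "$_f" "$_f.pre-pam.bak" || return 4
    _tmp=$(mktemp) || return 4
    # Rewrite only the LP_OPTS assignment; write back in place to keep mode/owner.
    if sed '/^[[:space:]]*LP_OPTS=/ s/--start-auth-svc/--start-pam-svc/' "$_f" > "$_tmp" \
        && cat "$_tmp" > "$_f"; then
        rm -f "$_tmp"
    else
        rm -f "$_tmp"; return 5
    fi
    echo "changed"
}

# Demo on a constructed copy of the file, so nothing under /usr/rift is touched.
demo_dir=$(mktemp -d)
printf '%s\n' '# set this to any options you want passed to launchpad.py' \
    'LP_OPTS=" --start-auth-svc "' > "$demo_dir/launchpad"
enable_pam_svc "$demo_dir/launchpad"
grep LP_OPTS "$demo_dir/launchpad"
rm -rf "$demo_dir"
```

On the SO container, call enable_pam_svc with no argument to edit the real file.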

Managing SO Projects and Users

1. From the UI, go to Administration --> User Management, and click on Add User. Fill the form with the name of the users created at the previous stage, making sure to specify 'localhost' in the 'DOMAIN' field.

[Image: Multitenancy user mgmt]

2. Next, go to Administration --> Project Management, and click on Add Project.

Put a name, an optional description, and add users to it (from the 'localhost' domain) using the dropdown below.

For each user, specify a role. If the user needs all privileges over this project only, the role 'rw-project:project-admin' should suffice.

[Image: Multitenancy project mgmt]

At this point, you can already log in to the UI using the new users' credentials. The project's name will appear at the upper right corner.

Managing RO Tenants

1. Go to the RO container and create a new tenant. Take note of the tenant ID.

openmano tenant-create tenant_a

2. If a datacenter needs to be added at any point, be sure to do it from RO, by setting the tenant as an environment variable first.

export OPENMANO_TENANT=tenant_a
openmano datacenter-create ...
openmano datacenter-attach ...

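Examples of how to create datacenters/VIMs from RO can be found on the following wiki pages:

  • OpenStack: Openstack_configuration_(Release_THREE), section "Adding directly in the RO"
  • VMware: Configuring VMware vCloud Director for OSM Release THREE, section "Add vCloud at OSM"
  • AWS: Configuring_AWS_for_OSM_Release_THREE, section "Add AWS to OSM"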

3. Go to the UI with the new user, and from the 'Accounts' tab, create and configure the new RO tenant.

[Image: Multitenancy RO mgmt]

At this point, new NS/VNFs can be instantiated from this tenant.

Associating new SO Projects to VCA

In simple scenarios, a single Juju controller instance can be shared by multiple SO Projects.

Using the Juju config-agent credentials obtained before (as specified in the prerequisites section), create a new 'Config Agent' Account to associate the existing Juju controller.

The Juju controller IP address can be obtained by accessing the VCA container and listing the LXC containers (the machine whose name ends in '0' (zero) is the Juju controller):

root@VCA:~# lxc list

[Image: Multitenancy juju mgmt]

Working with multiple Juju controllers

Even though multiple SO projects can share a single Juju con


[work in progress]