Users and Groups
HyperCX includes a complete user and group management system. Users in a HyperCX infrastructure are classified into four types:
- Administrators: an admin user belongs to an admin group (oneadmin or otherwise) and can perform manage operations.
- Regular users: may access most HyperCX functionality.
- Public users: only basic functionality (and public interfaces) are open to public users.
- Service users: a service user account is used by the HyperCX services (i.e. cloud APIs like EC2 or GUIs like the Web Portal) to proxy auth requests.
The resources a user may access in HyperCX are controlled by a permissions system that resembles the typical UNIX one. By default, only the owner of a resource (e.g. a VM or an image) can use and manage it. Users can easily share resources by granting use or manage permissions to other users in their group or to any other user in the system. Upon group creation, an associated admin user can be created. By default this user will be able to create users in the new group and manage non-owned resources of the group through the HyperCX portal. The group can also be assigned to a VDC, which is basically a pool of HyperCX physical resources (hosts, datastores and virtual networks).
Along with users and groups, the Auth Subsystem is responsible for authentication and authorization of users' requests. Each operation generates an authorization request that is checked against the registered ACL rules. The core can then grant permission or reject the request. HyperCX comes with a default set of ACL rules that enables standard usage. You don't need to manage the ACL rules unless you need the level of permission customization they offer.
HyperCX supports user accounts and groups. This guide shows how to manage users; groups are explained in their own guide. To manage user rights, visit the Managing ACL Rules guide. A user in HyperCX is defined by a username and password. HyperCX users are authenticated using a session string included in every operation, which is checked by the HyperCX core.
Each user has a unique ID, and belongs to a group. After acquiring a HyperCX cluster, two administrative accounts will exist by default, oneadmin and serveradmin; and two default groups.
Adding and Deleting Users
User accounts within the HyperCX system are managed by oneadmin or a group administrator using the web portal.
To create a new user:
- Go to System > Users > ADD User.
- Set the username and password.
- Authentication should be set to core.
- Select the main group, and a secondary group only if the user should belong to two groups.
Existing users can be seen in System > Users.
The serveradmin and oneadmin accounts are internal accounts required for the cluster. Do not delete them.
A group in HyperCX makes it possible to isolate users and resources. A user can optionally see and use the shared resources from other users belonging to the same group. The group is an authorization boundary for the users, but you can also partition your cloud infrastructure and define what resources are available to each group using Virtual Data Centers (VDC).
Adding and Deleting Groups
There are two special groups created by default. The oneadmin group allows any user in it to perform any operation, allowing different users to act with the same privileges as the oneadmin user. The users group is the default group where new unprivileged users are created. To create new groups:
- Click System > Groups > ADD Groups.
- Set the name of the group.
- Choose the view for the group.
- To create an administrator for the group, check "Create an administrator user".
- You can also allow members of the group to see the VMs of other members, and manage the access rights of the group.
Managing Groups and Virtual Resources
You can make the following virtual resources available to group users:
- Virtual Machine Templates
- Files & Kernels
To make a virtual resource owned by oneadmin available to users of the new group, you have two options:
- Change the resource group, and give it GROUP USE permissions. This will make the resource available only to users in that group. The recommended practice for assigning golden resources to groups is to first clone the resource and then assign the clone to the desired group for its users' consumption.
- Leave the resource in the oneadmin group, and give it OTHER USE permissions. This will make the resource available to every user in HyperCX.
When a new group is created, the cloud administrator can define whether the users of this group will be allowed to view the VMs and Services of other users in the same group. If this option is checked, a new ACL rule will be created to give users in this group access to the VMs and Services in the same group. Users will not be able to manage these resources, but the resources will be included in the list views of each resource type.
Most HyperCX resources have associated permissions for the owner, for users in the group, and for others. For each of these scopes, there are three rights that can be set: USE, MANAGE and ADMIN. These permissions are very similar to those of the UNIX file system.
The resources with associated permissions are VMs, Templates, Images and Virtual Networks. The exceptions are Users, Groups and Hosts.
In general these rights are associated with the following operations:
- USE: Operations that do not modify the resource like listing it or using it (e.g. using an image or a virtual network). Typically you will grant USE rights to share your resources with other users of your group or with the rest of the users.
- MANAGE: Operations that modify the resource like stopping a virtual machine, changing the persistent attribute of an image or removing a lease from a network. Typically you will grant MANAGE rights to users that will manage your own resources.
- ADMIN: Special operations that are typically limited to administrators, like updating the data of a host or deleting a user group. Typically you will grant ADMIN permissions to those users with an administrator role.
As an example, the following parameters define the operations associated to the ADMIN, MANAGE and USE permissions in the VMs:
- VM_ADMIN_OPERATIONS = "migrate, delete, recover, retry, deploy, resched"
- VM_MANAGE_OPERATIONS = "undeploy, hold, release, stop, suspend, resume, reboot, poweroff, disk-attach, nic-attach, disk-snapshot, terminate, disk-resize, snapshot, updateconf, rename, resize, update, disk-saveas"
- VM_USE_OPERATIONS = "" (for this resource, this set is empty)
Note that some VM operations require additional permissions on other objects. Also some operations refer to a class of actions:
- disk-snapshot: includes the create, delete and revert actions
- disk-attach: includes the attach and detach actions
- nic-attach: includes the attach and detach actions
- snapshot: includes the create, delete and revert actions
- resched: includes the resched and unresched actions
Primary and Secondary Groups
Users assigned to more than one group will see the resources from all their groups. For example, a user in the groups testing and production will see VMs from both groups. Users can change their primary group to any of their secondary groups without the intervention of an administrator.
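The following is an added example, not HyperCX's own code, that models the permission check described in the sections above: each VM operation is mapped to the right it requires using the VM_ADMIN_OPERATIONS and VM_MANAGE_OPERATIONS lists and the operation classes, then the OWNER, GROUP and OTHER bits of the VM are consulted, with GROUP applying when the VM's group is any of the user's primary or secondary groups. The users, the VM, the permission bits and the "class-action" names for sub-actions are all constructed for the example.

```python
# Added example (not HyperCX code): owner/group/other permission check for VM
# operations. All users, VMs and permission bits below are constructed.
from dataclasses import dataclass

# Right required by each VM operation, from the page's VM_*_OPERATIONS lists.
# VM_USE_OPERATIONS is empty for VMs, so read-only access (listing the VM)
# is what the USE right covers here.
VM_ADMIN_OPERATIONS = {"migrate", "delete", "recover", "retry", "deploy", "resched"}
VM_MANAGE_OPERATIONS = {
    "undeploy", "hold", "release", "stop", "suspend", "resume", "reboot",
    "poweroff", "disk-attach", "nic-attach", "disk-snapshot", "terminate",
    "disk-resize", "snapshot", "updateconf", "rename", "resize", "update",
    "disk-saveas",
}

# Operation classes from the page; a sub-action inherits the right of its class.
# The "<class>-<action>" naming is a convention constructed for this example.
OPERATION_CLASSES = {
    "disk-snapshot": ("create", "delete", "revert"),
    "disk-attach": ("attach", "detach"),
    "nic-attach": ("attach", "detach"),
    "snapshot": ("create", "delete", "revert"),
    "resched": ("resched", "unresched"),
}
SUBACTION_TO_CLASS = {
    f"{cls}-{action}": cls
    for cls, actions in OPERATION_CLASSES.items()
    for action in actions
}


@dataclass(frozen=True)
class User:
    name: str
    primary_group: str
    secondary_groups: frozenset = frozenset()

    @property
    def groups(self) -> set:
        # A user sees and uses resources from all groups, primary and secondary.
        return {self.primary_group, *self.secondary_groups}


@dataclass(frozen=True)
class VM:
    owner: str
    group: str
    # Permission bits per scope, e.g. {"OWNER": {"USE", "MANAGE"}, "GROUP": {"USE"}}
    perms: dict


def required_right(operation: str) -> str:
    """Map an operation (or a sub-action of a class) to USE, MANAGE or ADMIN."""
    op_class = SUBACTION_TO_CLASS.get(operation, operation)
    if op_class in VM_ADMIN_OPERATIONS:
        return "ADMIN"
    if op_class in VM_MANAGE_OPERATIONS:
        return "MANAGE"
    return "USE"


def applicable_scopes(user: User, vm: VM) -> list:
    """OTHER always applies; GROUP if the VM's group is one of the user's groups;
    OWNER if the user owns the VM."""
    scopes = ["OTHER"]
    if vm.group in user.groups:
        scopes.append("GROUP")
    if vm.owner == user.name:
        scopes.append("OWNER")
    return scopes


def is_authorized(user: User, vm: VM, operation: str) -> bool:
    """Allow the operation if any applicable scope grants the right it requires."""
    # Members of the oneadmin group can perform any operation (stated on the page).
    if "oneadmin" in user.groups:
        return True
    right = required_right(operation)
    return any(right in vm.perms.get(scope, set()) for scope in applicable_scopes(user, vm))


if __name__ == "__main__":
    vm = VM(owner="alice", group="testing",
            perms={"OWNER": {"USE", "MANAGE"}, "GROUP": {"USE"}, "OTHER": set()})
    alice = User("alice", "testing")
    bob = User("bob", "production", frozenset({"testing"}))   # testing is secondary
    carol = User("carol", "users")
    admin = User("root", "oneadmin")
    for user, op in [(alice, "stop"), (alice, "migrate"), (bob, "list"),
                     (bob, "stop"), (carol, "list"), (admin, "migrate")]:
        print(f"{user.name:6} {op:8} -> {is_authorized(user, vm, op)}")
```

Running the block shows that the owner can stop the VM but not migrate it (ADMIN is not granted to OWNER), that bob sees the VM only because testing is one of his secondary groups, and that carol, who shares no group with the VM and has no OTHER rights, gets nothing.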
This guide will show you how to set the usage quotas for users and groups.
The quota system tracks user and group usage of system resources, and allows the system administrator to set limits on the usage of these resources. Quota limits can be set for:
- Users, to individually limit the usage made by a given user.
- Groups, to limit the overall usage made by all the users in a given group.
Which resources can be limited?
The quota system allows you to track and limit usage on:
- Datastores, to control the amount of storage capacity allocated to each user/group for each datastore.
- Compute, to limit the overall memory, CPU or number of VM instances.
- Network, to limit the number of IPs a user/group can get from a given network. This is especially interesting for networks with public IPs, which are usually a limited resource.
- Images, to limit how many VM instances from a given user/group are using a given image. You can take advantage of this quota when the image contains consumable resources (e.g. software licenses).
The following table explains the attributes needed to set each quota:

| Quota | Attribute | Description |
|---|---|---|
| Datastore | ID | ID of the Datastore to set the quota for |
| Datastore | SIZE | Maximum size in MB that can be used in the datastore |
| Datastore | IMAGE | Maximum number of images that can be created in the datastore |
| Compute | VMS | Maximum number of VMs that can be created |
| Compute | MEMORY | Maximum memory in MB that can be requested by user/group VMs |
| Compute | CPU | Maximum CPU capacity that can be requested by user/group VMs |
| Compute | SYSTEM_DISK_SIZE | Maximum size (in MB) of system disks that can be requested by user/group VMs |
| Network | ID | ID of the Network to set the quota for |
| Network | LEASES | Maximum IPs that can be leased from the Network |
| Image | ID | ID of the Image to set the quota for |
| Image | RVMS | Maximum VMs that can use this image at the same time |
For each quota, there are two special limits:
- -1: means that the default quota will be used.
- -2: means unlimited.
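The following is an added example, not HyperCX's own code, that shows how the compute quota attributes from the table (VMS, MEMORY, CPU, SYSTEM_DISK_SIZE) and the -1 and -2 special limits combine when a VM request is checked against both the user's and the group's quota. The default quota values, the users, the groups and the request are constructed for the example; the page does not state what the configured default quotas are.

```python
# Added example (not HyperCX code): quota enforcement with the -1 (use default)
# and -2 (unlimited) special limits. All values below are constructed.
from dataclasses import dataclass, field

UNLIMITED = -2     # -2: no limit for this attribute
USE_DEFAULT = -1   # -1: fall back to the configured default quota

# Constructed default quotas; the page says -1 selects "the default quota",
# the concrete numbers here are assumptions for the example.
DEFAULT_USER_QUOTA = {"VMS": 5, "MEMORY": 8192, "CPU": 4, "SYSTEM_DISK_SIZE": 20480}
DEFAULT_GROUP_QUOTA = {"VMS": 20, "MEMORY": 32768, "CPU": 16, "SYSTEM_DISK_SIZE": 102400}


@dataclass
class QuotaHolder:
    """A user or a group with its quota limits and current usage."""
    name: str
    limits: dict                                   # attribute -> limit, -1 or -2
    usage: dict = field(default_factory=dict)      # attribute -> amount in use
    defaults: dict = field(default_factory=dict)   # defaults used for -1 limits

    def effective_limit(self, attr: str) -> int:
        # An attribute with no explicit limit behaves like -1; an attribute with
        # no default either is treated as unlimited.
        limit = self.limits.get(attr, USE_DEFAULT)
        if limit == USE_DEFAULT:
            limit = self.defaults.get(attr, UNLIMITED)
        return limit

    def violations(self, request: dict) -> list:
        """Attributes the request would push over this holder's effective limit."""
        out = []
        for attr, amount in request.items():
            limit = self.effective_limit(attr)
            if limit == UNLIMITED:
                continue
            used = self.usage.get(attr, 0)
            if used + amount > limit:
                out.append(f"{self.name}: {attr} {used}+{amount} > {limit}")
        return out


def check_vm_request(user: QuotaHolder, group: QuotaHolder, request: dict) -> list:
    """A request must fit the user's quota and the group's quota at the same time."""
    return user.violations(request) + group.violations(request)


def commit_vm_request(user: QuotaHolder, group: QuotaHolder, request: dict) -> list:
    """Account the request against both quotas if it fits; return the violations otherwise."""
    problems = check_vm_request(user, group, request)
    if problems:
        return problems
    for holder in (user, group):
        for attr, amount in request.items():
            holder.usage[attr] = holder.usage.get(attr, 0) + amount
    return []


if __name__ == "__main__":
    alice = QuotaHolder("alice", limits={"VMS": USE_DEFAULT, "MEMORY": 4096, "CPU": UNLIMITED},
                        usage={"VMS": 4, "MEMORY": 2048, "CPU": 3}, defaults=DEFAULT_USER_QUOTA)
    testing = QuotaHolder("testing", limits={"VMS": 10, "MEMORY": USE_DEFAULT},
                          usage={"VMS": 9, "MEMORY": 30720, "CPU": 10}, defaults=DEFAULT_GROUP_QUOTA)
    request = {"VMS": 1, "MEMORY": 2048, "CPU": 2, "SYSTEM_DISK_SIZE": 10240}
    print("first request :", commit_vm_request(alice, testing, request) or "accepted")
    print("second request:", commit_vm_request(alice, testing, request) or "accepted")
```

The first request fits exactly (alice reaches her default of 5 VMs and her explicit 4096 MB memory limit, the group reaches its 10 VMs and default 32768 MB), so it is accepted; the identical second request is rejected on VMS and MEMORY for both the user and the group, while CPU passes for alice because her CPU quota is -2.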
Setting User/Group Quotas
User/group quotas can be easily set up through Sunstone. Note that you need MANAGE permissions to set the quota of a user, and ADMIN permissions to set the quota of a group. In this way, by default, only oneadmin can set quotas for a group, but if you define a group manager, that manager can set specific usage quotas for the users in their group (distributing resources as required).
To set the quota for a user:
- Click System > Users.
- Select the user.
- Click Quotas > Edit.
- Set up the quota for the user, then Apply.
Similarly, you can set the quotas for groups:
- Click System > Groups.
- Select the group.
- Click Quotas > Edit.
- Set up the quota for the group, then Apply.
Checking User/Group Quotas
Quota limits and usage for each user/group are included as part of its standard information, so they can be easily checked with the usual commands. To check the user or group quotas from Sunstone:
- Go to the Portal and log in as SuperAdmin or as a member of the Admin group.
- Click System > Users or Groups.
- The quotas for the selected user or group are then displayed.