Configuring multitenancy
To configure multitenancy for the compute cluster, you need to create domains and projects, assign users to them, and define project quotas.
Limitations
- You can set project quotas only after deploying the compute cluster.
Prerequisites
- A clear understanding of the concept of multitenancy.
- As quotas can exceed the existing virtual resources and virtual resources are not reserved for each project, the compute cluster must have enough virtual resources for all projects in all domains.
To create a domain
Admin panel
Command-line interface
Use the following command:
vinfra domain create [--description <description>] [--enable | --disable] <name>
--description <description>
- Domain description
--enable
- Enable domain
--disable
- Disable domain
<name>
- Domain name
For example, to create the domain mydomain, run:
# vinfra domain create mydomain
The created domain will appear in the vinfra domain list output:
# vinfra domain list
+--------------+----------+---------+--------------------+
| id           | name     | enabled | description        |
+--------------+----------+---------+--------------------+
| default      | Default  | True    | The default domain |
| 24986479e<…> | mydomain | True    |                    |
+--------------+----------+---------+--------------------+
To create a project
Admin panel
- On the Settings > Projects and users screen, click a domain within which the project will be created.
- On the Projects tab, click Create project.
- In the Create project window, specify the project name and, optionally, description. The project name must be unique within a domain.
- Clear the Enabled check box to disable the created project.
- Define quotas for virtual resources that will be available inside the project. To specify a certain value for a resource, clear the Unlimited check box next to it first.
  The default storage policy must be shared with projects that will use the Kubernetes-as-a-service feature.
- Click Create.
Command-line interface
Use the following command:
vinfra domain project create [--description <description>] [--enable | --disable] --domain <domain> <name>
--description <description>
- Project description
--enable
- Enable project
--disable
- Disable project
--domain <domain>
- Domain name or ID
<name>
- Project name
For example, to create the project myproject within the domain mydomain and add a description to it, run:
# vinfra domain project create myproject --domain mydomain --description "A custom project"
The created project will appear in the vinfra domain project list output:
# vinfra domain project list --domain mydomain
+-------------+-----------+---------+------------------+--------------+
| id          | name      | enabled | description      | domain_id    |
+-------------+-----------+---------+------------------+--------------+
| 79830e3c<…> | myproject | True    | A custom project | 24986479e<…> |
+-------------+-----------+---------+------------------+--------------+
To create a self-service user
Admin panel
- On the Settings > Projects and users screen, click a domain within which the user will be created.
- Go to the Domain users tab, and then click Create user.
- In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.
- Select the user role:
- Click Create.
Command-line interface
Use the following command:
vinfra domain user create [--email <email>] [--description <description>] [--assign <project> <role>] [--assign-domain <domain> <roles>] [--domain-permissions <domain_permissions>] [--enable | --disable] --domain <domain> <name>
--email <email>
- User email
--description <description>
- User description
--assign <project> <role>
- Assign a user to a project with one or more permission sets. Specify this option multiple times to assign the user to multiple projects.
  <project>: project ID or name
  <role>: user role in the project (project_admin)
--assign-domain <domain> <roles>
- Assign a user to a domain with one or more permission sets. Specify this option multiple times to assign the user to multiple domains. This option is only valid for service accounts.
  <domain>: domain ID or name
  <roles>: a comma-separated list of service account roles (compute)
--domain-permissions <domain_permissions>
- A comma-separated list of domain permissions. To view the list of available domain permissions, run:
  vinfra domain user list-available-roles | grep domain
--enable
- Enable user
--disable
- Disable user
--domain <domain>
- Domain name or ID
<name>
- User name
Example 1. To create a domain administrator account called myadmin within the domain mydomain, run:
# vinfra domain user create myadmin --domain mydomain --domain-permissions domain_admin
Specify the user password when prompted.
Example 2. To create the project member myuser for the project myproject within the domain mydomain and grant this user the permission to upload images, run:
# vinfra domain user create myuser --domain mydomain --assign myproject project_admin --domain-permissions image_upload
Specify the user password when prompted.
The created users will appear in the vinfra domain user list output:
# vinfra domain user list --domain mydomain
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| id          | name    | email | enabled | description | domain_permissions | assigned_projects         |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| 28aa0207<…> | myadmin |       | True    |             | - domain_admin     | []                        |
| fb9fa0b2<…> | myuser  |       | True    |             | - image_upload     | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_admin     |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
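The user listing above is the place to review who holds which permissions in a domain. The script below, an added example that is not part of the product documentation, folds that table (including its multi-line cells) into one line per user and lists the enabled accounts that hold domain_admin. It assumes the table layout shown above; the function names and the sample rows (user-01, proj-0001, oldadmin) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input, modeled on the `vinfra domain user list` table above.
sample_user_list() {
cat <<'EOF'
+---------+----------+-------+---------+-------------+--------------------+-------------------------+
| id      | name     | email | enabled | description | domain_permissions | assigned_projects       |
+---------+----------+-------+---------+-------------+--------------------+-------------------------+
| user-01 | myadmin  |       | True    |             | - domain_admin     | []                      |
| user-02 | myuser   |       | True    |             | - image_upload     | - project_id: proj-0001 |
|         |          |       |         |             |                    |   role: project_admin   |
| user-03 | oldadmin |       | False   |             | - domain_admin     | []                      |
+---------+----------+-------+---------+-------------+--------------------+-------------------------+
EOF
}

# Reads the table on stdin and prints one tab-separated line per user:
#   name  enabled  domain_permissions  project=role[,project=role...]
audit_domain_users() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function emit() {
      if (name != "")
        printf "%s\t%s\t%s\t%s\n", name, enabled, (perms == "" ? "-" : perms), (roles == "" ? "-" : roles)
    }
    /^\+/ || NF < 9 { next }            # skip borders, prompts and other non-row lines
    { n = trim($3) }
    n == "name" { next }                # skip the header row
    n != "" { emit(); name = n; enabled = trim($5); perms = ""; roles = ""; proj = "" }
    {                                   # first row and continuation rows of a user
      p = trim($7); sub(/^- /, "", p)
      if (p != "") perms = perms (perms == "" ? "" : ",") p
      r = trim($8)
      if (r ~ /^- project_id:/) { sub(/^- project_id: */, "", r); proj = r }
      else if (r ~ /^role:/) { sub(/^role: */, "", r); roles = roles (roles == "" ? "" : ",") proj "=" r }
    }
    END { emit() }
  '
}

# Prints the names of enabled users whose domain permissions include domain_admin.
flag_domain_admins() {
  audit_domain_users | awk -F'\t' '$2 == "True" && ("," $3 ",") ~ /,domain_admin,/ { print $1 }'
}

# Run on the constructed sample.
sample_user_list | flag_domain_admins
```

To review a live domain, pipe the real listing into the same function: vinfra domain user list --domain mydomain | flag_domain_admins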