Configuring multitenancy
To configure multitenancy for the compute or S3 cluster, you need to create domains and projects, and then assign users to them.
Limitations
- You can set domain and project quotas only after deploying the compute cluster.
Prerequisites
- A clear understanding of the concept Multitenancy.
To create a domain
Admin panel
- On the Settings > Projects and users screen, click Create domain.
- In the Create domain window, specify the domain name and, optionally, description.
  A description should not contain any personally identifiable information or sensitive business data.
- Click Create.
Command-line interface
Use the following command:
vinfra domain create [--description <description>] [--enable | --disable] <name>
--description <description>
  Domain description
  A description should not contain any personally identifiable information or sensitive business data.
--enable
  Enable domain
--disable
  Disable domain
<name>
  Domain name
For example, to create the domain mydomain, run:
# vinfra domain create mydomain
The created domain will appear in the vinfra domain list output:
# vinfra domain list
+--------------+----------+---------+--------------------+
| id           | name     | enabled | description        |
+--------------+----------+---------+--------------------+
| default      | Default  | True    | The default domain |
| 24986479e<…> | mydomain | True    |                    |
+--------------+----------+---------+--------------------+
To create a project
Admin panel
- On the Settings > Projects and users screen, click a domain within which the project will be created.
- On the Projects tab, click Create project.
- In the Create project window, specify the project name and, optionally, description. The project name must be unique within a domain.
  A description should not contain any personally identifiable information or sensitive business data.
- Click Create.
Command-line interface
Use the following command:
vinfra domain project create [--description <description>] [--enable | --disable]
                             --domain <domain> <name>
--description <description>
  Project description
  A description should not contain any personally identifiable information or sensitive business data.
--enable
  Enable project
--disable
  Disable project
--domain <domain>
  Domain name or ID
<name>
  Project name
For example, to create the project myproject within the domain mydomain and add a description to it, run:
# vinfra domain project create myproject --domain mydomain --description "A custom project"
The created project will appear in the vinfra domain project list output:
# vinfra domain project list --domain mydomain
+-------------+-----------+---------+------------------+--------------+
| id          | name      | enabled | description      | domain_id    |
+-------------+-----------+---------+------------------+--------------+
| 79830e3c<…> | myproject | True    | A custom project | 24986479e<…> |
+-------------+-----------+---------+------------------+--------------+
To create a self-service user
Admin panel
- On the Settings > Projects and users screen, click a domain within which the user will be created.
- Go to the Domain users tab, and then click Create user.
- In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.
  A description should not contain any personally identifiable information or sensitive business data.
- Select the user role:
  - To create a domain administrator
    - Select the Domain administrator role.
    - Enable Image uploading to allow the user to upload images and configure this permission for other domain users.
    - Enable Project and quota management to allow the user to manage projects and quotas, as well as configure this permission for other domain administrators.
  - To create a project administrator
    - Select the Project member role.
    - Click Manage in the Projects section and select a project to assign the user to. Then, click Save.
    - Choose project access:
      - Full access allows managing services.
      - Read-only access allows viewing services only.
    - If any projects have full access, you can enable Image uploading to allow the user to upload images in those projects.
- Click Create.
Command-line interface
Use the following command:
vinfra domain user create [--email <email>] [--description <description>]
                          [--assign <project> <role>] [--assign-domain <domain> <roles>]
                          [--domain-permissions <domain_permissions>]
                          [--enable | --disable] --domain <domain> <name>
--email <email>
  User email
--description <description>
  User description
  A description should not contain any personally identifiable information or sensitive business data.
--assign <project> <role>
  Assign a user to a project with one or more permission sets. Specify this option multiple times to assign the user to multiple projects.
  <project>: project ID or name
  <role>: user role in the project (project_admin or project_reader)
--assign-domain <domain> <roles>
  Assign a user to a domain with one or more permission sets. Specify this option multiple times to assign the user to multiple domains. This option is only valid for service accounts.
  <domain>: domain ID or name
  <roles>: a comma-separated list of service account roles (compute)
--domain-permissions <domain_permissions>
  A comma-separated list of domain permissions. View the list of available domain permissions using vinfra domain user list-available-roles | grep domain.
--enable
  Enable user
--disable
  Disable user
--domain <domain>
  Domain name or ID
<name>
  User name
Example 1. To create a domain administrator account called myadmin within the domain mydomain and grant this user the permission to manage projects and their quotas, run:
# vinfra domain user create myadmin --domain mydomain --domain-permissions domain_admin,quota_manager
Specify the user password when prompted.
Example 2. To create a project member myuser1 in the project myproject within the domain mydomain, grant full access to the project, and allow image uploads, run:
# vinfra domain user create myuser1 --domain mydomain --assign myproject project_admin --domain-permissions image_upload
Specify the user password when prompted.
Example 3. To create a project member myuser2 in the project myproject within the domain mydomain and grant read-only access to the project, run:
# vinfra domain user create myuser2 --domain mydomain --assign myproject project_reader
Specify the user password when prompted.
The created users will appear in the vinfra domain user list output:
# vinfra domain user list --domain mydomain
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| id          | name    | email | enabled | description | domain_permissions | assigned_projects         |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| 28aa0207<…> | myadmin |       | True    |             | - domain_admin     | []                        |
|             |         |       |         |             | - quota_manager    |                           |
| fb9fa0b2<…> | myuser1 |       | True    |             | - image_upload     | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_admin     |
| 6b8713d8<…> | myuser2 |       | True    |             | []                 | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_reader    |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
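The following script is an added example, not part of the original documentation or of the vinfra tooling. It parses the vinfra domain user list table layout shown above and prints every domain permission and every project role other than project_reader, so that grants can be reviewed against least privilege. The function names and the embedded sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): review grants in `vinfra domain user list` output.

# Constructed sample input, in the table layout shown on this page.
sample_table() {
cat <<'EOF'
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| id          | name    | email | enabled | description | domain_permissions | assigned_projects         |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
| 28aa0207<…> | myadmin |       | True    |             | - domain_admin     | []                        |
|             |         |       |         |             | - quota_manager    |                           |
| fb9fa0b2<…> | myuser1 |       | True    |             | - image_upload     | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_admin     |
| 6b8713d8<…> | myuser2 |       | True    |             | []                 | - project_id: 79830e3c<…> |
|             |         |       |         |             |                    |   role: project_reader    |
+-------------+---------+-------+---------+-------------+--------------------+---------------------------+
EOF
}

# Reads the table on stdin and prints one "<user> <grant>" line for every
# domain permission and every project role other than project_reader.
privileged_grants() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^\|/ {
      if (trim($2) == "id") next            # skip the header row
      name = trim($3); perm = trim($7); proj = trim($8)
      if (name != "") user = name           # continuation rows leave the name cell empty
      sub(/^- /, "", perm)
      if (perm != "" && perm != "[]") print user, "domain:" perm
      # Remember the project ID so the role on the next row can be attributed to it.
      if (proj ~ /^- project_id: /) { pid = proj; sub(/^- project_id: /, "", pid) }
      if (proj ~ /^role: /) {
        sub(/^role: /, "", proj)
        if (proj != "project_reader") print user, "project:" proj "@" pid
      }
    }'
}

# Real use: vinfra domain user list --domain mydomain | privileged_grants
sample_table | privileged_grants
```

Run periodically per domain, the output gives a short list of accounts whose domain permissions or full project access should still be justified.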