Google Git
Sign in
apache / cloudstack-docs-admin / 58697539fdf780bb613540461110cabd02c36e94 / . / source / projects.rst
blob: 7ebbaa4ae7013ccd1f29ccd541c6c6ecc526a99c [file] [log] [blame]
.. Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information#
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
Using Projects to Organize Users and Resources
==============================================
Overview of Projects
--------------------
Projects are used to organize people and resources. CloudStack users
within a single domain can group themselves into project teams so they
can collaborate and share virtual resources such as VMs, snapshots,
templates, data disks, and IP addresses. CloudStack tracks resource
usage per project as well as per user, so the usage can be billed to
either a user account or a project. For example, a private cloud within
a software company might have all members of the QA department assigned
to one project, so the company can track the resources used in testing
while the project members can more easily isolate their efforts from
other users of the same cloud
You can configure CloudStack to allow any user to create a new project,
or you can restrict that ability to just CloudStack administrators. Once
you have created a project, you become that projects administrator, and
you can add others within your domain to the project. CloudStack can be
set up either so that you can add people directly to a project, or so
that you have to send an invitation which the recipient must accept.
Project members can view and manage all virtual resources created by
anyone in the project (for example, share VMs). A user can be a member
of any number of projects and can switch views in the CloudStack UI to
show only project-related information, such as project VMs, fellow
project members, project-related alerts, and so on.
The project administrator can pass on the role to another project
member. The project administrator can also add more members, remove
members from the project, set new resource limits (as long as they are
below the global defaults set by the CloudStack administrator), and
delete the project. When the administrator removes a member from the
project, resources created by that user, such as VM instances, remain
with the project. This brings us to the subject of resource ownership
and which resources can be used by a project.
Resources created within a project are owned by the project, not by any
particular CloudStack account, and they can be used only within the
project. A user who belongs to one or more projects can still create
resources outside of those projects, and those resources belong to the
users account; they will not be counted against the projects usage or
resource limits. You can create project-level networks to isolate
traffic within the project and provide network services such as port
forwarding, load balancing, VPN, and static NAT. A project can also make
use of certain types of resources from outside the project, if those
resources are shared. For example, a shared network or public template
is available to any project in the domain. A project can get access to a
private template if the templates owner will grant permission. A
project can use any service offering or disk offering available in its
domain; however, you can not create private service and disk offerings
at the project level..
Configuring Projects
--------------------
Before CloudStack users start using projects, the CloudStack
administrator must set up various systems to support them, including
membership invitations, limits on project resources, and controls on who
can create projects.
Setting Up Invitations
~~~~~~~~~~~~~~~~~~~~~~
CloudStack can be set up either so that project administrators can add
people directly to a project, or so that it is necessary to send an
invitation which the recipient must accept. The invitation can be sent
by email or through the users CloudStack account. If you want
administrators to use invitations to add members to projects, turn on
and set up the invitations feature in CloudStack.
#. Log in as administrator to the CloudStack UI.
#. In the left navigation, click Global Settings.
#. In the search box, type project and click the search button.
|Searches projects|
#. In the search results, you can see a few other parameters you need to
set to control how invitations behave. The table below shows global
configuration parameters related to project invitations. Click the
edit button to set each parameter.
.. cssclass:: table-striped table-bordered table-hover
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration Parameters | Description |
+============================+=======================================================================================================================================================+
| project.invite.required | Set to true to turn on the invitations feature. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.email.sender | The email address to show in the From field of invitation emails. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.invite.timeout | Amount of time to allow for a new member to respond to the invitation. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.smtp.host | Name of the host that acts as an email server to handle invitations. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.smtp.password | (Optional) Password required by the SMTP server. You must also set project.smtp.username and set project.smtp.useAuth to true. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.smtp.port | SMTP servers listening port. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.smtp.useAuth | Set to true if the SMTP server requires a username and password. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| project.smtp.username | (Optional) User name required by the SMTP server for authentication. You must also set project.smtp.password and set project.smtp.useAuth to true.. |
+----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
#. Restart the Management Server:
.. code:: bash
service cloudstack-management restart
Setting Resource Limits for Projects
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The CloudStack administrator can set global default limits to control
the amount of resources that can be owned by each project in the cloud.
This serves to prevent uncontrolled usage of resources such as
snapshots, IP addresses, and virtual machine instances. Domain
administrators can override these resource limits for individual
projects with their domains, as long as the new limits are below the
global defaults set by the CloudStack root administrator. The root
administrator can also set lower resource limits for any project in the
cloud
Setting Per-Project Resource Limits
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The CloudStack root administrator or the domain administrator of the
domain where the project resides can set new resource limits for an
individual project. The project owner can set resource limits only if
the owner is also a domain or root administrator.
The new limits must be below the global default limits set by the
CloudStack administrator (as described in `“Setting
Resource Limits for Projects” <#setting-resource-limits-for-projects>`_).
If the project already owns more of a given type of resource than the
new maximum, the resources are not affected; however, the project can
not add any new resources of that type until the total drops below the
new limit.
#. Log in as administrator to the CloudStack UI.
#. In the left navigation, click Projects.
#. In Select View, choose Projects.
#. Click the name of the project you want to work with.
#. Click the Resources tab. This tab lists the current maximum amount
that the project is allowed to own for each type of resource.
#. Type new values for one or more resources.
#. Click Apply.
Setting the Global Project Resource Limits
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#. Log in as administrator to the CloudStack UI.
#. In the left navigation, click Global Settings.
#. In the search box, type max.projects and click the search button.
#. In the search results, you will see the parameters you can use to set
per-project maximum resource amounts that apply to all projects in
the cloud. No project can have more resources, but an individual
project can have lower limits. Click the edit button to set each
parameter. |Edits parameters|
.. cssclass:: table-striped table-bordered table-hover
+--------------------------+------------------------------------------------------------------------------------------------------------------------------+
| max.project.public.ips | Maximum number of public IP addresses that can be owned by any project in the cloud. See About Public IP Addresses. |
+--------------------------+------------------------------------------------------------------------------------------------------------------------------+
| max.project.snapshots | Maximum number of snapshots that can be owned by any project in the cloud. See Working with Snapshots. |
+--------------------------+------------------------------------------------------------------------------------------------------------------------------+
| max.project.templates | Maximum number of templates that can be owned by any project in the cloud. See Working with Templates. |
+--------------------------+------------------------------------------------------------------------------------------------------------------------------+
| max.project.uservms | Maximum number of guest virtual machines that can be owned by any project in the cloud. See Working With Virtual Machines. |
+--------------------------+------------------------------------------------------------------------------------------------------------------------------+
| max.project.volumes | Maximum number of data volumes that can be owned by any project in the cloud. See Working with Volumes. |
+--------------------------+------------------------------------------------------------------------------------------------------------------------------+
#. Restart the Management Server.
.. code:: bash
# service cloudstack-management restart
Setting Project Creator Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can configure CloudStack to allow any user to create a new project,
or you can restrict that ability to just CloudStack administrators.
#. Log in as administrator to the CloudStack UI.
#. In the left navigation, click Global Settings.
#. In the search box, type allow.user.create.projects.
#. Click the edit button to set the parameter. |Edits parameters|
``allow.user.create.projects``
Set to true to allow end users to create projects. Set to false if
you want only the CloudStack root administrator and domain
administrators to create projects.
#. Restart the Management Server.
.. code:: bash
# service cloudstack-management restart
Creating a New Project
----------------------
CloudStack administrators and domain administrators can create projects.
If the global configuration parameter allow.user.create.projects is set
to true, end users can also create projects.
#. Log in as administrator to the CloudStack UI.
#. In the left navigation, click Projects.
#. In Select view, click Projects.
#. Click New Project.
#. Give the project a name and description for display to users, then
click Create Project.
#. A screen appears where you can immediately add more members to the
project. This is optional. Click Next when you are ready to move on.
#. Click Save.
Adding Members to a Project
---------------------------
New members can be added to a project by the projects administrator,
the domain administrator of the domain where the project resides or any
parent domain, or the CloudStack root administrator. There are two ways
to add members in CloudStack, but only one way is enabled at a time:
- If invitations have been enabled, you can send invitations to new
members.
- If invitations are not enabled, you can add members directly through
the UI.
Sending Project Membership Invitations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use these steps to add a new member to a project if the invitations
feature is enabled in the cloud as described in `“Setting
Up Invitations” <#setting-up-invitations>`_. If the invitations feature is
not turned on, use the procedure in Adding Project Members From the UI.
#. Log in to the CloudStack UI.
#. In the left navigation, click Projects.
#. In Select View, choose Projects.
#. Click the name of the project you want to work with.
#. Click the Invitations tab.
#. In Add by, select one of the following:
#. Account – The invitation will appear in the user’s Invitations tab
in the Project View. See Using the Project View.
#. Email – The invitation will be sent to the user’s email address.
Each emailed invitation includes a unique code called a token
which the recipient will provide back to CloudStack when accepting
the invitation. Email invitations will work only if the global
parameters related to the SMTP server have been set. See
`“Setting Up Invitations” <#setting-up-invitations>`_.
#. Type the user name or email address of the new member you want to
add, and click Invite. Type the CloudStack user name if you chose
Account in the previous step. If you chose Email, type the email
address. You can invite only people who have an account in this cloud
within the same domain as the project. However, you can send the
invitation to any email address.
#. To view and manage the invitations you have sent, return to this tab.
When an invitation is accepted, the new member will appear in the
projects Accounts tab.
Adding Project Members From the UI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The steps below tell how to add a new member to a project if the
invitations feature is not enabled in the cloud. If the invitations
feature is enabled cloud,as described in `“Setting Up
Invitations” <#setting-up-invitations>`_, use the procedure in
`“Sending Project Membership
Invitations” <#sending-project-membership-invitations>`_.
#. Log in to the CloudStack UI.
#. In the left navigation, click Projects.
#. In Select View, choose Projects.
#. Click the name of the project you want to work with.
#. Click the Accounts tab. The current members of the project are
listed.
#. Type the account name of the new member you want to add, and click
Add Account. You can add only people who have an account in this
cloud and within the same domain as the project.
Accepting a Membership Invitation
---------------------------------
If you have received an invitation to join a CloudStack project, and you
want to accept the invitation, follow these steps:
#. Log in to the CloudStack UI.
#. In the left navigation, click Projects.
#. In Select View, choose Invitations.
#. If you see the invitation listed onscreen, click the Accept button.
Invitations listed on screen were sent to you using your CloudStack
account name.
#. If you received an email invitation, click the Enter Token button,
and provide the project ID and unique ID code (token) from the email.
Suspending or Deleting a Project
--------------------------------
When a project is suspended, it retains the resources it owns, but they
can no longer be used. No new resources or members can be added to a
suspended project.
When a project is deleted, its resources are destroyed, and member
accounts are removed from the project. The projects status is shown as
Disabled pending final deletion.
A project can be suspended or deleted by the project administrator, the
domain administrator of the domain the project belongs to or of its
parent domain, or the CloudStack root administrator.
#. Log in to the CloudStack UI.
#. In the left navigation, click Projects.
#. In Select View, choose Projects.
#. Click the name of the project.
#. Click one of the buttons:
To delete, use |Removes a project|
To suspend, use |Suspends a project|
Using the Project View
----------------------
If you are a member of a project, you can use CloudStacks project view
to see project members, resources consumed, and more. The project view
shows only information related to one project. It is a useful way to
filter out other information so you can concentrate on a project status
and resources.
#. Log in to the CloudStack UI.
#. Click Project View.
#. The project dashboard appears, showing the project’s VMs, volumes,
users, events, network settings, and more. From the dashboard, you
can:
- Click the Accounts tab to view and manage project members. If you
are the project administrator, you can add new members, remove
members, or change the role of a member from user to admin. Only
one member at a time can have the admin role, so if you set
another users role to admin, your role will change to regular
user.
- (If invitations are enabled) Click the Invitations tab to view and
manage invitations that have been sent to new project members but
not yet accepted. Pending invitations will remain in this list
until the new member accepts, the invitation timeout is reached,
or you cancel the invitation.
.. |Edits Parameters| image:: _static/images/edit-icon.png
.. |Searches projects| image:: _static/images/search-button.png
.. |Removes a project| image:: _static/images/delete-button.png
.. |Suspends a project| image:: _static/images/suspend-icon.png