Thank you Adam for this answer. Another easier (better?) approach would be to have one tenant per user, setting the default instances quota for all tenants to 1 (using the nova quota-defaults command). As users and tenants can be managed by LDAP in Havana, binding the default tenant to his own tenant for each user could be LDAP driven.
Jacques Landru

----- Original Message -----
From: "Adam Young" <[email protected]>
To: "Jacques LANDRU" <[email protected]>
Sent: Monday, 13 January 2014 15:59:39
Subject: Re: [Openstack] per-user quota keystone user database is LDAP based ?

> On 01/10/2014 12:16 PM, Jacques LANDRU wrote:
>> Hi,
>>
>> I have some questions about instance quota, and instance access authorization.
>> Openstack version is Havana (nova --version 2.15.0, keystone --version 0.3.2)
>>
>> I plan to use a small openstack project/tenant as an online virtual computer lab room. The project/tenant instance quota will be limited to 12 or 24 instances (as in a real lab room, there're 12 or 24 workstations). Keystone user database will point to our LDAP server where student posixaccounts are managed. Amount of potential users is around 800 (maybe several thousand in the future when keystone will be saml/shibboleth compatible). A user will be restricted to 1 instance at a time, as in a real lab room a student can use 1 workstation at a time.
>>
>> The main idea is:
>> - each student can access the online lab room to launch an instance chosen among a small set of pre-defined images or flavors,
>> - when the tenant instance quota is reached, the lab room is full, other students will have to wait until one or more instances are freed by their owners.
>>
>> Two questions:
>>
>> 1) Is there a simple way to set per-user default instance quota to 1 and tenant instance quota to 12 ?
>
> Quotas are not held in Keystone, so I don't know if you can get Quota data from LDAP to Nova without a script.
>
>> 2) how can I restrict instance access (console, reboot command,...) only to the owner of that instance ?
>
> You can't, RBAC is at Project/tenant granularity only. So unless each VM is in a separate project, others can reboot.
>
>> Some ideas ?
>>
>> Regards.
>>
>> -----oOo-----
>> Jacques Landru
>> mel: landru~hat~telecom-lille.fr
>> tel: +33 (0)3 2033 5556
>> fax: +33 (0)3 2033 5598
>> Telecom Lille
>> Cite scientifique, rue G. Marconi, BP20145
>> 59653 VILLENEUVE D'ASCQ Cedex
>> web: http://www.telecom-lille.fr
>> Tel: +33 (0)3 2033 5577
>> Fax: +33 (0)3 2033 5599
>> -----oOo-----
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : [email protected]
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
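The one-tenant-per-user setup proposed in the reply above, sketched as a POSIX shell script. This is an added example, not code from the thread or from the OpenStack project; it assumes the Havana-era keystone and nova CLIs, admin credentials already exported in the environment, and tenant and role names of my own choosing. DRY_RUN prints the commands instead of running them so the plan can be reviewed before it touches a live deployment.

```shell
#!/bin/sh
# Added example (not from the thread): one private tenant per LDAP user, each
# capped at one instance, with the shared lab tenant kept at lab-room size.
# Assumes the Havana-era "keystone" and "nova" CLIs and admin credentials
# (OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME, OS_AUTH_URL) already exported.
DRY_RUN=${DRY_RUN:-1}   # 1 = print each command instead of running it
ROLE=${ROLE:-Member}    # role granted in the private tenant (assumption)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only uids that look like plain posixAccount names; anything else read
# from the directory is refused rather than spliced into a command line.
valid_uid() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Resolve a tenant name to its id from the "keystone tenant-get" table output.
tenant_id() {
    keystone tenant-get "$1" | awk '$2 == "id" { print $4 }'
}

# Make 1 the default instance quota for every tenant, then raise only the
# shared lab tenant to the number of "workstations" (12 or 24 in the thread).
set_default_quotas() {
    lab_tenant=$1 lab_size=$2
    run nova quota-class-update --instances 1 default
    if [ "$DRY_RUN" = 1 ]; then
        run nova quota-update --instances "$lab_size" "<id of $lab_tenant>"
    else
        run nova quota-update --instances "$lab_size" "$(tenant_id "$lab_tenant")"
    fi
}

# Create the user's own tenant and add the user to it. The new tenant inherits
# the default quota of 1, and no other student is a member, so only the owner
# can see, reboot or open the console of the instance running there.
provision_user_tenant() {
    user=$1
    valid_uid "$user" || { echo "refusing suspicious uid: $user" >&2; return 1; }
    tenant="lab-$user"
    run keystone tenant-create --name "$tenant" --description "private lab tenant for $user"
    run keystone user-role-add --user "$user" --tenant "$tenant" --role "$ROLE"
}
```

Run set_default_quotas once for the shared lab tenant, then provision_user_tenant for each uid exported from LDAP; with DRY_RUN=0 the same functions execute the commands.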
