Accounts: CloudStack

Description

Apache CloudStack provides Accounts as a way to allocate resources within your cloud infrastructure. Upon delivery, you received a pre-configured domain with resources and a domainadmin account (with 1 user added to it). To get the maximum benefit from your cloud infrastructure, please review the fundamental concepts behind accounts and resources:

  • An account is an administrative container that can contain multiple users.
  • An account can be of two types: Admin (domainadmin) or User. Once you set the role, it cannot be changed. Users added to an account will inherit the account's role (account type).
  • A domainadmin type account has full rights for that domain. A user type account has fewer privileges. The most important distinctions are that a user can only manage allocated resources and has no rights over other users. A domainadmin has full privileges within the domain, including over other accounts and users.
  • Users within an account have their own password for accessing the UI, and can have their own API keys to use the API. You do not log in with the account name; instead, you must log in as a user belonging to an account. Note: A username within an account can be identical to the account name.
  • An account has resources (within the limits of the domain resources of course) assigned to it.
  • Using accounts is a way to segment the available resources within your domain. 
  • Upon creation of an account, the resource limits for the account are set to unlimited (-1). However, the resources for an account cannot exceed the total resources allocated to the domain.


Adding an Account

Perform the following steps to add an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
     
  2. Click + Add Account.
    The Add Account dialog box displays.
  3. Enter the following information and click OK.


    Field Name        Description
    Account           Enter the name of the account you are creating. Note: Once the account is created, you can add multiple users to it.
    Domain            Select the domain name under which you are creating the account. Note: Currently, LeaseWeb provides only one domain.
    Type              Select the account type. It can either be ADMIN (domainadmin) or USER.
                      Notes:
                      • When you add users to this account, all users will inherit the same role as you set in this field. For example, if you select ADMIN, all users added to this account will have domain-admin privileges.
                      • Once you set the type for an account, it cannot be edited.
                      • If you select the type USER for this account, users added to this account will not be able to view some of the panels in CloudStack after logging in, such as Accounts, Domains, Projects, and Service Offerings.
    Username          Enter the user name that will be used to log in to the Apache CloudStack platform.
    Password          Enter a password for the user to log in to the Apache CloudStack platform.
    Confirm password  Re-enter the password to confirm it.
    Email             Enter the email address of the user.
    First Name        Enter the first name of the user you are creating for the account.
    Last Name         Enter the last name of the user you are creating.
    Timezone          Select a time zone corresponding to the locale of the account.
    Network Domain    Enter the prefix, if any, for the domain name for all networks created within your account. Example: If you enter "test", your network domain will become "test.leasewebcloud.com". If you do not enter a value, the network domain will display "leasewebcloud.com".

Viewing an Account

Perform the following steps to view an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. You can view the following information on this page:


    Column Name       Description
    Name              Displays the name of the account.
    Role              Displays the account type (role). Note: Based on the account type, all users added to this account will inherit the same role.
    Domain            Displays the domain name.
    State             Displays the current state of the account.
    Quickview         Displays an overview of the account, the tasks that can be performed, and a quick link to users within the account.

Editing an Account

Perform the following steps to edit an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
     
  2. Click the account that you want to edit.
    The Details tab displays.
  3. Click the Edit icon.
    The editable fields allow you to enter new values.
     

  4. Update the values and click Apply.
    The updated values display. 

    Editable fields: Name, Network Domain, Instance Limits, Public IP Limits, Volume Limits, Snapshot Limits, Template Limits, VPC Limits, CPU Limits, Memory Limits (MiB), Network Limits, Primary Storage Limits (GiB), Secondary Storage Limits (GiB)

Updating Resource Count

For each account, CloudStack maintains usage information such as network traffic, storage used, or instances created. Updating resource count fetches the latest data from CloudStack.

Perform the following steps to update the resource count for an account: 

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account for which you want to update the resource count.
    The Details tab displays.
  3. Click the Update Resource Count icon.
    A Confirmation dialog box displays. 
  4. Click Yes to confirm updating the resource count.
    The updated resource count values for the specific account display.

Disabling an Account

If you want to temporarily prevent an account from performing any actions on the CloudStack platform, you can disable the account. All users within that account cannot perform any tasks. All instances associated with this account will be shut down.

Perform the following steps to disable an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that you want to disable.
    The Details tab displays.
  3. Click the Disable account icon.
    A Confirmation dialog box displays.
  4. Click Yes to confirm disabling the account.
    The state of the account displays as disabled.

To enable the account, click the Enable account icon. In the Confirmation dialog box, click Yes.


Locking an Account

Locking is similar to disabling an account. However, all instances associated with the account continue to run. All users within the account cannot perform any tasks. You can only lock "Enabled" accounts. 

Perform the following steps to lock an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that you want to lock.
    The Details tab displays.
  3. Click the Lock account icon.
    A Confirmation dialog box displays.
  4. Click Yes to confirm locking this account.
    The state of the account displays as locked.

    To unlock an account, click the Enable account icon. The Confirmation dialog box displays. Click Yes to confirm enabling the account.

Deleting an Account

On deleting an account, all users within the account and all resources associated with the account will be deleted. 

Perform the following steps to delete an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that you want to delete.
    The Details tab displays.
  3. Click the Delete account icon. 
    A Confirmation dialog box displays. 
  4. Click Yes to confirm deleting the account.

Viewing a User within an Account

Perform the following steps to view user(s) within an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account for which you want to view the user details.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.
  4. The following information is displayed.


    Column Name       Description
    Username          Displays the username for the user. Note: This username is required to log in to the user's account.
    First Name        Displays the first name of the user.
    Last Name         Displays the last name of the user.
    Quickview         Displays an overview of the user and the tasks that can be performed on it.

Adding a User to an Account

When you add a user to an account, the user inherits the account's type (role).

Perform the following steps to add a user to an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account to which you want to add a user.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.
  4. Click + Add User.
    The Add User dialog box displays.
  5. Enter the following information and click OK.


    Field Name        Description
    Username          Enter the username with which the user can log in. Note: This is an editable field.
    Password          Enter the password with which the user can log in.
    Confirm password  Re-enter the password.
    Email             Enter the email address. Note: This is an editable field.
    First Name        Enter the first name of the user. Note: This is an editable field.
    Last Name         Enter the last name of the user. Note: This is an editable field.
    Timezone          Select the timezone of the user's locale. Note: This is an editable field.

Editing User Details in an Account

Perform the following steps to edit the user details in an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that contains the user you want to edit.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.
  4. Click the user whose details you want to edit.
    The Details tab displays.
  5. Click the Edit icon.
    The editable fields allow you to enter/select new values.
  6. Update the values and click Apply.
    The updated values display.

    Editable fields: Name, Email, First Name, Last Name, Timezone

Changing Password for a User

Perform the following steps to change the user password:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that contains the user for whom you want to change the password.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.
  4. Click the user for whom you want to change the password.
    The Details tab displays.
  5. Click the Change Password icon.
    The Change Password dialog box displays.
  6. Enter a new password for the user, confirm the password by re-entering it, and click OK.
    The new password is effective. 

Generating Keys for a User

You can generate keys to access the API.

Perform the following tasks to generate the API and Secret keys for a user:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that contains the user for whom you want to generate the keys.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.


  4. Click the user for whom you want to generate the key.
    The Details tab displays.
  5. Click the Generate Keys icon.
    A Confirmation dialog box displays.
  6. Click Yes to confirm generating the keys for the user.
    The "API Key" and "Secret Key" fields display the new values.

Disabling a User

If you want to temporarily prevent a user from performing any actions on the CloudStack platform, you can disable the user.

Perform the following steps to disable a user within an account:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that contains the user that you want to disable.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.
  4. Click the user you want to disable.
    The Details tab displays.
  5. Click the Disable User icon.
    A Confirmation dialog box appears.
  6. Click Yes to confirm disabling the user.
    The state of the user displays as disabled.

To enable a disabled user, click the Enable icon. In the Confirmation dialog box, click Yes.


Deleting a User

Perform the following steps to delete a user:

  1. On the left panel, click Accounts.
    The Accounts page displays.
  2. Click the account that contains the user that you want to delete.
    The Details tab displays.
  3. Click View Users.
    The Users page displays.
  4. Click the user you want to delete.
    The Details tab displays.
  5. Click the Delete User icon.
    A Confirmation dialog box displays.
  6. Click Yes to confirm deleting the user.

Roles in CloudStack

From Leaseweb CloudStack version 4.7.1-leaseweb16-2, we support a new feature called "Roles". Roles provide different access levels to different users. Currently, CloudStack supports only the "Root" user, who has access to everything in the system, and the "User" type, who has only read access to the account to which the user belongs. The "Root" user belongs to the Root domain and "User" belongs to the "User" domain. We introduced a third type of domain called "DomainAdmin", which is similar to "RootAdmin" but with read-only Root access. This allows users to view all parts of the system, but they will not be able to update or delete anything in CloudStack. This allows the admin to configure the different actions that users can perform.

This introduces a new tab in the CloudStack console called "Roles", which can be accessed as shown in the figure below.

Root Admins by default are able to navigate there and create or update all roles. When creating a new role, the Root Admin selects the rules that apply to that role, and can define a list of APIs to allow or deny for the role. When a user assigned a specific role issues an API request, the backend checks the requested API against the rules configured for that role, and the user can call the API only if the list allows it. If the API is denied or not listed, it cannot be called. The diagram below shows the view you get when you select the "Roles" tab in the CloudStack UI.

As shown in the diagram above, there is a new type of role called "Domain Admin", which is provided by default by CloudStack. Users belonging to "Root Admin" have full access to the system, whereas users belonging to "Domain Admin" and "User" can only perform actions that are defined by the "Root Admin".


Creating a new Role

Perform the following tasks to create roles:

  1. Click on the "Roles" tab in the left side of the CloudStack UI. 
  2. In the new window, click on "Add Role" to create a new Role.
    This will display a popup as shown below.


  3. Enter the name for the new role, description for it, and the type of the role. 
  4. Once the role is created, you can view the information below. 



Once a new role is created with a certain type, the type cannot be changed. You have to delete the role to change the type.


Editing a Role

After creating the role, you can edit it to change the name and description of the Role. The diagram below shows how to edit the role.

Deleting a Role

To delete a role, select the role you want to delete and click on "delete role" icon.

Creating an account using new Role

After creating a new type of role, you can create a user account that belongs to this category. To create an account, refer to the steps in "Adding an Account" at the beginning of this page. You can do it by logging in to the CloudStack UI and selecting the "Accounts" tab on the left-hand side.

In the account creation page, select the role type you just created above and enter the other information necessary for creating the account and a default user for the account.

Adding Rules to the Role

Once the new role is created, you can specify which actions the users belonging to this role can perform by adding new rules. These rules specify whether a particular action can be performed by the user or not. Every rule has one of two actions: "Allow" or "Deny".

An "Allow" rule means the user can perform the action; a "Deny" rule means the user cannot perform it, and an error is displayed. Make sure to list the "Deny" rules first, followed by the "Allow" rules. When a user performs an action, the rules are compared against the action sequentially. So if an "allow" rule is listed first, followed by a "deny" rule, the user can perform the action because "allow" is matched first, even though the intention was to block it.

A user can perform many actions in the CloudStack UI, and specifying "allow" or "deny" for each one is tedious. CloudStack supports wildcards, which cover all actions belonging to the same category. By default, "*" means allow all actions, which is available for "Root Admins". So if the "root admin" decides that a normal user can perform only display operations, they can specify "list*" instead of typing all the list APIs. Similarly, if a user has to create virtual machines, networks or other resources, this can be done using "create*" with the "Allow" action.

If the rule is "disable*" and the action is "deny", the user cannot perform any of the disable operations in CloudStack. The diagram shows how the above scenario is implemented in CloudStack.

There are two rules configured. The first rule is "disable*" with the permission "Deny", which means the user cannot perform any disable operations. This is followed by the "list*" rule with the permission "Allow", which means the user can perform all display operations in CloudStack.
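
The ordering behaviour described above, as an added example (not Leaseweb's or CloudStack's own code): a first-match evaluator that denies unlisted APIs, plus a check that flags deny rules overridden by an earlier allow rule. The API names are a constructed sample, and case-sensitive matching with "*" as the only wildcard is an assumption.

```python
import re

ALLOW, DENY = "allow", "deny"

def matches(pattern, api):
    """True if api matches pattern; '*' stands for any run of characters."""
    # Assumption: matching is case-sensitive and '*' is the only wildcard.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, api) is not None

def evaluate(rules, api):
    """Return (permission, pattern) for the first rule that matches api.

    Rules are compared in order; an API that no rule lists is denied.
    """
    for pattern, permission in rules:
        if matches(pattern, api):
            return permission, pattern
    return DENY, None

def shadowed_denies(rules, apis):
    """Find deny rules that never take effect for an API because an
    earlier allow rule matches it first.

    Returns a list of (api, winning_allow_pattern, shadowed_deny_pattern).
    """
    findings = []
    for api in apis:
        hits = [(p, perm) for p, perm in rules if matches(p, api)]
        if hits and hits[0][1] == ALLOW:
            findings += [(api, hits[0][0], p) for p, perm in hits[1:] if perm == DENY]
    return findings

# Constructed sample of API names used to exercise the rule lists.
SAMPLE_APIS = ["listAccounts", "listVirtualMachines", "disableAccount",
               "disableUser", "createNetwork"]

# The order the page recommends: deny rules first, then allow rules.
DENY_FIRST = [("disable*", DENY), ("list*", ALLOW)]
# The mistake the page warns about: a broad allow ahead of the deny.
ALLOW_FIRST = [("*", ALLOW), ("disable*", DENY)]

if __name__ == "__main__":
    for name, rules in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name)
        for api in SAMPLE_APIS:
            print(f"  {api}: {evaluate(rules, api)[0]}")
        for api, allow_p, deny_p in shadowed_denies(rules, apis=SAMPLE_APIS):
            print(f"  WARNING {api}: '{allow_p}' allows before '{deny_p}' can deny")
```

Running the check against a role's rule list before assigning the role to accounts shows which deny rules have no effect in the current order.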

Reordering the Rules

After creating the rules, you can reorder them using the drag-and-drop icon at the left of each rule. Reordering the rules is useful when you want to group the rules by category. You might want to reorder the rules to ensure that all "deny" permissions come first, followed by "allow", or you can use this feature to move a newly added rule to a particular place. The diagram below shows how to do this.

Changing the permission of a rule

Every rule has either "Allow" or "Deny" as its permission, which means it will either allow the user to perform that action or deny it. Once you have set the permission for a rule, you can change it later as shown below.


Deleting a rule from a role

You can delete a rule from a role at any time by clicking the delete rule icon.


Verifying the permissions of the newly created role and account

Log in to the CloudStack UI using the username, password and domain name created above. According to the rules created above, a normal user should not have permission to disable any feature in CloudStack. To verify this, try to disable any account, and you will see this exception: