Authors: Sri Ram Pisupati (IBM PowerVC - Information Development) & Archana M Prabhakar (IBM PowerVC - System software engineer)
With release 1.3.1, PowerVC has enabled support for multiple PowerVC projects—sometimes also referred to as multi-tenancy. This allows you to isolate resources (networks, volumes, images and virtual machines) to a single project, and therefore helps you more easily control who can access resources using role-based security with the new PowerVC projects. When using Cloud PowerVC Manager, self-service users are limited to only using deploy templates for images that are assigned to their project.
Scenario without multiple projects
In the past, all resources were under a single project and projects were not exposed in the user interface. In this scenario, a user with authority to delete virtual machines could accidentally delete a set of machines that belonged to another user since all users were managing the same set of resources.
Erroneous actions similar to the one discussed above can be prevented by segregating the resources and assigning specific roles to the users working on a project or multiple projects.
Overview – Multiple Projects
Projects (sometimes referred to as tenants) allow you to separate resources into units of ownership. A project can consist of virtual machines, volumes, images and networks. Other PowerVC constructs, such as storage connectivity groups and compute templates, do not belong to a specific project. Administrators can create and manage projects by using the openstack project create and openstack project set commands respectively. To assign roles to users in a project, administrators need to use the openstack role add command. Every user can be assigned different roles in each project.
When you log in to the PowerVC user interface, you only will be able to view or work with the resources that belong to your current project.
Use Case - A user arc1_vmuser with role vm_user has access to 2 projects namely Test and Development.
Scenario 1 - arc1_vmuser logs into the Test project. TestImage, TestNetwork, TestProject_VM and the volumes shown in the images below are specific to the project Test.
If you have a role on a different project, you can easily switch to the other project using the ‘Change Project’ feature from the Projects drop-down menu. You do not have to log out of the current session in order to switch to a different project.
Scenario 2 - arc1_vmuser has access to another project Development and when he logs into this project, he can view resources DevImage, DevProject_VM, DevNetwork and volumes specific to this project only. He cannot view the images, networks, volumes and virtual machines of the Test Project.
You can see the ‘Roles’ blog for more information on roles.
As mentioned earlier, each project is a group of resources. However, volumes may be moved across projects by unmanaging them and then managing them in the new project.
As you can see, projects are a useful way to control access to resources. If you have any comments or questions, be sure to submit them to our forum. And do not forget to follow us on LinkedIn, Facebook, and Twitter.