10.3. Managing domains, users, and projects

Acronis Cyber Infrastructure uses the administrative hierarchy of domains and projects with Role-Based Access Control (RBAC) to manage virtual objects of the compute cluster, such as virtual machines, volumes, and virtual networks. A domain is an isolated container of projects and users with assigned roles. Each project and user can only belong to one domain. A project is an isolated container of virtual objects with defined limits for virtual resources, such as vCPU, RAM, storage and floating IP addresses, and assigned users. A role is global and defines all of the possible tasks the user may perform at the level of the entire cluster, a specific domain, or project:

  • Within the cluster, you can perform system administration tasks.
  • Within a domain, you can create and manage user accounts, and assign them to projects.
  • Within a project, you can create and manage virtual objects.

Such an implementation provides an administrative environment with its own users and virtual objects, and ensures their isolation from other users and virtual objects.

10.3.1. Managing domains

During the primary node deployment, the unique Default domain is created along with the default user account and project. This domain is used by the system for different services. It is marked with the System tag and cannot be modified or deleted. Only within the Default domain can you create system administrators with access to the admin panel.

To create a new domain, do the following:

  1. On the Settings > Projects and users screen, click Create domain.

  2. In the Create domain window, specify the domain name and, optionally, a description.

  3. Click Create.

Enabling and disabling a domain means allowing and prohibiting access to it, respectively, in the self-service panel.

To edit, disable/enable, or delete a domain, click the ellipsis button next to it and select the desired action. A domain cannot be deleted if it has projects.

10.3.2. Managing domain users

A user can be assigned one of the following roles:

  • A system administrator has access to the admin panel and can perform system administration tasks depending on the assigned permissions. It is the only role that enables creating projects and defining quotas for them. Additionally, a system administrator with domain permissions can manage virtual objects in all projects within the Default domain, as well as project and user assignment in the self-service panel.
  • A domain administrator can manage virtual objects in all projects within the assigned domain, as well as project and user assignment in the self-service panel. A domain administrator can only be assigned to one domain.
  • A project member acts as a project administrator in a specific domain in the self-service panel. A project member can be assigned to different projects and can manage virtual objects in them.

Within the Default domain, the default administrator account is created with the unique Superuser permission. The user name for this account is admin and the password is specified during the primary node deployment. This account cannot be deleted or disabled and its permissions cannot be changed. Other than that, admin does not differ from a user who is assigned the System administrator role.

The Default domain also contains system users, which are used by the system for different services. Such users are marked with the System tag and cannot be modified or deleted in the admin panel.

To view and edit existing users of a domain or create new ones, click the desired domain and go to the Domain users tab. Creating a user account differs slightly depending on the user role and is described in the sections below.

To edit the user credentials or permissions, click the ellipsis button next to the user, and then click Edit. Any system administrator can also change their password by clicking the user icon in the top right corner of the admin panel, and then clicking Change password.

Enabling and disabling a user account means allowing and prohibiting user login, respectively.

To enable/disable or remove a user, click the corresponding ellipsis button and select the desired action.

10.3.2.1. Creating system administrators

Note

System administrators can be created only within the Default domain.

To create a system administrator, do the following:

  1. On the Settings > Projects and users screen, click the Default domain.
  2. Go to the Domain users tab, and then click Create user.
  3. In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.
  4. Select the System administrator role from the Role drop-down menu.
  5. Choose the permissions to be granted to the user account from the System permission set section:
    • Full (System administrator): has all permissions and can perform all management operations, including creating projects and managing other users.
    • Compute: can create and manage the compute cluster.
    • ISCSI: can create and manage iSCSI targets, LUNs, and CHAP users.
    • S3: can create and manage the S3 cluster.
    • ABGW: can create and manage the Backup Gateway cluster.
    • NFS: can create and manage NFS shares and exports.
    • Cluster: can create the storage cluster, join nodes to it, and manage (assign and release) disks.
    • Network: can modify networks and traffic types.
    • Update: can install updates.
    • SSH: can add and remove SSH keys for access to cluster nodes.
    • None (Viewer): can monitor cluster performance and parameters but cannot change any settings.
  6. Optionally, enable the Domain permissions set to be able to manage virtual objects in all projects within the Default domain and other users in the self-service panel.
  7. Click Create.

10.3.2.2. Creating domain administrators

To create a domain administrator, do the following:

  1. On the Settings > Projects and users screen, click a domain for which the administrator will be created.
  2. Go to the Domain users tab, and then click Create user.
  3. In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.
  4. Select the Domain administrator role from the Role drop-down menu.
  5. Optionally, select the Image uploading check box. The state of this permission will be inherited by the users created by this domain administrator.
  6. Click Create.

10.3.2.3. Creating project members

To create a project member, do the following:

  1. On the Settings > Projects and users screen, click a domain within which the user will be created.
  2. Go to the Domain users tab, and then click Create user.
  3. In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.
  4. Select the Project member role from the Role drop-down menu.
  5. Optionally, select the Image uploading check box. If this option is disabled, this user will not be able to upload images.
  6. Optionally, click Assign and select a project this user will be assigned to.
  7. Click Create.
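
The role rules in sections 10.3.2.1 to 10.3.2.3 can be checked against a planned set of accounts before they are created in the admin panel. The following Python check is an added example, not Acronis code or an Acronis API: the plan schema, the function name audit_plan, and the sample users and projects are assumptions constructed for illustration.

```python
from collections import Counter

# Permission sets from the "System permission set" list; "None" is None (Viewer).
SYSTEM_PERMISSIONS = {"Full", "Compute", "ISCSI", "S3", "ABGW", "NFS",
                      "Cluster", "Network", "Update", "SSH", "None"}
ROLES = {"System administrator", "Domain administrator", "Project member"}

def audit_plan(users, projects):
    """Return sorted (user name, finding) pairs for a planned set of accounts.

    users: dicts with name, domain, role, permissions, projects (assumed schema).
    projects: set of (domain, project name) pairs that exist or are planned.
    """
    findings = set()
    seen = Counter((u["domain"], u["name"]) for u in users)
    for u in users:
        name, domain, role = u["name"], u["domain"], u["role"]
        perms = set(u.get("permissions", []))
        if seen[(domain, name)] > 1:  # user names must be unique within a domain
            findings.add((name, "user name not unique within domain"))
        if role not in ROLES:
            findings.add((name, "unknown role"))
        if role == "System administrator":
            if domain != "Default":  # system administrators exist only in Default
                findings.add((name, "system administrator outside Default domain"))
            if perms - SYSTEM_PERMISSIONS:
                findings.add((name, "unknown system permission"))
            if "Full" in perms:  # least-privilege review item, not a rule violation
                findings.add((name, "review: Full permission set"))
        elif perms:
            findings.add((name, "system permissions on a non-system role"))
        for project in u.get("projects", []):
            if role != "Project member":  # only project members are assignable
                findings.add((name, "only project members are assigned to projects"))
            elif (domain, project) not in projects:
                findings.add((name, "project does not exist in the user's domain"))
    return sorted(findings)

# Constructed sample plan, not taken from a real cluster.
PROJECTS = {("Default", "admin"), ("tenant-a", "web"), ("tenant-a", "db"), ("tenant-b", "web")}
USERS = [
    {"name": "ops-net", "domain": "Default", "role": "System administrator", "permissions": ["Network", "Update"]},
    {"name": "ops-all", "domain": "Default", "role": "System administrator", "permissions": ["Full"]},
    {"name": "root-a", "domain": "tenant-a", "role": "System administrator", "permissions": ["Compute"]},
    {"name": "alice", "domain": "tenant-a", "role": "Project member", "projects": ["web", "db"]},
    {"name": "alice", "domain": "tenant-b", "role": "Project member", "projects": ["db"]},
    {"name": "dom-b", "domain": "tenant-b", "role": "Domain administrator", "projects": ["web"]},
]
```

The two alice accounts do not collide because user names only have to be unique within a domain; the second one is flagged because the db project exists only in tenant-a.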

10.3.3. Managing projects

The Default domain has the default admin project, which is a bootstrap project for initializing the compute cloud. It cannot be deleted or renamed.

The Default domain also contains system projects, which are used by the system for different services. Such projects are marked with the System tag and cannot be modified or deleted in the admin panel.

To create a new project, do the following:

  1. On the Settings > Projects and users screen, click a domain within which the project will be created.

  2. On the Projects tab, click Create project.

  3. In the Create project window, specify the project name and, optionally, a description. The project name must be unique within a domain.

  4. (Optional) To disable the created project, clear the Enabled check box.

  5. Define quotas for virtual resources that will be available inside the project. To specify a certain value for a resource, clear the Unlimited check box next to it first.

    If you have not yet deployed the compute cluster, you cannot set the project’s quotas. Create the compute cluster, as described in Creating the compute cluster, and then return to defining the project’s quotas, as described in Editing quotas for projects.

    Note

    As quotas can exceed the existing virtual resources and virtual resources are not reserved for each project, a system administrator needs to ensure the compute cluster has enough virtual resources for all projects in all domains.

  6. Click Create.

    Note

    The default storage policy must be shared with projects that will use the Kubernetes-as-a-service feature.

Once the project is created, you can open its panel to view its properties on the Properties tab, list its members on the Members tab, and monitor its resource consumption on the Quotas tab.

Enabling and disabling a project means allowing and prohibiting access to it, respectively, in the self-service panel.

To edit, enable/disable, or delete a project, click the ellipsis button next to it and select the desired action. A project cannot be deleted if it has virtual objects.

10.3.3.1. Assigning members to projects

You can manage the assignment of project members on either the Projects tab or the Domain users tab.

To assign a user to a project, do one of the following:

  • Within the domain, open the Projects tab:

    1. Click the project to which you want to assign users.
    2. On the project right pane, click Assign members.
    3. In the Assign members window, select one or multiple users to assign to the project. Optionally, click Create and assign to create a new project member in a new window. Only user accounts with the Project member role are displayed.
    4. Click Assign.
  • Within the domain, open the Domain users tab:

    1. Click the user account with the Project member role whom you want to assign to the project.
    2. On the user right pane, click Assign to project.
    3. In the Assign user to projects window, select one or multiple projects, and then click Assign.

You can monitor user assignment to projects either on the Members tab of the project panel or on the Projects tab on the user panel.

To unassign a user from a project, do one of the following:

  • Within the domain, open the Projects tab:

    1. Click the project from which you want to unassign users.
    2. On the project right pane, open the Members tab.
    3. Click the cross icon next to a user you want to unassign.
  • Within the domain, open the Domain users tab:

    1. Click the user whom you want to unassign from the project.
    2. On the user panel, open the Projects tab.
    3. Click the cross icon next to the project from which you want to unassign the user.

10.3.3.2. Editing quotas for projects

To change resource quotas for a project, do the following:

  1. Click the project for which you want to edit quotas.

  2. On the project right pane, click Edit quotas.

  3. In the Edit quotas window, specify new values for the desired virtual resources.

    Note

    The default storage policy must be shared with projects that will use the Kubernetes-as-a-service feature.

  4. Click Save to apply changes.