Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Sub-Pages and Page Search

Page Tree
expandCollapseAlltrue
root@self
searchBoxtrue

Use Cases

IDTitlePrimary ActorSecondary ActorDescription
NTT-1

Hierarchical Admin roles


Supervisor/ High level adminsRegional Support team members

In a large operator with multi-location, multi-tenant environment, there are requirements for multiple operator/support teams looking after their local user/customers, and high level administrators who are supervising multiple of those teams.

Example use case

"regional support team A" is looking after customers #1 to #1000 in their location and have access to customer's resources.

"regional support team B" is looking after customers #1001 to #2000 in their location and have access to customer's resources.

"Supervisor A" is a manager responsible for regional support team A and B and has "admin" access to resources of customers #1 to #2000

"Supervisor B" is a manager responsible for other support teams(C and D) and has "admin" access to resources of customers #2001 to #4000

Regional support team A can not access to resources of customers #1001 to #2000 and vice versa.


NTT-2Managed VMsService providertenant user/customer

Service provider provides "Service VMs" to customers.

”Service VMs” adds functions/ capabilities to customer's tenant network, i.e. FW, Storage, LB

Service VMs are managed by service providers and customers do no have direct access to VMs including control over Nova APIs and console. 

Example customer network

  • VM1: customer's server
  • VM2: customer's server
  • VM3: ServiceVM1(FW)  managed by provider1
  • VM4: Service VM2(IDS) managed by provider2

VM3 and 4 are created by service providers based on service order from the customer.

Customer have control over VM1 and 2 but can not control(e.g. delete/update/detach/console access) VM3 and 4.

VM3 and VM4 have web-based control GUI for customers to config.

NTT-3API filteringOperatorEnd users/customers

A cloud operator exposes OpenStack APIs to end customers.

The operator wants to restrict users to access immature functions. (e.g. New/experimental functions not well tested by the community/operator)

The operator wants to make APIs invisible to the end users, or restrict users to access to the APIs (granularity of request parameters is necessary for APIs like /servers/{id}/action)

*Note: This can be achieved by editing policy.json but not sure if every projects have implemented policy enforcement to every API/features so this might end up checking all APIs in every projects...

Related LCOO Session, OpenStack Submissions/efforts/projects

...

 Todo: For any requirements or development type items: Create work items for each item below in the Jira which is a dedicated JIRA project that has been created for managing the various work items through their life-cycle.

TaskDescriptionAssigneesStatusReference