Users and Groups
Users
VM Squared users are individuals defined by a username and a password, which are used to log in to the dashboard. Each user is stored with a unique ID and is assigned to at least one group. After a successful deployment of VM Squared, two administrative accounts exist: serveradmin and admin.
The different types of users available in VM Squared are:
- Cloud administrators (admin), created when VM Squared is first started. The admin account has elevated privileges that allow it to perform any operation on any object within the system. Any other users created and assigned to the oneadmin group have these same privileges.
- Group administrators which manage a limited subset of resources and users.
- Users which are the basic individuals that have simplified views and limited access to create objects (e.g. VMs) at the group admins’ discretion.
- serveradmin, also created during VM Squared initialization. Its password is generated randomly, and the account is used by Glasshouse to communicate with the Manifold API.
Creating users
To create a new user, navigate to System -> Users on the dashboard’s left navigation menu and click the to open the wizard.
The wizard requires a few fields to be populated, as seen above.
- Provide a username
- Provide an initial password (can be changed later)
- Select authentication method
- Assign user to one main group, and optionally, many others.
If you are a service provider for a multi-tenant customer, you can be the main point of contact within the customer organization, and have membership across all their tenants.
Deleting users
If a user or group is assigned as the owner or manager of an object within VM Squared, those assignments must be removed before the user is deleted, so that the system can cleanly remove the user's identity and access.
Users must be free of:
- any objects owned or managed by the User, such as VMs, Templates, etc.
Groups
Groups provide a platform for resource management and access control within the cloud infrastructure. To customize a newly instantiated cloud for an individual customer, the first thing to do is to create a Group, which can be found under System -> Groups. Groups are the tenancy construct that ties Users to the pools of resources they can provision. They also let you manage the user experience for those interacting with VM Squared.
Creating Groups
To create a Group, open System -> Groups from the sidebar menu, then press
From here, you will need to supply a few pieces of information:
- Group Name
- The type of view to be seen by the inhabitants of the group, either User or Administrator.
- The Cloud Layout provides a relatively locked-down environment, representing the simplest way to give users a cloud-like experience. They’ll be able to provision the resources that are made available to them, but won’t be able to view anything related to the infrastructure.
- The Advanced Layout provides additional manageability of infrastructure components, and the Administrator layout selection provides the ability to interact with lower-level resources. This level of control (Advanced Layout) should not be provided to tenants.
- An Administrator can be created if desired. Although not required, it can be useful to have a super-user (a user with elevated authority) within a Group. For example, the Administrator could create additional Users in the Group and manage Group permissions.
- Permissions for resource creation can be set on this tab. This allows the IT Operations team control over resource usage while maintaining freedom of the Users to provision what they need.
- Default system behaviour of Images can be assigned
- If you select the option to make new Images persistent, this will break the clone relationship with the base image and will consume the entire space as advertised in the Image definition.
All Groups are added to the default Virtual Data Center (VDC). A VDC is a hierarchical domain that contains allotted combinations of Clusters, Hosts, Virtual Networks, and Datastores.
Clusters are containers for Hosts, Virtual Networks, and Datastores. By default, all of the VM Squared constructs listed above are added to the Default cluster, and the Default cluster resides in the default Virtual Data Center.
Permissions overview
Access Control Lists (ACLs) can provide blanket rules for the cluster(s) to restrict or allow certain access and privileges.
ACLs provide granularity to the control allowed across an entire cloud infrastructure and are globally replicated across zones, which is convenient for multi-site deployment.
Creating an ACL starts the same way as most other objects in the Dashboard. The creation screen can be found under the Permissions of a Group; from there, work through the options in the wizard and click next and the to finalize and initialize the ACL Rule.
- The ACL Rules can apply at many levels: user, group, and/or zone.
- Select affected resources
- Select resource subset filter
- Select allowed operations
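The following is an added illustration of the four parts of an ACL Rule listed above (who it applies to, which resource types, which subset of them, and which operations). It is not VM Squared's or Manifold's code; the rule encoding, the matching semantics (allow-only rules, deny by default) and the sample rules are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    subject: str           # "user:<name>", "group:<name>" or "zone" (everyone)
    resources: frozenset   # affected resource types, e.g. {"VM", "TEMPLATE"}
    subset: str            # resource subset filter: "all", "owned" or "group:<name>"
    operations: frozenset  # allowed operations, e.g. {"USE", "MANAGE"}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # every group the requesting user belongs to
    rtype: str             # type of the resource being accessed
    owner: str             # username that owns the resource
    rgroup: str            # group that owns the resource
    op: str                # requested operation

def _subject_matches(rule: Rule, req: Request) -> bool:
    kind, _, name = rule.subject.partition(":")
    if kind == "zone":
        return True
    if kind == "user":
        return name == req.user
    return kind == "group" and name in req.groups

def _subset_matches(rule: Rule, req: Request) -> bool:
    kind, _, value = rule.subset.partition(":")
    if kind == "all":
        return True
    if kind == "owned":
        return req.owner == req.user
    return kind == "group" and value == req.rgroup

def is_allowed(rules, req: Request) -> bool:
    """Deny by default (assumed): allowed only if one rule matches on all four parts."""
    return any(_subject_matches(r, req) and req.rtype in r.resources
               and _subset_matches(r, req) and req.op in r.operations
               for r in rules)

# Constructed sample rules (assumed values, not from a real deployment).
RULES = [
    # tenant-a members may USE/MANAGE VMs and Templates that belong to their group
    Rule("group:tenant-a", frozenset({"VM", "TEMPLATE"}), "group:tenant-a",
         frozenset({"USE", "MANAGE"})),
    # anyone in the zone has full control over Templates they own themselves
    Rule("zone", frozenset({"TEMPLATE"}), "owned",
         frozenset({"USE", "MANAGE", "ADMIN"})),
]
```

Because nothing is allowed unless a rule matches on every part, a tenant can only reach resources of another tenant if a rule explicitly grants it, which is the property to check when reviewing a Group's Permissions.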
Deleting groups
Within VM Squared, there is a hierarchy of access and dependencies. The different parts of the system rely on this hierarchy to restrict bleed-over of resources and visibility of the infrastructure to those not allowed or required to manage it. For this reason, if a Group is no longer needed, it must be void of all attachments before deletion.
Groups must be free of:
- any Users that are assigned to the Group and
- any objects owned or managed by the Group (e.g. VMs, Templates), etc.
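As an added example covering both the "Deleting users" and "Deleting groups" rules above, the audit below models the dependencies that block deletion: a User must own no VMs or Templates, and a Group must have no member Users and own no objects. The inventory model, its field names and the sample data are assumptions for this illustration and not VM Squared's or Manifold's API.

```python
from dataclasses import dataclass

@dataclass
class Obj:
    kind: str    # e.g. "VM" or "Template"
    name: str
    owner: str   # owning username
    group: str   # owning group name

@dataclass
class Inventory:
    users: dict    # username -> set of group names the user belongs to
    objects: list  # list of Obj

def user_deletion_blockers(inv: Inventory, username: str) -> list:
    """Reasons why `username` cannot yet be deleted: objects it still owns."""
    return [f"{o.kind} '{o.name}' is owned by user '{username}'"
            for o in inv.objects if o.owner == username]

def group_deletion_blockers(inv: Inventory, group: str) -> list:
    """Reasons why `group` cannot yet be deleted: member users first,
    then objects the group still owns or manages."""
    reasons = [f"user '{u}' is still a member of group '{group}'"
               for u, gs in inv.users.items() if group in gs]
    reasons += [f"{o.kind} '{o.name}' is owned by group '{group}'"
                for o in inv.objects if o.group == group]
    return reasons

def can_delete_user(inv: Inventory, username: str) -> bool:
    return not user_deletion_blockers(inv, username)

def can_delete_group(inv: Inventory, group: str) -> bool:
    return not group_deletion_blockers(inv, group)

# Constructed sample inventory for the illustration (not real data).
SAMPLE = Inventory(
    users={"alice": {"tenant-a"}, "bob": {"tenant-a", "tenant-b"}, "carol": {"tenant-b"}},
    objects=[Obj("VM", "web-01", "alice", "tenant-a"),
             Obj("Template", "base-ubuntu", "alice", "tenant-a"),
             Obj("VM", "db-01", "carol", "tenant-b")],
)

if __name__ == "__main__":
    for u in SAMPLE.users:
        print(u, "deletable" if can_delete_user(SAMPLE, u)
              else user_deletion_blockers(SAMPLE, u))
    for g in ("tenant-a", "tenant-b", "tenant-c"):
        print(g, group_deletion_blockers(SAMPLE, g) or "deletable")
```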
Authentication Methods
When creating user accounts you have the option of setting the Authentication Type. Most of the time the default of core is correct, as it uses the built-in VM Squared password management process. If you require an alternative authentication type, you can use one of the other options. Most use cases will use either LDAP or Core based authentication.
- core: in-built password management.
- public: Kerberos based access to Glasshouse.
- ssh: SSH key-based access.
- x509: certificate-based (requires an external proxy).
- ldap: LDAP Directory access mapped to local groups; see the CLI section.
- server_cipher: symmetric key for Glasshouse.
- server_x509: x509 for Glasshouse.
- custom: custom authentication driver.