Ganeti Web Manager features a very flexible permission system. It’s powered by our django object permissions middleware, which grants permissions at an object level. It can grant permissions per cluster and per virtual machine. Ganeti Web Manager also supports groups, for easier management.
Groups and Users are interchangeable. Permissions and quotas can be assigned to either groups or users. At the OSL, groups represent one of the many open source projects we host. It is easier to manage access when everyone is assigned to their respective project groups.
Members of a group act on its behalf. Each groups is assigned a quota, and group members create virtual machines that consume it. The virtual machines belong to the group, not the individual. Users can choose whichever persona they want to act on behalf of, themselves or a group, and Ganeti Web Manager will permit them accordingly.
Permissions are fine grained so any set of permissions can be assigned. Here is a sample:
- Clusters – creating virtual machines.
- Virtual Machine - modifying, starting, stopping, rebooting and console access.
Admins are granted all permissions for an object. They also have the ability to manage permissions for other users. This empowers users to manage their own groups, clusters, and virtual machines freeing site admins to perform other tasks.
Admin permissions can be set at three levels:
- Virtual Machine Admins – can manage a specific virtual machine.
- Cluster Admins – can create and manage any virtual machines within that cluster.
- Site Admins (superusers) – total access to all clusters and virtual machines. Includes the ability to bypass quota and cluster restrictions.
Permissions and admins are meant to be combined in different scenarios:
- Fully managed - users have no access at all. Only admins can create, reboot, or modify.
- Partially managed - users can’t create virtual machines, but they have some limited ability to manage them.
- Self Service - users can create virtual machines on demand. They can create and manage their own virtual machines as needed.
- User Managed Cluster - a user has control of an entire cluster.
The default scenario is a fully managed (closed) system in which users must be granted permissions. A different scenario can be used for each cluster managed by a single instance of Ganeti Web Manager. At the OSL, we will be using several different scenarios. Our production web cluster is fully managed, but some clients own an entire cluster and will manage it themselves.
Ganeti Web Manager has a basic quota system that limits consumption of RAM, disk space, and virtual CPUs (threads). In a self service model quotas are used to divide the resources amongst the users. Clusters default to unlimited quota and this can be changed per cluster. Quotas can also be changed per user as needed.