Skip to content

Managing projects

Using the Resource Portal

It is a common use case that one needs to modify the users/egroups with access to a shared project, or transfer the ownership of a project. All of these and more actions can be performed from the "CERN Resources Portal". More accurately, you can access the "Cloud Infrastructure" section here

If you are logged in, a list of the OpenStack Projects owned by you will show up. For security reasons, only the owner of a project can perform actions such as adding users to a project or transferring the ownership, so if the project you are insterested in modifying does not appear, please contact the owner directly and either ask her/him to perform the desired action.

Cloud Infrastructure Projects

If you click in the '[details]' button of a shared project, a screen like this will appear:

Cloud Infrastructure Projects

From here you can perform several actions such us:

  • Editing the description of the project
  • Allow access to operators
  • Allow access to supporters
  • Change the owner of the project
  • Add or remove members (NOTE: to add a member, its username has to be introduced in the textbox, then click "validate" and once the username appears, click on add to effectively have it added.
  • Set default landb-mainuser and landb-responsible properties for the project

Setting default landb-mainuser and/or landb-responsible in a project

In the resources website, you can set the default values for landb-mainuser and landb-responsible on a project.

When a VM creation request is made, the API looks (in the field exists, it is used, if not it continues with the next step):

  1. VM metadata property specified at creation time.
  2. Project property when the VM was created.
  3. User that triggers the operation.

Note: Setting the project property does not modify already created instances. If you want to modify it on those you need to explicitely set the VM metadata property on all of them.

Using the CLI

If you are the owner of the project, or if you are one of its members, you can manage the ACLs using the CLI. As member you can view the ACLs on the project you are in. Adding or removing ACLs need always the owner role.

First you need to point your environment to the project you want to look at

$ export OS_PROJECT_NAME='My Project'

Important: You can only look at the ACLs of the project you are connected. If you receive a Unauthorized Message, please check your environment.

If you have any role in the project like owner and/or Member, you can list the ACLS by typing:

$ openstack role assignment list --names --project 'My Project'
+--------+----------------+-------------------------+-------------- -----+--------+--------+-----------+
| Role   | User           | Group                   | Project            | Domain | System | Inherited |
+--------+----------------+-------------------------+--------------------+--------+--------+-----------+
| owner  | myuser@Default |                         | My Project@Default |        |        | False     |
| Member |                | this-is-a-group@Default | My Project@Default |        |        | False     |
+--------+----------------+-------------------------+--------------------+--------+--------+-----------+

If you want to see all the members by expanding the groups you can use the --effective parameter

$ openstack role assignment list --names --project 'My Project' --effective
+--------+----------------+-------+--------------------+--------+--------+-----------+
| Role   | User           | Group | Project            | Domain | System | Inherited |
+--------+----------------+-------+--------------------+--------+--------+-----------+
| owner  | myuser@Default |       | My Project@Default |        |        | False     |
| Member | myuser@Default |       | My Project@Default |        |        | False     |
| Member | user1@Default  |       | My Project@Default |        |        | False     |
| Member | user2@Default  |       | My Project@Default |        |        | False     |
| Member | user3@Default  |       | My Project@Default |        |        | False     |
+--------+----------------+-------+--------------------+--------+--------+-----------+

If you have the owner role, you can add users or groups to the project with the Member role. At this moment the Member role is the only one available to be configured by end users.

If we want to add the user4 and my-other-group to the project, we can use the following commands.

$ openstack role add --user user4 --project 'My Project' Member
$ openstack role add --group my-other-group --project 'My Project' Member

To remove these users, we can use the following:

$ openstack role remove --user user4 --project 'My Project' Member
$ openstack role remove --group my-other-group --project 'My Project' Member

To list the roles on all projects where we have the owner or Member role:

$ openstack project list -f value -c ID | xargs -n1 -I{} OS_PROJECT_ID={} openstack role assignment list --names --project {}
Last update: December 7, 2022