CREATE/MODIFY PROJECT:
Project's properties:
====================================
* name(unique)/displayText
* owner of the project
* zone the project belongs to - the project can't belong to more than one zone
* resource Limits (# of snapshots, volumes, vms, etc)
* resource pool (CPU, RAM)
API: createProject. This call is always available to the cloudStack Root/Domain admin, and is available to a cloudStack regularUser only when the global config "allow.user.project.creation" is set to true.
Parameters:
* zoneId - required
* owner - the owner of the project
* name - required, unique
* displayText - required
API: modifyProject - can be called only by the project owner and cloudStack domain/Root admin:
Parameters:
* displayText (optional) - new display text of the project
* newOwner (optional) - new owner of the project.
API: listProjects - will list the project and all users that belong to it
PROJECT USERS:
Project user's roles:
=============================
Project owner - can invite/remove users; change the project ownership; manage other users' resources within the project
Project admin - can manage other users' resources within the project
Project regularUser - can manage only his own resources within the project
Every project member can always list all the resources belonging to the project
Account can own multiple projects
Account can belong to multiple projects
No cross domain projects; 2 accounts from different domains can't join the same project.
Invitation process:
=============================
new global config parameter "project.invite.required"
"project.invite.required"=false:
addAccountToProject (account/projectId parameters are required) api automatically assigns account to the project
"project.invite.required"=true:
1) addAccountToProject api adds the account to the project with the "pending" flag set to true. While pending is true, the invitee can't see the project's resources until he confirms the invitation with the joinProject api call - see next.
2) joinProject - sets the "pending" flag to false, and the joinee account can create/list resources within the project
API: addAccountToProject
Parameters:
* projectId (required)
* accountName (required)
API: joinProject
Parameters:
* projectId (required)
* accountName (required)
API: removeAccountFromProject - after the account is removed from the project, all his resources stay with the project.
Parameters:
* projectId (required)
* accountName (required)
PROJECT RESOURCE LIMITS:
=====================================
API: updateResourceLimit/listResourceLimits (API already exists, can be called by root/domain admins only) - will allow setting resource limits for the project
Parameters:
* projectId(optional)
Resource limits for the project are independent of account/domain resource limits
RESOURCE CREATION WITHIN THE PROJECT
======================================
Following resources can be created within the project scope:
- network - available for the project in Advanced zone only. Only one network can be created per project, and it should be a Guest Virtual network
- virtualMachine
- volume
- template
- snapshot
- ipAddress
- PF/LB/VPN rules
- Security groups in Basic zone
PROJECT CLEANUP:
======================================
- deleteProject (new API call, projectId is required) - cleans up all the resources belonging to the project
- deleteDomain - deletes all the projects belonging to the domain
- delete project owner (deleteAccount api call) - is not allowed. An error message saying "The account manages project(s) <name(s)> and can't be removed" would be thrown. The account can be removed only after 1) the ownership of the project changes or 2) the project(s) are removed.
Usage/Events/Alerts:
==============================================================
Add projectId info to:
- Usage events
- Action events
- Alerts
Security:
==============================================================
* Add new checker - Project checker - in addition to account/domain permission checkers; exercise it for every list* API command.
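The invitation flow and the Project checker described above, modelled together as an added example (not CloudStack code): a membership with "pending" set must fail every list/manage check until joinProject clears it. The class and method names are hypothetical, root/domain admin callers are left out, and having the invitee call join() himself is an assumption.

```python
from dataclasses import dataclass, field

OWNER, ADMIN, REGULAR = "owner", "admin", "regularUser"

@dataclass(frozen=True)
class Account:                      # hypothetical model type
    name: str
    domain: str

@dataclass
class Project:                      # hypothetical model type
    name: str
    domain: str
    owner: str
    invite_required: bool           # models global config "project.invite.required"
    members: dict = field(default_factory=dict)   # accountName -> [role, pending]

    def __post_init__(self):
        self.members[self.owner] = [OWNER, False]

    def add_account(self, caller, account):
        """addAccountToProject: owner-only, same domain only."""
        if self.members.get(caller.name, [None])[0] != OWNER:
            raise PermissionError("only the project owner can add accounts")
        if account.domain != self.domain:
            raise PermissionError("no cross domain projects")
        # pending=True only when an explicit joinProject is required
        self.members[account.name] = [REGULAR, self.invite_required]

    def join(self, account):
        """joinProject: clears the pending flag of an existing invitation."""
        entry = self.members.get(account.name)
        if entry is None:
            raise PermissionError("account was never added to the project")
        entry[1] = False

    def can_list(self, account):
        """Project checker for list* commands: confirmed members only."""
        entry = self.members.get(account.name)
        return entry is not None and not entry[1]

    def can_manage(self, account, resource_owner):
        """Owner/admin manage any resource; regularUser only his own."""
        if not self.can_list(account):
            return False
        role = self.members[account.name][0]
        return role in (OWNER, ADMIN) or resource_owner == account.name
```
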