Check-in
Authentication and Authorization integration
This section provides information on how to set up a Resource Centre providing cloud resources in the EGI infrastructure. Integration with FedCloud requires a working OpenStack installation as a pre-requirement. EGI supports any recent OpenStack version (tested from OpenStack Mitaka).
The following OpenStack services are expected to be available and accessible from outside the site:
The integration is performed by a set of EGI components that interact with the OpenStack services APIs:
cASO and SSM releases can be be obtained from GitHub:
The following services must be accessible to allow access to an OpenStack-based FedCloud site (default ports listed below, can be adjusted to your installation).
Port | Application | Note |
---|---|---|
5000/TCP | OpenStack/Keystone | Authentication to your OpenStack. |
8776/TCP | OpenStack/cinder | Block Storage management. |
8774/TCP | OpenStack/nova | VM management. |
9696/TCP | OpenStack/neutron | Network management. |
9292/TCP | OpenStack/glance | VM Image management. |
The EGI Cloud components require the following outgoing connections open:
Port | Host | Note |
---|---|---|
443/TCP | msg.argo.grnet.gr | ARGO Messaging System (used to send accounting records by SSM). |
8443/TCP | msg.argo.grnet.gr | AMS authentication (used to send accounting records by SSM). |
In order to get accounting information from your OpenStack, cASO needs to be run
with a user that is a member of the projects to extract accounting information
from and it’s allowed to access identity:list_users
and
identity:list_projects
in Keystone. Check
cASO documentation
for further information.
Regular user accounts will be managed by the
Federated Identity
features of OpenStack. These users are created into a specific OpenStack domain
for every configured identity provider. All users within the egi.eu
domain
will have a unique username. For users whose community identity is managed by
Check-in, this identifier is of the form <uniqueID>@egi.eu
. The <uniqueID>
portion is an opaque identifier issued by Check-in, for example:
$ openstack domain list
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
| 0125ed0ebc8045a49ed8c34c2a78740d | 0125ed0ebc8045a49ed8c34c2a78740d | True | Auto generated federated domain for Identity Provider: egi.eu |
| default | Default | True | The default domain |
+----------------------------------+----------------------------------+---------+---------------------------------------------------------------+
$ openstack user list --domain 0125ed0ebc8045a49ed8c34c2a78740d
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| ID | Name |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
| 2c096b11a1410d44e3936fa40479ad26eaa649cfd6887f06b3c6669e5d6c03d0 | efb8534478028XXXXXXXXXXXXXXXfeed9766fafc@sram.surf.nl |
| 933c692b53192e4d893e5ed5c026aa444acb4d75f6ee6c304422861207ce1ea5 | e9c37aa0d1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2867bc43581b835c@egi.eu |
| d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
+------------------------------------------------------------------+-------------------------------------------------------------------------+
If you have set the email of the user in the mapping, you will be able to also get this information:
$ openstack user show d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
| domain_id | 0125ed0ebc8045a49ed8c34c2a78740d |
| email | XXXX-redacted@example.com |
| enabled | True |
| federated | [{'idp_id': 'egi.eu', 'protocols': [{'protocol_id': 'openid', 'unique_id': '529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907%40egi.eu'}]}] |
| id | d52112709a37975903576f80f37dde4604d1a227c53cb1fef43c45981673640c |
| name | 529a87e5ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXe714cb1309cc3907@egi.eu |
| options | {} |
| password_expires_at | None |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------+
Every VO has a VO identity card available via the Operations Portal, where you can also get contact information for the VO managers.
VMs created by EGI’s Infrastructure Manager have additional metadata properties that can help to identify the workload:
$ openstack server show 0f3e1420-4480-4bea-95f1-9920a70b324d -c properties -f yaml
properties:
eu.egi.cloud.orchestrator: es.upv.grycap.im
eu.egi.cloud.orchestrator.id: 0afdc7ba-bf5d-11ed-9e89-86ce117c3fcf
eu.egi.cloud.orchestrator.url: https://appsgrycap.i3m.upv.es:31443/im
eu.egi.cloud.orchestrator.user: __OPENID__XXXXXXredacted
Authentication and Authorization integration
Accounting integration
cloud info provider configuration
Configuring GPU flavours
Summary of steps for configuring new VOs in OpenStack
Collection of useful resources for OpenStack administrators