flat no more hierarchical multitenancy and projects
play

Flat no more! Hierarchical multitenancy and projects acting as - PowerPoint PPT Presentation

Mar 24, 2024 •471 likes •969 views

Flat no more! Hierarchical multitenancy and projects acting as domains in OpenStack Andrey Brito, Henrique Truta and Raildo Mascena Universidade Federal de Campina Grande 1 Presenters Andrey Brito Professor - Universidade Federal de Campina

  1. Flat no more! Hierarchical multitenancy and projects acting as domains in OpenStack Andrey Brito, Henrique Truta and Raildo Mascena Universidade Federal de Campina Grande 1

  2. Presenters Andrey Brito Professor - Universidade Federal de Campina Grande (Brazil) Henrique Truta Lead Software Engineer - Universidade Federal de Campina Grande (Brazil) OpenStack ATC Raildo Mascena Software Engineer - Universidade Federal de Campina Grande (Brazil) OpenStack ATC 2

  3. Agenda ● Introduction of OpenStack ● Introduction of Keystone ● Hierarchical Multitenancy ● Nested Quotas ● Projects acting as domains ● Next steps 3

  4. 4

  5. Keystone ● The OpenStack component responsible for Identity management ○ Authorization ○ Authentication ○ Audit ● Supports multiple Identity providers ○ Federation ● Support for auth backends and frameworks such as LDAP and OAuth ● Enables Multitenancy 5

  6. Multitenancy: “A single instance of software that runs on a server and serves multiple tenants. A tenant is a group of users who share a common access with specific privileges to the software instance” 6

  7. A bit of history 7

  8. Multitenancy in OpenStack ● From Austin to Cactus: ○ One user → One tenant ○ A user could not belong to more than one tenant ○ Nova handled the authentication ● From Diablo to Folsom: ○ Keystone released in Diablo with API 2.0 ○ Kept the “one user → one tenant” model ○ Simple RBAC existed: Hardcoded to admin and member operations 8

  9. Multitenancy in OpenStack ● Grizzly and Havana: ○ v3 release ■ Domains introduced: Container of projects ■ Tenants became projects ■ Users no longer belong to the tenant, but to the domain ○ One user → Many projects ○ RBAC via policy file introduced ○ “admin” role is global 9

  10. Multitenancy in OpenStack ● Icehouse and Juno: ○ First efforts to eliminate global admin ○ Improvements on domain usage ■ Domain specific backends ■ Possibility of domain policy enforcement And Kilo... ● 10

  11. Hierarchical Multitenancy 11

  12. How to better represent that? UFCG CLOUD LSD ANALYTICS SPLAB SMART FOGBOW ... OPENSTACK BIGDATA PRE DIFERENTONA CITIES DEV CI KEYSTONE IRONIC MONASCA 12

  13. Workaround in a flat way · UFCG Cloud · LSD Domain · LSD_Fogbow Project . · LSD_BigData Project . · LSD_OpenStack_Keystone Project . ‘ · LSD_OpenStack_Ironic Project . · LSD_OpenStack_Monasca Project · Analytics Domain · Analytics_Research Project . 13

  14. Hierarchical Multitenancy · UFCG Cloud · LSD Domain · OpenStack Project · Keystone Subproject Hierarchical · Monasca Subproject Multitenancy · FOGBOW Project (HMT) · Dev Subproject · CI Subproject · Analytics Domain · ... Project 14

  15. Basic operations Operation OpenStack Call Create project create <p-name> [ --parent <parent_name> ] Read project show <p-name> [ --parents ][ --subtree ] Update project set <p-name> --description <p-description> Delete project delete <p-name> 15 14

  16. How can we improve the access control? 16

  17. Usual role assignments · UFCG Cloud · LSD · OpenStack Henrique as Project Manager · Keystone Henrique as PM · Monasca How to grant a role Henrique as PM to a user on a · Fogbow project subtree? · Dev · CI · Analytics · ... 17

  18. Inherited role assignments · UFCG Cloud · LSD · OpenStack Henrique as Project Manager · Keystone Keystone Inherited · Monasca Roles Assignment · Fogbow Concept · Dev · CI · Analytics · ... 18

  19. Role assignment operations Operation OpenStack Call Create role add <r-name> --user <u-name> --project <p-name> [ --inherited ] Read role assignment list --user <u-name> [ --inherited | --effective ] role remove <r-name> --user <u-name> --project <p-name> [ --inherited ] Delete 19

  20. Set Up · Projects Hierarchy · UFCG Cloud · LSD domain create lsd · OpenStack Henrique as PM project create openstack --domain lsd · Keystone project create keystone --domain lsd --parent openstack · Monasca project create monasca --domain lsd --parent openstack · User & Grant ● user create henrique --domain lsd --password tough_password ● role add project_manager --user henrique --project openstack --inherited 20

  21. Enforcing quota 21

  22. The current quota implementation ● The existing driver is useful to enforce quotas when projects are independent, but... ○ A quota for a subproject can exceed its parent’s quota ○ The project manager cannot control the subprojects’ quotas ● Others services do not support domains ○ Consequently, there are no quotas for domains ○ If you want project admins to handle their own users (i.e., give them domains), then you cannot control their quotas 22

  23. Current Quota Driver · UFCG Cloud · LSD · OpenStack Quota Instance = 50 · Keystone Quota Instance = 60 · Monasca Quota Instance = 10 Nested · Fogbow Quota Instance = 100 Quota · Dev Quota Instance = 30 · CI Quota Instance = 70 · Analytics · ... 23

  24. Nested Quota ● New driver that enforces quotas in nested projects ● Allocate part of the parents’ quota to their subtree ○ The project manager shares his quota: split his resources among his subprojects ○ Quota for a subproject will always be lower than its parent project 24

  25. Current Quota Driver · UFCG Cloud · LSD · OpenStack Quota Instance = 50 · Keystone Quota Instance = 60 · Monasca Quota Instance = 10 Nested · Fogbow Quota Instance = 100 Quota · Dev Quota Instance = 30 · CI Quota Instance = 70 · Analytics · ... 25

  26. Nested Quota · UFCG Cloud · LSD · OpenStack Quota Instance = 50 · Keystone Quota Instance = 30 · Monasca Quota Instance = 10 Nested · Fogbow Quota Instance = 100 Quota · Dev Quota Instance = 30 · CI Quota Instance = 70 · Analytics · ... 26

  27. What is the expected visibility of the cloud admin? 27

  28. Cloud admin delegating control Cloud admin creates domain and gives to the PM PM creates users, hierarchies and is able to set unlimited quotas PM CA A domain creates Domain S Sets quota=100.000 e t s q u o t a = 1 0 0 . 0 0 0 P P CA 28

  29. Cloud admin controlling Cloud admin creates domain, but it will not be a PM contacts CA when needs an operation like project creation and quota sets black box anymore PM CA contacts CA creates A domain Domain Sets quota=100 S e t s q u o t a = 2 0 P P 29

  30. Challenge: Give project managers the control of their resources, without giving them all resources of the cloud 30

  31. Projects acting as domains 31

  32. Representing with HMT · UFCG Cloud · LSD Domain · OpenStack Project · Keystone Subproject · Monasca Subproject HMT · Fogbow Project · Dev Subproject · CI Subproject · Analytics Domain · ... Project 32

  33. New Representation with PAAD · UFCG Cloud · LSD Project that acts as Domain · OpenStack Project · Keystone Subproject Projects · Monasca Subproject Acting as · Fogbow Project Domains (PAAD) · Dev Subproject · CI Subproject · Analytics Project that acts as a Domain · ... Project 33

  34. What has changed ● “LSD” is now a project (but also a domain) ○ Internally represented by the flag “is_domain” ○ It is still the container of users and projects ● But now the cloud admin is able to set its quota ● And the project managers can distribute their quota across the tree, as they creates subprojects 34

  35. Creating a new hierarchy 35

  36. Step 1: Cloud admin creates the project that acts as a domain POST /v3/projects is_domain=True LSD parent_id=None Body: domain_id=None { “name”: “LSD”, “description”: “My root project that acts as a domain”, “is_domain”: true } 36

  37. Alternative step 1: Using the domain API POST /v3/domains is_domain=True Body: LSD parent_id=None { domain_id=None “name”: “LSD”, “description”: “My root project that acts as a domain” } In the CLI: domain create lsd --description “My root project that acts as a domain” 37

  38. Step 2: User creates a regular project POST /v3/projects is_domain=True LSD parent=None Body: domain=None { “name”: “OpenStack”, “description”: “Project of OpenStack group”, is_domain=False OpenStack “is_domain”: false, parent=LSD domain=LSD “parent_id”: <lsd id> } In the CLI: project create openstack --parent lsd --domain lsd 38

  39. Step 3: User creates subprojects POST /v3/projects is_domain=True LSD parent=None Body: domain=None { “name”: “National marketing”, “description”: “Project of keystone team”, is_domain=False “is_domain”: false, OpenStack parent=LSD “parent_id”: <openstack id> domain=LSD } is_domain=False Keystone In the CLI: parent=OpenStack domain=LSD project create keystone --parent openstack --domain lsd 39

  40. Summary & Next steps 40

Recommend

On Flat versus Hierarchical Classification in Large-Scale Taxonomies R. Babbar, I. Partalas,

On Flat versus Hierarchical Classification in Large-Scale Taxonomies R. Babbar, I. Partalas,

On Flat versus Hierarchical Classification in Large-Scale Taxonomies R. Babbar, I. Partalas, E. Gaussier, M.-R. Amini Gargantua (CNRS Mastodons) - November the 26 th , 2013 2/21 Challenges Proposed approach Hierarchy Pruning Experiments

588 views • 21 slides
MULTITENANCY IN KUBERNETES WHAT COMPANIES CARE ABOUT Velocity Cost 2 Hello! I AM KATHARINA

MULTITENANCY IN KUBERNETES WHAT COMPANIES CARE ABOUT Velocity Cost 2 Hello! I AM KATHARINA

MULTITENANCY IN KUBERNETES WHAT COMPANIES CARE ABOUT Velocity Cost 2 Hello! I AM KATHARINA PROBST Im a Senior Engineering Manager at Google. You can find me at www.linkedin.com/in/katharina.probst 3 WHY MULTITENANCY 4 KUBERNETES AT

558 views • 35 slides
Chapter 7: Clustering (Unsupervised Data Organization) 7.1 Hierarchical Clustering 7.2 Flat

Chapter 7: Clustering (Unsupervised Data Organization) 7.1 Hierarchical Clustering 7.2 Flat

Chapter 7: Clustering (Unsupervised Data Organization) 7.1 Hierarchical Clustering 7.2 Flat Clustering 7.3 Embedding into Vector Space for Visualization 7.4 Applications Clustering: unsupervised grouping (partitioning) of objects into

763 views • 49 slides
Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge 165 Locations and growing Scalability can mean... Traffic (requests) Easy: More locations = more capacity. Tenants (apps) Hard: Every tenant in

812 views • 41 slides
May the Force of hierarchical data be with you Teodor Sigaev, Oleg Bartunov PGConf.EU,

May the Force of hierarchical data be with you Teodor Sigaev, Oleg Bartunov PGConf.EU,

May the Force of hierarchical data be with you Teodor Sigaev, Oleg Bartunov PGConf.EU, 2019 Our projects in Postgres Hierarchical data Example: Web-site about astronomy TOP / | \ Science Hobbies Collections / |

1.16k views • 51 slides
Very Flat, Locally Very Flat, and Contraadjusted Modules Alexander Sl avik (joint work with

Very Flat, Locally Very Flat, and Contraadjusted Modules Alexander Sl avik (joint work with

Definitions &amp; Basics Better approximations? Locally very flat modules Very Flat, Locally Very Flat, and Contraadjusted Modules Alexander Sl avik (joint work with Jan Trlifaj) Charles University in Prague, Faculty of Mathematics and

300 views • 12 slides
On(x) ~Flat(x) START FINISH ~Flat(Spare) Intact(Spare) Off(Spare) On(Tire1) Flat(Tire1)

On(x) ~Flat(x) START FINISH ~Flat(Spare) Intact(Spare) Off(Spare) On(Tire1) Flat(Tire1)

On(x) ~Flat(x) START FINISH ~Flat(Spare) Intact(Spare) Off(Spare) On(Tire1) Flat(Tire1) Off(x) ClearHub Intact(x) Flat(x) On(x) Remove(x) Puton(x) Inflate(x) ~Flat(x) Off(x) ClearHub On(x) ~ClearHub CheckTire(x)

318 views • 15 slides
Positional Plagiocephaly Flat Head Syndrome Positional Plagiocephaly Also known as flat

Positional Plagiocephaly Flat Head Syndrome Positional Plagiocephaly Also known as flat

Positional Plagiocephaly Flat Head Syndrome Positional Plagiocephaly Also known as flat head syndrome Most commonly found in infants Characterized by a flat spot on the back or one side of the head Caused by remaining in one

556 views • 8 slides
Flat Rail Offering a solution for your OOG Cargo Simply attach to the 40 flat rack and

Flat Rail Offering a solution for your OOG Cargo Simply attach to the 40 flat rack and

How simple! Flat Rail Offering a solution for your OOG Cargo Simply attach to the 40 flat rack and youre ready to go Flat Rail Turning breakbulk cargo into OOG Is your Cargo over-length and over-width in 12-15M range ?

540 views • 17 slides
On(x) ~Flat(x) START FINISH ~Flat(Spare) Intact(Spare) Off(Spare) On(Tire1) Flat(Tire1)

On(x) ~Flat(x) START FINISH ~Flat(Spare) Intact(Spare) Off(Spare) On(Tire1) Flat(Tire1)

On(x) ~Flat(x) START FINISH ~Flat(Spare) Intact(Spare) Off(Spare) On(Tire1) Flat(Tire1) Off(x) ClearHub Intact(x) Flat(x) On(x) Remove(x) Puton(x) Inflate(x) Off(x) ClearHub On(x) ~ClearHub ~Flat(x) L R L R S S S L R R L

268 views • 7 slides
UT DA Hierarchical and Analytical Hierarchical and Analytical Pla Placement T cement

UT DA Hierarchical and Analytical Hierarchical and Analytical Pla Placement T cement

UT DA Hierarchical and Analytical Hierarchical and Analytical Pla Placement T cement Technique echniques for s for High High- Performa Performance A nce Analog C nalog Circuit ircuits Biying Xu, Shaolan Li, Xiaoqing Xu, Nan Sun, and

506 views • 29 slides
Interlocking Forme No. 1 Flat - 520x418mm Finished - 220x307 Interlocking Forme No. 2 Flat -

Interlocking Forme No. 1 Flat - 520x418mm Finished - 220x307 Interlocking Forme No. 2 Flat -

Interlocking Forme No. 1 Flat - 520x418mm Finished - 220x307 Interlocking Forme No. 2 Flat - 532.5x401 mm Finished - 220x303 Interlocking Forme No. 3 Flat - 510x424mm Finished - 215x330 Gusset - 10mm Interlocking Forme No. 4 Flat -

1.31k views • 25 slides
Proposal of a Hierarchical Proposal of a Hierarchical Architecture for Multimodal Architecture for

Proposal of a Hierarchical Proposal of a Hierarchical Architecture for Multimodal Architecture for

Proposal of a Hierarchical Proposal of a Hierarchical Architecture for Multimodal Architecture for Multimodal Interactive Systems y Masahiro Araki* 1 Tsuneo Nitta* 2 Kouichi Katsurada* 2 Takuya Nishimoto* 3 Tetsuo Amakasu* 4 Shinnichi Kawamoto* 5

546 views • 35 slides
Flat Datacentre Storage Sumit Mokashi Why is the storage described as a flat one?

Flat Datacentre Storage Sumit Mokashi Why is the storage described as a flat one?

Flat Datacentre Storage Sumit Mokashi Why is the storage described as a flat one? In FDS, data is logically stored in blobs. ... Reads from and writes to a blob are done in units called tracts. What are blob and tracts? Are

268 views • 14 slides
An Experimental Comparison of Classification Algorithms for the Hierarchical Prediction of

An Experimental Comparison of Classification Algorithms for the Hierarchical Prediction of

An Experimental Comparison of Classification Algorithms for the Hierarchical Prediction of Protein Function Part of the BIASPROFS Project : www.cs.kent.ac.uk/projects/biasprofs Andy Secker, Alex Freitas (University of Kent) Matthew Davies,

763 views • 37 slides
Title I Programs @ Flat Rock Middle School Our Commitment in our mission at Flat Rock At

Title I Programs @ Flat Rock Middle School Our Commitment in our mission at Flat Rock At

Title I Programs @ Flat Rock Middle School Our Commitment in our mission at Flat Rock At FRMS, we always strive to exceed in everything that we do and that includes putting forth all of our efforts to assist our students and parents with

365 views • 20 slides
Flat space physics from AdS/CFT Eliot Hijano Based on arxiv:1905.02729 Approaches to flat

Flat space physics from AdS/CFT Eliot Hijano Based on arxiv:1905.02729 Approaches to flat

Flat space physics from AdS/CFT Eliot Hijano Based on arxiv:1905.02729 Approaches to flat holography Uplifting A(dS)/CFT [de Boer, Solodukhin '03] [Ball et al '19] Direct approach [Hawking, Perry, Strominger '16] BMS hair Indirect

135 views • 13 slides
Faint Object Spectrograph Flat Fielding Charles D. (Tony) Keyes 1 I. Introduction The FOS flat

Faint Object Spectrograph Flat Fielding Charles D. (Tony) Keyes 1 I. Introduction The FOS flat

Faint Object Spectrograph Flat Fielding Charles D. (Tony) Keyes 1 I. Introduction The FOS flat field calibration continues to follow the philosophy outlined in the SV- epoch report (Anderson, 1992). The calibration is intended to account for

229 views • 6 slides
Straight line drawing of a graph on the flat torus Luca Castelli Aleardi, LIX Olivier

Straight line drawing of a graph on the flat torus Luca Castelli Aleardi, LIX Olivier

Straight line drawing of a graph on the flat torus Luca Castelli Aleardi, LIX Olivier Devillers, INRIA Eric Fusy, LIX 1 Torus 2 Torus 2 Torus Flat torus 2 Torus Flat torus 2 Torus Flat torus 2 Torus Flat torus Graph 2

1.27k views • 66 slides
Separation and convexity properties of hierarchical and non hierarchical clustering Patrice

Separation and convexity properties of hierarchical and non hierarchical clustering Patrice

Plan Separation and convexity properties of hierarchical and non hierarchical clustering Patrice Bertrand 1 1 CEREMADE, Universit e Paris-Dauphine, Paris, France Joint work with Jean Diatta 2 2 LIM, Universit e de La R eunion,

401 views • 29 slides
HIERARCHICAL DESIGN IN Victor Khomenko, Danil Sokolov, Alex Yakovlev Why hierarchical? The

HIERARCHICAL DESIGN IN Victor Khomenko, Danil Sokolov, Alex Yakovlev Why hierarchical? The

HIERARCHICAL DESIGN IN Victor Khomenko, Danil Sokolov, Alex Yakovlev Why hierarchical? The only way to design large systems Requests from the engineers Natural development of Workcraft Automation of repetitive tasks by tracking

612 views • 13 slides
FeUdal Networks for Hierarchical Reinforcement Learning Alexander Sasha Vezhnevets, Simon

FeUdal Networks for Hierarchical Reinforcement Learning Alexander Sasha Vezhnevets, Simon

FeUdal Networks for Hierarchical Reinforcement Learning Alexander Sasha Vezhnevets, Simon Osindero, Tom Schaul, Nicolas Heess, Max Jaderberg, David Silver, Koray Kavukcuoglu Topic: Hierarchical RL Presenter: Thophile Gaudin Why Hierarchical

921 views • 22 slides
GLUE2 XML Renderings David Meredith GLUE2: XSD Style, Flat or Nested Flat: Entities are

GLUE2 XML Renderings David Meredith GLUE2: XSD Style, Flat or Nested Flat: Entities are

GLUE2 XML Renderings David Meredith GLUE2: XSD Style, Flat or Nested Flat: Entities are equal siblings listed in a global element bag. &lt;Associations&gt; modelled using 1 method: Element ID references (all associations defined as

158 views • 13 slides
Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005

Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005

Hierarchical Bounding Volume October 11, 2005 () Hierarchical Bounding Volume October 11, 2005 1 / 15 Outline Introduction to hierarchical bounding volume (HBV) Tree generation Other optimization issues () Hierarchical Bounding Volume

350 views • 16 slides

More recommend