How to create DAAS models and assign users to them

This guide is composed of 2 parts:

  • how to create a project using OpenStack
  • how to create a DAAS model and assign a user to it

If you already have a project, you can jump directly to the second part.

Create a project using OpenStack

To create a project and set its quotas properly, you can use the commands below:

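# Authentication configuration
# Insert <--os-identity-api-version=3> if you want to use version 3; otherwise version 2 is used by default (some modules could require V2)
# Note: --os-password is passed on the command line, so it is visible in the process list while a command runs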
export AUTH="<--os-identity-api-version=3> --os-project-id=<admin project id here>
--os-username=<admin username here> --os-user-domain-name=<admin user domain name here>
--os-password=<admin password here> --os-region-name=<admin region name here>
--os-project-name=<admin project name here> --os-domain-name=<admin domain name here>
--os-auth-url=<admin auth url here>"

# Creation of a new project
openstack $AUTH project create --domain <name of the domain in which the project will be created> \
  --description "<project description here>" <project name here>

# With this command you can set some quotas using openstack. Use the help option for a complete view of the parameters.
# It can happen that openstack accepts a parameter on the command line but cannot set its value
# (e.g. to set the floating ip quota you have to use neutron because openstack fails).
openstack $AUTH quota set --cores <# of cores here> --ram <quantity of ram here> \
  --instances <# of instances here> <project name here>

# Setting quotas related to networks
# It is suggested to set the security group rules quota to -1 or to a high value, since Juju adds
# some groups and rules by default
neutron $AUTH quota-update --floatingip <# of floating ip here> --router <# of routers here> \
  --network <# of networks here> --security-group <# of security groups here> \
  --security-group-rule <# of security group rules here> <project id here>

# Assign a role in the project to a user
openstack $AUTH role add --user-domain <member domain name> --project <project name> --user <user name> <user role>

# Below is an example of security group rule creation for ICMP and SSH
# --src-ip 0.0.0.0/0 accepts traffic from any address; use a narrower CIDR where SSH should only be reachable from known networks
openstack $AUTH security group rule create --proto icmp --src-ip 0.0.0.0/0 <sec group name>
openstack $AUTH security group rule create --proto tcp --dst-port 22:22 --src-ip 0.0.0.0/0 <sec group name>

Create a DAAS model

To create a DAAS model and assign it to a user, you can use the commands below.

Dump the credentials on the current model (e.g. “DAAS”). The dump contains the secrets in clear text, so keep the file private:

juju credentials GAAS --format yaml --show-secrets > juju_credentials_$(date '+%y%m%d').yaml

Add to the file the following entry:

<project-name>:
   auth-type: <authorization type e.g. userpass>
   project-domain-name: <name of the domain which contains the project>
   user-domain-name: <name of the domain which contains the user>
   tenant-name: <project name>
   username: <user name>
   password: <user password>

And change the first line from local-credentials: to credentials:.

Please note that the user named in the username field should be a member of the OpenStack project.
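The file edit described above can also be scripted. The following is an added example, not part of the original guide or of Juju. The function name add_project_credential, the userpass auth type, and the dump layout (a single cloud, credentials nested with two-space indentation) are assumptions.

```shell
#!/bin/sh
# Added example: build the file given to `juju add-credential -f`.
# Assumed dump layout (one cloud only, so the new entry can be appended):
#   local-credentials:
#     <cloud>:
#       <credential name>:
#         <key>: <value>

# add_project_credential <dump> <out> <project> <project domain> <user domain> <user>
# The password is read from stdin so it never appears in the process list.
add_project_credential() {
    dump=$1 out=$2 project=$3 pdomain=$4 udomain=$5 user=$6
    IFS= read -r password || [ -n "$password" ] || return 1

    # The guide expects the dump to start with "local-credentials:".
    [ "$(head -n 1 "$dump")" = "local-credentials:" ] || {
        echo "unexpected first line in $dump" >&2; return 1; }
    # Refuse to add a credential name that is already in the dump.
    if grep -qxF "    $project:" "$dump"; then
        echo "credential $project already present" >&2; return 1
    fi

    # YAML single-quoted scalar: a literal ' is written as ''.
    pw_q=$(printf '%s' "$password" | sed "s/'/''/g")

    # The output holds cleartext secrets: create it owner-readable only.
    ( umask 077
      rm -f "$out"
      { sed '1s/^local-credentials:$/credentials:/' "$dump"
        printf '    %s:\n' "$project"
        printf '      auth-type: userpass\n'
        printf '      project-domain-name: %s\n' "$pdomain"
        printf '      user-domain-name: %s\n' "$udomain"
        printf '      tenant-name: %s\n' "$project"
        printf '      username: %s\n' "$user"
        printf "      password: '%s'\n" "$pw_q"
      } > "$out" )
}
```

Delete both the dump and the generated file once juju add-credential has succeeded, since they keep every password in clear text.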

Continue with the following commands:

# Add credential
$ juju add-credential GAAS -f juju_credentials_$(date '+%y%m%d').yaml --replace

# Add model
$ cat config.yaml
network: default
use-floating-ip: true
external-network: floating-ip
$ juju add-model <project name> --config config.yaml --credential <project name>

# Add user
# The command prints a string that you must give to the new user to complete the registration
$ juju add-user <user>

# Grant the new user the admin role
$ juju grant <user> admin <project name>

# Ask for the gui address
$ juju gui

If you prefer, you can use the script below instead of entering the commands from the second part of this guide manually.

This script is to be run from a Juju client connected to an OpenStack cloud. It creates a Juju user with a password, creates a model, and associates the user with the model:

#!/bin/sh

# Placeholders are quoted so the shell does not treat < and > as redirections
export MODEL_NAME="<name of the model here>"
export USER_NAME="<name of the user here>"

export PASSWD="<user password here>"
export ADMIN_PASSWD="<Juju admin password here>"

# cloud configuration should include network name and whether to use floating-ip
export MYCLOUD="<name of the cloud here>"
export MYCRED="<cloud credentials here>"

# log out and log in as admin on default model
juju logout
printf '%s\n' "$ADMIN_PASSWD" | juju login admin
juju switch default

# create user, set password
juju add-user "$USER_NAME"
# printf is used because "echo -e" is not supported by every /bin/sh
printf '%s\n%s\n' "$PASSWD" "$PASSWD" | juju change-user-password "$USER_NAME"

# create model and assign it to user
juju add-model "$MODEL_NAME" --owner "$USER_NAME" --credential "$MYCRED" "$MYCLOUD"

Now log out, log in as $USER_NAME and switch to $MODEL_NAME to start using it!