Identity for Users

The Metacloud Identity service manages authentication, authorization, and the service catalog. Even though most Identity functions are administrative, there are some user-level controls and concepts to consider, such as:

  • local authentication
  • external authentication
  • catalog of services and their API endpoints

Understanding Metacloud Identity

Your Metacloud user account belongs to a Metacloud domain defined by your cloud administrator. Metacloud essentially has two roles: admin and member. Roles can be assigned to individual user accounts or to a group of users. You are assigned to at least one project; projects compartmentalize a domain's resources, and the resources available to you depend on your project and role assignments. See Using Identity Features in the Administrator Guide for more specific descriptions of Identity assets.

Available authentication methods:

  • Password—The member credentials provided to you for accessing the Metacloud Dashboard include a user name and password. They may also include a domain if you are using Metacloud 4.0 with the Identity v3 API. Once logged in, you can manage your user settings and password in the Dashboard; see Logging in to the Dashboard. You can also use the same credentials with the CLI; see Providing Metacloud Credentials to CLI tools.
  • Token—Tokens authenticate and authorize API access. When you log in to Metacloud, you are issued an authentication token based on your project and role assignment, and every subsequent API call carries that token instead of your password. In a multi-domain environment, tokens are scoped: a scoped token authorizes access only to resources within a specific domain and project. Tokens expire and should be protected like passwords. See Using Tokens.
  • Alternative Service—Authentication and authorization can be delegated to an alternative service, such as an LDAP directory.
  • External Authentication—Your Metacloud administrator may have integrated an Identity Provider (IdP). In that case you authenticate against a source outside the Metacloud environment over Security Assertion Markup Language (SAML), for example Okta Single Sign-On.

The Metacloud Dashboard login window presents an Authenticate Using drop-down list so you can choose to enter Keystone credentials or credentials managed by an IdP. The Keystone credentials exist for local login, specifically for automated services or emergency access. You must choose the authenticator designated for your user account.

Although you can change your user settings in the Dashboard, do not change your password in Metacloud when your account authenticates through an alternative service or external authentication; those credentials are managed outside Metacloud, so a Metacloud password change does not affect them. Follow the password maintenance guidelines for your organization.

The Metacloud administrator is responsible for your project and role assignment. If you do not have access to expected resources, contact your administrator.
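
The following is an added example, not code from the Metacloud documentation or project. It shows what the token flow described above looks like at the API level: the request body a client sends to the standard OpenStack Identity v3 endpoint POST /v3/auth/tokens to obtain an unscoped or project-scoped token, and how the response is read back (Keystone returns the token in the X-Subject-Token header, while the body describes the scope, roles and expiry). The hostname, user, project and token values are made-up placeholders, and the sample response is constructed here for the example.

```python
"""Keystone v3 password authentication: build the request, read the token.

Added example (not Metacloud's code). Request and response shapes follow the
OpenStack Identity v3 API; all concrete values below are assumed placeholders.
"""
import json

# Assumed placeholder for the Identity endpoint of a Metacloud deployment.
KEYSTONE_URL = "https://api-az.metacloud.example:5000/v3"


def build_password_auth(username, password, user_domain,
                        project=None, project_domain=None):
    """Return the JSON body for POST /v3/auth/tokens.

    Without a project the request yields an unscoped token. With a project
    (identified by name within its domain) the token is scoped to that project
    and carries only the roles the user holds there.
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            }
        }
    }
    if project is not None:
        body["auth"]["scope"] = {
            "project": {
                "name": project,
                # Projects are named per domain; default to the user's domain.
                "domain": {"name": project_domain or user_domain},
            }
        }
    return body


def parse_token_response(headers, body_text):
    """Extract what a client needs from a Keystone token response.

    The token itself is only in the X-Subject-Token header, never in the body.
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    token_id = lowered.get("x-subject-token")
    if not token_id:
        raise ValueError("response carries no X-Subject-Token header")
    token = json.loads(body_text)["token"]
    project = token.get("project") or {}
    return {
        "token": token_id,
        "expires_at": token["expires_at"],
        "project": project.get("name"),          # None for an unscoped token
        "domain": (project.get("domain") or {}).get("name"),
        "roles": sorted(r["name"] for r in token.get("roles", [])),
    }


def auth_header(token_id):
    """Header to send with every service API call once a token is issued."""
    return {"X-Auth-Token": token_id}


# Constructed sample response, modelled on the Identity v3 token format.
SAMPLE_HEADERS = {
    "X-Subject-Token": "gAAAAAB-example-token-value",
    "Content-Type": "application/json",
}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "expires_at": "2020-01-01T01:00:00.000000Z",
        "user": {"name": "alice", "domain": {"name": "Default"}},
        "project": {"name": "test1", "domain": {"name": "Default"}},
        "roles": [{"id": "r-1", "name": "member"}],
    }
})

if __name__ == "__main__":
    request = build_password_auth("alice", "s3cret", "Default", project="test1")
    print("POST", KEYSTONE_URL + "/auth/tokens")
    print(json.dumps(request, indent=2))
    info = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print("scoped to", info["domain"], "/", info["project"], "roles", info["roles"])
    print("call services with", auth_header(info["token"]))
```

The request body contains the password in clear text, which is why the Identity endpoint must be reached over TLS; after this single exchange the client uses only the token via X-Auth-Token, so the password is never sent to the other services.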

Viewing the Catalog of Services

The service catalog is a collection of services available in your Metacloud deployment. Each service can have one or more endpoints of three types: admin, internal, or public. Endpoint types can reside on separate networks to restrict exposure to different types of users for security reasons. Examples include allowing the public API network visibility from the Internet, restricting an admin API network to operators within the organization that manage cloud infrastructure, or restricting the internal API network to hosts that contain certain Metacloud services.

You can see a list of API endpoints in the Dashboard on the PROJECT > ACCESS & SECURITY > API Access tab, or use the CLI catalog command. In the Endpoints column of the CLI output, the name shown above each endpoint (test1 in this example) is the region, followed by the endpoint interface and its URL:

$ openstack catalog list
| Name                     | Type     | Endpoints                                       |
| Network Service          | network  | test1                                           |
|                          |          |   public: https://<API-AZ.METACLOUD.NET>:9696   |
|                          |          | test1                                           |
|                          |          |   admin: http://<API-AZ.METACLOUD.NET>:9696     |
|                          |          | test1                                           |
|                          |          |   internal: http://<API-AZ.METACLOUD.NET>:9696  |
|                          |          |                                                 |
| Block Storage Service v2 | volumev2 | test1                                           |
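
The following is an added example, not code from the Metacloud documentation or project. It works with the service catalog in the form the Identity v3 API returns it (a list of services, each with a type and a list of endpoints carrying region, interface and url), which is what the table above renders. It shows the selection a client performs when it picks the public, internal or admin endpoint for a service type, and adds the check a practitioner would want: listing every endpoint that is not served over https. The catalog below is constructed for the example and its hostname is a placeholder; the port numbers and the http/https split mirror the sample output above.

```python
"""Select endpoints from an Identity v3 service catalog and audit their schemes.

Added example (not Metacloud's code). The catalog structure follows the
OpenStack Identity v3 token response; the entries are constructed sample data
with an assumed placeholder hostname.
"""
from urllib.parse import urlsplit

# Constructed catalog mirroring the `openstack catalog list` output on this
# page: region test1, public over https, admin and internal over plain http.
SAMPLE_CATALOG = [
    {
        "type": "network",
        "name": "Network Service",
        "endpoints": [
            {"region": "test1", "interface": "public",
             "url": "https://api-az.metacloud.example:9696"},
            {"region": "test1", "interface": "admin",
             "url": "http://api-az.metacloud.example:9696"},
            {"region": "test1", "interface": "internal",
             "url": "http://api-az.metacloud.example:9696"},
        ],
    },
    {
        "type": "volumev2",
        "name": "Block Storage Service v2",
        "endpoints": [
            {"region": "test1", "interface": "public",
             "url": "https://api-az.metacloud.example:8776/v2"},
        ],
    },
]

VALID_INTERFACES = ("public", "internal", "admin")


def select_endpoint(catalog, service_type, interface="public", region=None):
    """Return the URL a client should use for a service type.

    Mirrors the lookup a client performs after authenticating: match the
    service type, then the interface (public by default), optionally within a
    region. Raises LookupError when nothing matches, so a caller never falls
    back silently to a different interface than the one it asked for.
    """
    if interface not in VALID_INTERFACES:
        raise ValueError(f"unknown interface {interface!r}")
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if endpoint.get("interface") != interface:
                continue
            if region is not None and endpoint.get("region") != region:
                continue
            return endpoint["url"]
    raise LookupError(f"no {interface} endpoint for service type {service_type!r}")


def plaintext_endpoints(catalog):
    """List (service type, interface, url) for every endpoint not using https.

    Admin and internal interfaces are often placed on restricted networks, as
    the text above describes, but each plain-http entry is still worth knowing
    about: anyone on that network path can read tokens sent to it.
    """
    findings = []
    for service in catalog:
        for endpoint in service.get("endpoints", []):
            if urlsplit(endpoint["url"]).scheme.lower() != "https":
                findings.append((service["type"], endpoint["interface"],
                                 endpoint["url"]))
    return findings


if __name__ == "__main__":
    print("network public  :", select_endpoint(SAMPLE_CATALOG, "network"))
    print("network admin   :", select_endpoint(SAMPLE_CATALOG, "network", "admin"))
    for service_type, interface, url in plaintext_endpoints(SAMPLE_CATALOG):
        print(f"plain http: {service_type} {interface} {url}")
```

Requesting a service type that has no endpoint of the chosen interface raises rather than quietly using another interface, which matters when the interfaces live on different networks with different exposure.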