Working with Stack Domain Users

Stack domain users are created from the data in an Orchestration template. They live in a separate Metacloud Identity domain that holds everything related to Orchestration stacks. The Orchestration service uses a domain administrator user to manage the lifecycle of the users in the stack domain.

The username and password for the domain administrator are set by Metacloud engineering through the stack_domain_admin and stack_domain_admin_password configuration values. This user administers stack domain users on behalf of stack owners, so stack owners no longer need to be administrators themselves. The escalation path this creates is limited because the domain administrator is granted the admin role only within that domain, not on any project or on the deployment as a whole.

The Orchestration service uses the following:

  • A special Metacloud Identity service domain, usually named heat. Its ID is set with the stack_user_domain option.
  • A user with sufficient permissions to create and delete projects and users in the stack domain.

Stack domain users allow the Orchestration service to authorize and start the following operations on booted VMs:

  • Provide metadata to agents inside instances—Agents poll for changes and apply the configuration from the metadata to the instance.
  • Detect when an action is complete—typically software configuration on a virtual machine after it boots. Compute marks the VM Active as soon as it creates it, not when the Orchestration service has finished configuring it, so the stack domain user is what lets the instance signal completion back.
  • Provide application level status from inside the instance—Allow auto-scaling actions to be performed in response to some measure of performance or quality of service.

    For example, you can generate webhooks from Metacloud to connect your monitoring tool to scale up or scale down resources automatically, based on usage statistics. Use the Orchestration service to create monitoring URLs for your Metacloud AZ to plug into your organization’s choice of monitoring tool, then change resources based on either application use or CPU, memory, or disk I/O values.

To set up stack domain users:

Note
Metacloud Support updates your Orchestration configuration with the information from these steps.

  1. Create the domain.

    $ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
        --os-identity-api-version=3 domain create heat \
        --description "Owns users and projects created by heat"
    
    • $OS_TOKEN—A valid token, for example the service admin token, or a token for a user with roles sufficient to create domains and users.
    • $KS_ENDPOINT_V3—The Metacloud Identity v3 endpoint.

    The create domain command returns the domain ID, which is referred to as $HEAT_DOMAIN_ID below.

  2. Create the user.

    $ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
        --os-identity-api-version=3 user create --password $PASSWORD \
        --domain $HEAT_DOMAIN_ID heat_domain_admin \
        --description "Manages users and projects created by heat"
    

    The create user command returns the user ID, which is referred to as $DOMAIN_ADMIN_ID below.

  3. Make the user a domain administrator.

    $ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
        --os-identity-api-version=3 role add --user $DOMAIN_ADMIN_ID \
        --domain $HEAT_DOMAIN_ID admin
    
  4. Open a request with Metacloud Support that includes the domain ID, username, and password from these steps, so that they can be added to the Orchestration configuration file:

    stack_domain_admin_password = <password chosen in step 2>
    stack_domain_admin = heat_domain_admin
    stack_user_domain = <domain ID returned by domain create in step 1>
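
The four steps above, scripted end to end as an added example (this is not Metacloud or OpenStack tooling), with the least-privilege check a practitioner would want appended: after the role is granted, the script lists every role assignment the new domain administrator holds and fails if any of them is scoped to a project, to the system, or to a domain other than the stack domain. It assumes OS_TOKEN and KS_ENDPOINT_V3 are exported, the openstack CLI is on PATH, STACK_DOMAIN_ADMIN_PASSWORD holds a generated password, and that `openstack role assignment list -f csv` emits the Role, User, Group, Project, Domain and (on newer releases) System columns; the function names are ours.

```shell
#!/usr/bin/env bash
# Added example, not Metacloud's or OpenStack's own tooling: scripts steps 1-4
# and then audits that the domain admin's role assignments are scoped only to
# the stack domain. Assumes OS_TOKEN, KS_ENDPOINT_V3 and
# STACK_DOMAIN_ADMIN_PASSWORD are exported and `openstack` is on PATH.
set -euo pipefail

osc() {  # every call carries the token and the Identity v3 endpoint
  openstack --os-token "${OS_TOKEN:?}" --os-url "${KS_ENDPOINT_V3:?}" \
            --os-identity-api-version 3 "$@"
}

# Step 1: create the stack domain, or reuse it if it already exists; print its ID.
ensure_domain() {
  local name="$1" id
  id=$(osc domain show "$name" -f value -c id 2>/dev/null || true)
  [ -n "$id" ] || id=$(osc domain create "$name" -f value -c id \
        --description "Owns users and projects created by heat")
  printf '%s\n' "$id"
}

# Step 2: create the domain administrator inside that domain; print its ID.
ensure_domain_admin() {
  local domain_id="$1" name="$2" password="$3" id
  id=$(osc user show --domain "$domain_id" "$name" -f value -c id 2>/dev/null || true)
  [ -n "$id" ] || id=$(osc user create --domain "$domain_id" --password "$password" \
        --description "Manages users and projects created by heat" \
        -f value -c id "$name")
  printf '%s\n' "$id"
}

# Step 3: grant admin on the domain only (no project scope, no system scope).
grant_domain_admin() {
  local user_id="$1" domain_id="$2"
  osc role add --user "$user_id" --domain "$domain_id" admin
}

# Step 4: the configuration lines to hand to Metacloud Support.
render_heat_conf() {
  local domain_id="$1" admin_name="$2" password="$3"
  printf 'stack_domain_admin_password = %s\n' "$password"
  printf 'stack_domain_admin = %s\n' "$admin_name"
  printf 'stack_user_domain = %s\n' "$domain_id"
}

# Least-privilege check: every assignment the admin holds must be scoped to the
# stack domain, with no project or system scope. Reads the CSV output of
# `openstack role assignment list --user <id> -f csv` on stdin and uses the
# header row to locate the columns, so a missing System column is tolerated.
check_domain_admin_scope() {
  local expected_domain="$1"
  awk -F'","' -v want="$expected_domain" '
    BEGIN { bad = 0 }
    NF == 0 { next }
    { gsub(/^"|"$/, "") }                                   # strip outer quotes, re-split
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next } # header -> column index
    {
      project = ("Project" in col) ? $col["Project"] : ""
      domain  = ("Domain"  in col) ? $col["Domain"]  : ""
      sys     = ("System"  in col) ? $col["System"]  : ""
      if (project != "" || sys != "" || domain != want) {
        printf "out-of-scope assignment: role=%s project=%s domain=%s system=%s\n",
               $col["Role"], project, domain, sys > "/dev/stderr"
        bad = 1
      }
    }
    END { exit bad }'
}

setup_stack_domain() {
  local password="${STACK_DOMAIN_ADMIN_PASSWORD:?export a generated password}"
  local domain_id user_id
  domain_id=$(ensure_domain heat)
  user_id=$(ensure_domain_admin "$domain_id" heat_domain_admin "$password")
  grant_domain_admin "$user_id" "$domain_id"
  # Abort before handing anything to Support if the admin holds any wider scope.
  osc role assignment list --user "$user_id" -f csv | check_domain_admin_scope "$domain_id"
  render_heat_conf "$domain_id" heat_domain_admin "$password"
}

# Only talk to the Identity service when explicitly asked to.
if [ "${1:-}" = "setup" ]; then setup_stack_domain; fi
```

Run it as `bash setup-stack-domain.sh setup`; the last three lines it prints are the fragment for the support request. The scope check is the part worth keeping even if the rest is done by hand: the security argument on this page rests on the domain administrator holding admin only inside the stack domain, and a stray project- or system-scoped assignment silently turns that bounded escalation path into an unbounded one.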
    

See Creating and Managing Stacks to build or update stacks.