Stack domain users are created from data contained in an Orchestration template. These users live in a separate Metacloud domain created to hold data related to Orchestration stacks. The Orchestration service uses a user called the domain administrator to manage the lifecycle of the users in the stack domain.
The username and password for the domain administrator are set by Metacloud engineering with the stack_domain_admin and stack_domain_admin_password values. This user administers stack domain users on behalf of stack owners, so stack owners no longer need to be administrators themselves. The risk of this escalation path is limited because the domain administrator is only given the admin role on that domain, not on any project or on other domains. That containment depends on the Identity service policy enforcing domain scope for the admin role, so verify after setup that a token scoped to the stack domain cannot act outside it.
The Orchestration service uses the following:
- A special Metacloud Identity service domain for stack domain users, usually named heat. Its ID is set with the stack_user_domain value.
- A user with sufficient permissions to create and delete projects and users in the stack domain.
Stack domain users allow the Orchestration service to authorize and start the following operations on booted VMs:
- Provide metadata to agents inside instances—Agents poll for changes and apply the configuration from the metadata to the instance.
- Detect when an action is complete—typically software configuration on a virtual machine after it boots. Compute moves the VM state to Active as soon as it creates the instance, not when the Orchestration service has finished configuring it.
- Provide application-level status from inside the instance—Allow auto-scaling actions to be performed in response to some measure of performance or quality of service.
For example, you can generate webhooks from Metacloud and connect them to your monitoring tool so that it scales resources up or down automatically based on usage statistics. Use the Orchestration service to create monitoring URLs for your Metacloud AZ, plug them into your organization's monitoring tool, then change resources based on application use or on CPU, memory, or disk I/O values. Treat these URLs as credentials: possession of the URL is what authorizes the scaling action, so keep them out of logs and shared tooling.
To set up stack domain users, complete the following steps. Metacloud Support then updates your Orchestration configuration with the information these steps produce.
Create the domain.
$ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
    --os-identity-api-version=3 domain create heat \
    --description "Owns users and projects created by heat"
$OS_TOKEN—A valid token, for example, the service admin token for a user with sufficient roles to create users and domains.
$KS_ENDPOINT_V3—The Metacloud Identity v3 endpoint.
The domain create command returns the domain ID, which is referred to below as $HEAT_DOMAIN_ID.
Create the user.
$ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
    --os-identity-api-version=3 user create --password $PASSWORD \
    --domain $HEAT_DOMAIN_ID heat_domain_admin \
    --description "Manages users and projects created by heat"
The user create command returns the user ID, which is referred to below as $DOMAIN_ADMIN_ID.
Make the user a domain administrator.
$ openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
    --os-identity-api-version=3 role add --user $DOMAIN_ADMIN_ID \
    --domain $HEAT_DOMAIN_ID admin
Open a request with Metacloud Support to add the domain ID, username, and password from these steps to the Orchestration configuration file:
stack_domain_admin_password = password
stack_domain_admin = heat_domain_admin
stack_user_domain = domain id returned from domain create above
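The complete procedure as one script, added here as a worked example; it is not part of the Metacloud documentation or of the Orchestration (Heat) project. It assumes the token-authenticated openstackclient syntax shown above with OS_TOKEN and KS_ENDPOINT_V3 exported. Its post-check assumes, since the page does not describe the Identity policy in force, that a correctly domain-scoped admin is denied `domain list`. The function names, the DRY_RUN switch, the generated password, and the reuse of an already existing heat domain are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Metacloud page: runs the three openstack
# commands from the procedure above, then renders the values that go into
# the Orchestration configuration. Assumes OS_TOKEN and KS_ENDPOINT_V3 are
# exported as in the page. DRY_RUN=1 prints each command instead of running
# it, so the flow can be reviewed before touching the Identity service.
set -eu

HEAT_DOMAIN="${HEAT_DOMAIN:-heat}"
HEAT_ADMIN_USER="${HEAT_ADMIN_USER:-heat_domain_admin}"

# Single entry point for the token-authenticated client calls used on the page.
os() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'openstack %s\n' "$*" >&2   # show what would run
        printf 'dry-run-id\n'               # stand-in for the ID the call returns
        return 0
    fi
    openstack --os-token "$OS_TOKEN" --os-url "$KS_ENDPOINT_V3" \
        --os-identity-api-version 3 "$@"
}

# 32 random alphanumerics from the kernel RNG, so no human-chosen password
# ends up in shell history or a ticket.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Step 1: create the heat domain, or reuse it if an earlier run created it.
create_heat_domain() {
    os domain show -f value -c id "$HEAT_DOMAIN" 2>/dev/null ||
        os domain create -f value -c id \
            --description "Owns users and projects created by heat" "$HEAT_DOMAIN"
}

# Step 2: create the domain administrator inside that domain.
create_domain_admin() {
    local domain_id="$1" password="$2"
    os user create -f value -c id --domain "$domain_id" --password "$password" \
        --description "Manages users and projects created by heat" "$HEAT_ADMIN_USER"
}

# Step 3: grant admin on the heat domain only, never on a project or globally.
grant_domain_admin() {
    local user_id="$1" domain_id="$2"
    os role add --user "$user_id" --domain "$domain_id" admin
}

# Post-check (assumption: a correctly domain-scoped admin is denied
# "domain list" by the Identity policy). If the call succeeds, the admin role
# is not confined to the heat domain and the escalation path is open.
verify_domain_scope() {
    local domain_id="$1" password="$2"
    if openstack --os-auth-url "$KS_ENDPOINT_V3" --os-identity-api-version 3 \
        --os-username "$HEAT_ADMIN_USER" --os-password "$password" \
        --os-user-domain-id "$domain_id" --os-domain-id "$domain_id" \
        domain list >/dev/null 2>&1; then
        echo "WARNING: $HEAT_ADMIN_USER can list all domains; check Identity policy" >&2
        return 1
    fi
}

# Values for the Support request, in the option names the page uses.
render_heat_conf() {
    local domain_id="$1" user="$2" password="$3"
    printf '[DEFAULT]\n'
    printf 'stack_domain_admin = %s\n' "$user"
    printf 'stack_domain_admin_password = %s\n' "$password"
    printf 'stack_user_domain = %s\n' "$domain_id"
}

main() {
    local password domain_id user_id
    password="$(gen_password)"
    domain_id="$(create_heat_domain)"
    user_id="$(create_domain_admin "$domain_id" "$password")"
    grant_domain_admin "$user_id" "$domain_id" >/dev/null
    [ "${DRY_RUN:-0}" = "1" ] || verify_domain_scope "$domain_id" "$password" || true
    render_heat_conf "$domain_id" "$HEAT_ADMIN_USER" "$password"
}

# Run only when credentials (or dry-run mode) are present; otherwise just define functions.
if [ -n "${OS_TOKEN:-}" ] || [ "${DRY_RUN:-0}" = "1" ]; then
    main
fi
```

Run it once with DRY_RUN=1 to review the commands, then with OS_TOKEN and KS_ENDPOINT_V3 exported. The password is passed on the openstack command line, so it is briefly visible in the process table; redirect the rendered fragment to a file with restrictive permissions rather than pasting it into a shared terminal or ticket body.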
See Creating and Managing Stacks to build or update stacks.