Admin user guide edits

Edits to the Dashboard: Manage Users and Projects section
Edits to the Manage Project Security section
All of this hopefully brings these docs in line w/ the Icehouse GUI
Closes-bug: 1194229

Reviewer comments added and niceness fixes as well.

Change-Id: Ib7ffa484eb817dbda0c046931aedea24e14404cc
Karin Levenstein
2014-06-06 13:17:59 -05:00
parent 3f34d95148
commit a38787ed1f
3 changed files with 257 additions and 261 deletions

@@ -5,15 +5,16 @@
xml:id="dashboard_manage_projects_security">
<?dbhtml stop-chunking?>
<title>Manage project security</title>
<para>Security groups are sets of IP filter rules that define
networking access and are applied to all project instances.
Group rules are project specific; project members can edit
the default rules for their group and add new rule sets.</para>
<para>All projects have a default security
group that is applied to any instance that has no other
defined security group. Unless you change the default, this
security group denies all incoming traffic and allows only
outgoing traffic to your instance.</para>
<para>Security groups are sets of IP filter rules that define networking
access and are applied to all instances within a project. Group rules
are project-specific; project members can edit the default rules for
their group and add new rule sets.</para>
<para>All projects have a default security group that is applied to any
instance that has no other defined security group. When unmodified, the
default security group denies all incoming traffic and allows only
outgoing traffic to your instance. A common use case is to edit the
default security group to permit SSH access and ICMP access, so that
users can log into and ping instances.</para>
<note>
<para>For information about updating global controls on the
command line, see <xref
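Review bot: The rewritten first paragraph says security groups "are applied to all instances within a project", which contradicts the paragraph right after it, where the default group applies only to an instance "that has no other defined security group"; a group applies to the instances it is assigned to, so the sentence should say that. In the second paragraph, "allows only outgoing traffic to your instance" should read "from your instance". The added sentence recommends editing the default group to permit SSH and ICMP, and that group covers every instance with no other group, so it would help to point readers at the CIDR setting in the "Add a security group rule" procedure so the rule can be limited to a known source range.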
@@ -23,15 +24,15 @@
<title>Create a security group</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
<para>Log in to the dashboard as a project member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guimenu>CURRENT
PROJECT</guimenu> drop-down list, and click
the <guimenuitem>Access &amp;
Security</guimenuitem> category.</para>
<para>Select a project from the drop-down menu at the top of the screen.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, click the
<guimenuitem>Access &amp; Security</guimenuitem>
category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
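Review bot: The new step "Select a project from the drop-down menu at the top of the screen." drops the <guimenu>CURRENT PROJECT</guimenu> label that the old step carried, so the reader is no longer told which control to look for. The projects-and-users file in this same commit still names the "CURRENT PROJECT" drop-down list; please use one wording in both files. This line is also left unwrapped, while the same sentence is wrapped in the later procedures.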
@@ -51,187 +52,170 @@
<title>Add a security group rule</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
<para>Log in to the dashboard as a project member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guimenu>CURRENT
PROJECT</guimenu> drop-down list, and click
the <guimenuitem>Access &amp;
Security</guimenuitem> category.</para>
<para>Select a project from the drop-down menu at the top of the
screen.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
click <guibutton>Edit rules</guibutton> for the
appropriate security group.</para>
<para>On the <guilabel>Project</guilabel> tab, click the
<guimenuitem>Access &amp; Security</guimenuitem>
category.</para>
</step>
<step>
<para>To add a rule, click <guibutton>Add
Rule</guibutton>. Set the attributes for the rule,
and click <guibutton>Add</guibutton>:</para>
<para>On the <guilabel>Security Groups</guilabel> tab, click
<guibutton>Manage rules</guibutton> for the appropriate
security group.</para>
</step>
<step>
<para>To add a rule, click <guibutton>Add Rule</guibutton>. Set
the attributes for the rule, and click
<guibutton>Add</guibutton>.</para>
<para>The following attributes can be configured:</para>
<variablelist wordsize="10">
<!-- this doesn't match the UI -->
<!-- <varlistentry>
<varlistentry>
<term>Rule</term>
<listitem>
<para>The rule protocol type .
Valid types are:<itemizedlist>
<listitem>
<para><guilabel>Custom TCP
Rule</guilabel>.Typically used to
exchange data between systems, and
for end-user communication.</para>
</listitem>
<listitem>
<para><guilabel>Custom UDP
Rule</guilabel>. Typically used to
exchange data between systems,
particularly at the application
level.</para>
</listitem>
<listitem>
<para><guilabel>Custom ICMP
Rule</guilabel>. Typically used by
network devices (for example,
routers) to send error or
monitoring messages.</para>
</listitem>
<listitem>
<para><guilabel>Other
Protocol</guilabel>. Other protocol
type (for example, SCTP, which can
be used to handle application data
at the SCTP level). Only available
for OpenStack Networking security
groups.</para>
</listitem>
<para>The rule protocol type. Valid types are:<itemizedlist>
<listitem>
<para><guilabel>Custom TCP
Rule</guilabel>.Typically used to
exchange data between systems, and for
end-user communication.</para>
</listitem>
<listitem>
<para><guilabel>Custom UDP
Rule</guilabel>. Typically used to
exchange data between systems,
particularly at the application
level.</para>
</listitem>
<listitem>
<para><guilabel>Custom ICMP
Rule</guilabel>. Typically used by
network devices (for example, routers)
to send error or monitoring
messages.</para>
</listitem>
<listitem>
<para><guilabel>Other
Protocol</guilabel>: Enables you to
manually specify another rule protocol,
if it is not included in the
list.</para>
</listitem>
<listitem>
<para>Other standard IP protocols,
including: All ICMP, All TCP, All UDP,
DNS, HTTP, HTTPS, IMAP, IMAPS, LDAP, MS
SQL, MYSQL, POP3, POP3S, RDP, SMTP,
SMTPS, and SSH.</para>
</listitem>
</itemizedlist></para>
</listitem>
</varlistentry> -->
<varlistentry>
<term><guilabel>IP Protocol</guilabel></term>
<listitem>
<para>The IP protocol to which
the rule applies:</para>
<itemizedlist>
<listitem>
<para><guilabel>TCP</guilabel>.Typically
used to exchange data between
systems, and for end-user
communication.</para>
</listitem>
<listitem>
<para><guilabel>UDP</guilabel>.
Typically used to exchange data
between systems, particularly at
the application level.</para>
</listitem>
<listitem>
<para><guilabel>ICMP</guilabel>.
Typically used by network devices,
such as routers, to send error or
monitoring messages.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<!-- not in the GUI -->
<!--<varlistentry>
<varlistentry>
<term>Direction</term>
<listitem>
<para>For OpenStack Networking. The
direction of network traffic to which
the rule applies:
<guilabel>Ingress</guilabel>
(inbound) or
<guilabel>Egress</guilabel>
(outbound).</para>
<para>The direction of network traffic to which the
rule applies: <guilabel>Ingress</guilabel>
(inbound) or <guilabel>Egress</guilabel>
(outbound). This option is available only when
<guilabel>Custom TCP Rule</guilabel>,
<guilabel>Custom UDP Rule</guilabel>,
<guilabel>Custom ICMP Rule</guilabel>,
<guilabel>All ICMP</guilabel>, <guilabel>All
TCP</guilabel>, <guilabel>All
UDP</guilabel>, or <guilabel>Other
Protocol</guilabel> is selected.</para>
</listitem>
</varlistentry> -->
</varlistentry>
<varlistentry>
<term><guilabel>Open</guilabel></term>
<term>Open Port</term>
<listitem>
<para>For TCP or UDP rules, the
<guilabel>Port</guilabel> or
<guilabel>Port Range</guilabel> to
open for the rule. Choose to open a
single port or range of ports.</para>
<para>For a range of ports, enter port
<para>The <guilabel>Port</guilabel> or
<guilabel>Port Range</guilabel> to open for
the rule. This option is available only when
<guilabel>Custom TCP Rule</guilabel> or
<guilabel>Custom UDP Rule</guilabel> is
selected.</para>
<itemizedlist>
<listitem>
<para>For a range of ports, enter port
values in the <guilabel>From
Port</guilabel> and <guilabel>To
Port</guilabel> fields.</para>
<para>For a single port, enter the port
</listitem>
<listitem>
<para>For a single port, enter the port
value in the <guilabel>Port</guilabel>
field.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<!-- not in the GUI -->
<!--<varlistentry>
<varlistentry>
<term>Type</term>
<listitem>
<para>For ICMP rules, specifies
the ICMP message that is being
passed.</para>
<para>Specifies the ICMP message that is being
passed. This option is available only when
<guilabel>Custom ICMP Rule</guilabel> is
selected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Code</term>
<listitem>
<para>For ICMP rules, specifies
the ICMP subtype code, which provides
further information about the
<guilabel>Type</guilabel>
message.</para>
<para>For ICMP rules, specifies the ICMP subtype
code, which provides further information about
the <guilabel>Type</guilabel> message. This
option is available only when <guilabel>Custom
ICMP Rule</guilabel> is selected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IP Protocol</term>
<listitem>
<para>For OpenStack Networking. For
<guilabel>Other Protocol</guilabel>
rules, specifies the IP protocol to be
used for the rule. Specify the
protocol as an integer. See <link
xlink:href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
>http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml</link>.</para>
<para>For <guilabel>Other Protocol</guilabel> rules,
specifies the IP protocol to be used for the
rule. Specify the protocol as an integer. See
<link
xlink:href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
>http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml</link>.
This option is available only when
<guilabel>Other Protocol</guilabel> is
selected.</para>
</listitem>
</varlistentry> -->
</varlistentry>
<varlistentry>
<term><guilabel>Source</guilabel></term>
<term>Remote</term>
<listitem>
<para>The source of the traffic
for this rule:</para>
<itemizedlist>
<listitem>
<para><guilabel>CIDR</guilabel>
(Classless Inter-Domain Routing).
IP address block, which limits
access to IPs within the block.
Enter the CIDR in the
<guilabel>Source</guilabel>
field.</para>
<para><guilabel>CIDR</guilabel> (Classless
Inter-Domain Routing). When selected,
access is limited only to IP addresses
within the specified block. When
selected, enter the CIDR in the
<guilabel>CIDR</guilabel> field.</para>
</listitem>
<listitem>
<para><guilabel>Security
Group</guilabel>. Source group that
enables any instance in the group
to access any other group
instance.</para>
<para><guilabel>Security Group</guilabel>.
When selected, any instance in the
selected security group can access any
other group instance. When selected,
choose the <guilabel>Security
Group</guilabel> and the <guilabel>Ether
Type</guilabel>, which can be either
<guilabel>IPv4</guilabel> or
<guilabel>IPv6</guilabel>.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<!-- not in gui -->
<!--<varlistentry>
<term>Ether Type</term>
<listitem>
<para>For OpenStack Networking. The
traffic protocol for the rule. Either
<guilabel>IPv4</guilabel> or
<guilabel>IPv6</guilabel>.</para>
</listitem>
</varlistentry> -->
</variablelist>
</step>
</procedure>
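Review bot: In the Rule entry, the last list item is headed "Other standard IP protocols", but it mixes protocol-wide presets (All ICMP, All TCP, All UDP) with service presets such as DNS, HTTP and SSH, which are not IP protocols; the IP Protocol entry further down uses the term for the integer protocol number, so suggest something like "Predefined rules for common services" here. In the Remote entry, both list items say "When selected" twice, and "any instance in the selected security group can access any other group instance" does not say which group's instances receive the traffic, which is the detail a reader needs when deciding who gets access. Smaller points: "Rule</guilabel>.Typically" is missing a space after the period, "Other Protocol</guilabel>:" uses a colon where its siblings use a period, the Code entry keeps "For ICMP rules" although the availability sentence already says it, and the Open Port and Remote terms lost their <guilabel> wrappers.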
@@ -240,24 +224,26 @@
<title>Delete a security group rule</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
<para>Log in to the dashboard as a project member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guimenu>CURRENT
PROJECT</guimenu> drop-down list, and click
the <guimenuitem>Access &amp;
Security</guimenuitem> category.</para>
<para>Select a project from the drop-down menu at the top of the
screen.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
click <guibutton>Edit rules</guibutton> for the
appropriate security group.</para>
<para>On the <guilabel>Project</guilabel> tab, click the
<guimenuitem>Access &amp; Security</guimenuitem>
category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab, click
<guibutton>Manage rules</guibutton> for the appropriate
security group.</para>
</step>
<step>
<para>To delete a rule, select the rule and click
<guibutton>Delete Rule</guibutton>.</para>
<guibutton>Delete Rule</guibutton> and confirm that you
want to delete the rule.</para>
</step>
</procedure>
</section>
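Review bot: The last step now chains two actions onto one sentence with a second "and" ("select the rule and click Delete Rule and confirm that you want to delete the rule"); move the confirmation into its own sentence or step so the procedure reads one action at a time. The "Delete a security group" step in the next hunk has the same construction and needs the same fix.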
@@ -265,21 +251,22 @@
<title>Delete a security group</title>
<procedure>
<step>
<para>Log in to the dashboard as a project
member.</para>
<para>Log in to the dashboard as a project member.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, select
the appropriate project from the <guilabel>CURRENT
PROJECT</guilabel> drop-down list, and click
the <guilabel>Access &amp; Security</guilabel>
<para>Select a project from the drop-down menu at the top of the
screen.</para>
</step>
<step>
<para>On the <guilabel>Project</guilabel> tab, click the
<guimenuitem>Access &amp; Security</guimenuitem>
category.</para>
</step>
<step>
<para>On the <guilabel>Security Groups</guilabel> tab,
select the appropriate group, and click
<guibutton>Delete Security
Group</guibutton>.</para>
<para>On the <guilabel>Security Groups</guilabel> tab, select
the appropriate group, and click <guibutton>Delete Security
Group</guibutton> and confirm that you want to delete
the group.</para>
</step>
</procedure>
</section>

@@ -5,60 +5,35 @@
xml:id="dashboard_manage_projects_users">
<?dbhtml stop-chunking?>
<title>Manage projects and users</title>
<para>As a cloud administrator, you manage both projects and
users. Projects are organizational units in the cloud to which
you can assign users. Projects are also known as <emphasis
role="italic">tenants</emphasis> or <emphasis
role="italic">accounts</emphasis>.You can manage projects
and users independently from each other.</para>
<para>Users are members of one or more projects.</para>
<para>During cloud set up, the operator defines at least one
project, user, and role. The operator links the role to the
user and the user to the project. Roles define the actions
that users can perform. As an administrator, you can create
additional projects and users as needed.</para>
<para>Learn how to add, update, and delete projects and users,
assign users to one or more projects, and change or remove the
assignment. To enable or temporarily disable a project or
user, update that project or user. You can also change quotas
at the project level. For information, see <xref
linkend="dashboard_set_quotas"/>.</para>
<para>When you create a user account, you must assign the account
to a primary project. Optionally, you can assign the account
to additional projects. Before you can delete a user account,
you must remove the user account from its primary
project.</para>
<section xml:id="disable_project">
<title>Consequences of disabling projects and users</title>
<para>When you disable a project, it has the following
consequences:</para>
<itemizedlist>
<listitem>
<para>In the dashboard, users can no longer access the
project from the <guilabel>CURRENT
PROJECT</guilabel> drop-down list on the
<guilabel>Project</guilabel> tab.</para>
</listitem>
<listitem>
<para>Users who are members of only the disabled
project can no longer log in.</para>
</listitem>
<listitem>
<para>You cannot launch instances for a disabled
project. Instances that are already running are
not automatically terminated though—you must stop
them manually.</para>
</listitem>
<listitem>
<para>The data for a disabled project is maintained so
that you can enable the project again at any
time.</para>
</listitem>
</itemizedlist>
<para>When you disable a user account, the user can no longer
log in, but the data for the user is maintained so that
you can enable the user again at any time.</para>
</section>
<para>As an OpenStack cloud administrator, you manage both
projects and users, which can be managed independently from
each other. Projects, also known as <emphasis role="italic"
>tenants</emphasis> or <emphasis role="italic"
>accounts</emphasis>, are organizational units in the
cloud to which you can assign users. Users also have roles
that determine their level of access to the project, and may
have different roles in different projects.</para>
<para>When the cloud is initially created, the operator defines at
least one project, user, and role.</para>
<para>As an administrator, you can create additional projects and users as
needed. This section documents the following project and user
administration tasks:</para>
<itemizedlist>
<listitem>
<para>Adding, updating, and deleting projects and
users.</para>
</listitem>
<listitem>
<para>Assigning users to one or more projects, and changing or
removing the assignment.</para>
</listitem>
<listitem>
<para>Enabling or temporarily disabling a project or
user.</para>
</listitem>
</itemizedlist>
<para>You can also change quotas at the project level. For information, see
<xref linkend="dashboard_set_quotas"/>.</para>
<section xml:id="dashboard_create_project">
<title>Create a project</title>
<procedure>
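Review bot: In the new opening sentence, the clause "which can be managed independently from each other" is wedged between "projects and users" and the definition of projects, and its antecedent is unclear; make it a separate sentence such as "You can manage projects and users independently of each other." The rewrite also drops "The operator links the role to the user and the user to the project", which was the only sentence explaining how the three objects relate, so the paragraph that now ends at "defines at least one project, user, and role" could keep it. The line breaks inside <emphasis role="italic" >tenants</emphasis> put the closing ">" at the start of the next line; keep the tag on one line.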
@@ -66,11 +41,12 @@
<para>Log in to the dashboard and choose the
<guilabel>admin</guilabel> project from the
<guilabel>CURRENT PROJECT</guilabel> drop-down
list.</para>
list at the top of the screen.</para>
</step>
<step>
<para>On the <guilabel>Admin</guilabel> tab, click the
<guilabel>Projects</guilabel> category.</para>
<para>In the <guilabel>Admin</guilabel> tab, open the
<guilabel>Identity Panel</guilabel> and click
on <guilabel>Projects</guilabel>.</para>
</step>
<step>
<para>Click <guibutton>Create
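Review bot: The reworded step says "In the Admin tab ... click on Projects", while the security file in this commit keeps "On the Project tab, click ..."; use "On the ... tab" and plain "click" in both files. The same wording recurs in the later "Identity Panel" steps in this file.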
@@ -95,8 +71,8 @@
<step>
<para>Click <guibutton>Create
Project</guibutton>.</para>
<para>The <guilabel>Projects</guilabel> category shows
the project, including its assigned ID.</para>
<para>The <guilabel>Projects</guilabel> list shows the
project, including its assigned ID.</para>
</step>
</procedure>
</section>
@@ -106,12 +82,12 @@
description, and enable or temporarily disable it.</para>
<procedure>
<step>
<para>On the <guilabel>Admin</guilabel> tab, click the
<guilabel>Projects</guilabel> category.</para>
<para>In the <guilabel>Admin</guilabel> tab, open the
<guilabel>Identity Panel</guilabel> and click
on <guilabel>Projects</guilabel>.</para>
</step>
<step>
<para>Select the project that you want to update.
</para>
<para>Select the project that you want to update.</para>
</step>
<step>
<para>In the <guilabel>More</guilabel> drop-down list,
@@ -132,6 +108,34 @@
<para>Click <guibutton>Save</guibutton>.</para>
</step>
</procedure>
<section xml:id="disable_project">
<title>Consequences of disabling projects</title>
<para>When you disable a project, it has the following
consequences:</para>
<itemizedlist>
<listitem>
<para>In the dashboard, users can no longer access the
project from the <guilabel>CURRENT
PROJECT</guilabel> drop-down list on the
<guilabel>Project</guilabel> tab.</para>
</listitem>
<listitem>
<para>Users who are members of only the disabled
project can no longer log in.</para>
</listitem>
<listitem>
<para>You cannot launch instances for a disabled
project. Instances that are already running are
not automatically terminated though—you must stop
them manually.</para>
</listitem>
<listitem>
<para>The data for a disabled project is maintained so
that you can enable the project again at any
time.</para>
</listitem>
</itemizedlist>
</section>
</section>
<section xml:id="dashboard_user_assignments">
<title>Modify user assignments for a project</title>
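Review bot: The first list item in the moved "Consequences of disabling projects" section still says users reach the project "from the CURRENT PROJECT drop-down list on the Project tab", but the steps updated elsewhere in this commit place that drop-down "at the top of the screen"; update the item to match. Nesting this section under the update procedure is fine since the xml:id is unchanged, but the user half of the old title now lives only in the "Disable or enable a user" section, so a cross-reference from here would help.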
@@ -142,16 +146,14 @@
assignments.</para>
<procedure>
<step>
<para>On the <guilabel>Admin</guilabel> tab, select
the <guilabel>Projects</guilabel> category.</para>
<para>In the <guilabel>Admin</guilabel> tab, open the
<guilabel>Identity Panel</guilabel> and click
on <guilabel>Projects</guilabel>.</para>
</step>
<step>
<para>Select a project to modify its user
assignments.</para>
</step>
<step>
<para>Select <guibutton>Modify
Users</guibutton>.</para>
<para>Click the <guilabel>Modify Users</guilabel>
button for the project that you want to
modify.</para>
<para>The <guilabel>Edit Project</guilabel> window
shows the following lists of users:</para>
<itemizedlist>
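Review bot: The new step marks the control up as <guilabel>Modify Users</guilabel> followed by the word "button", where the removed step used <guibutton>Modify Users</guibutton>; keep <guibutton> for buttons, as the rest of the file does, and drop the extra word.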
@@ -163,7 +165,7 @@
<listitem>
<para><guilabel>Project Members</guilabel>.
Users that are assigned to the current
project, </para>
project.</para>
</listitem>
</itemizedlist>
<figure xml:id="cloud_dash_users_list">
@@ -206,30 +208,34 @@
<guilabel>Projects</guilabel> category.</para>
</step>
<step>
<para>Select the projects that you want to delete.
</para>
<para>Select the projects that you want to delete.</para>
</step>
<step>
<para>Click <guibutton>Delete Projects</guibutton> to
confirm the deletion.</para>
<note>
<warning>
<para>You cannot undo the delete action.</para>
</note>
</warning>
</step>
</procedure>
</section>
<section xml:id="dashboard_create_user">
<title>Create a user account</title>
<para>When you create a user account, you must assign the account to a
primary project. You also have the option of assigning the account
to additional projects. Before you can delete a user account, you
must remove the user account from its primary project.</para>
<procedure>
<step>
<para>Log in to the dashboard and choose the
<guilabel>admin</guilabel> project from the
<guilabel>CURRENT PROJECT</guilabel> drop-down
list.</para>
list at the top of the screen.</para>
</step>
<step>
<para>On the <guilabel>Admin</guilabel> tab, select
the <guilabel>Users</guilabel> category.</para>
<para>In the <guilabel>Admin</guilabel> tab, open the
<guilabel>Identity Panel</guilabel> and click
on <guilabel>Users</guilabel>.</para>
</step>
<step>
<para>Click <guibutton>Create User</guibutton>.</para>
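Review bot: The context at the top of this hunk shows the Delete procedure's first step still ending in "<guilabel>Projects</guilabel> category", so it was not moved to the "Identity Panel" wording used for the other procedures in this file. In the paragraph added under "Create a user account", the sentence "Before you can delete a user account, you must remove the user account from its primary project" describes deletion and belongs with the delete procedure, not here. The change from <note> to <warning> for "You cannot undo the delete action." is the right call.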
@@ -257,19 +263,22 @@
</section>
<section xml:id="dashboard_disable_user">
<title>Disable or enable a user</title>
<para>When you disable a user account, the user can no longer log in.
However, the data for the user is maintained so that you can enable
the user again at any time.</para>
<procedure>
<step>
<para>On the <guilabel>Admin</guilabel> tab, select
the <guilabel>Users</guilabel> category.</para>
<para>In the <guilabel>Admin</guilabel> tab, open the
<guilabel>Identity Panel</guilabel> and click
on <guilabel>Users</guilabel>.</para>
</step>
<step>
<para>Select the user that you want to disable or
enable. You can disable or enable only one user at
a time.</para>
<para>Locate the user that you want to disable or
enable in the Users list.</para>
</step>
<step>
<para>In the <guilabel>Actions</guilabel> drop-down
list, select <guilabel>Disable User</guilabel> or
<para>In the <guilabel>More</guilabel> drop-down list,
select <guilabel>Disable User</guilabel> or
<guilabel>Enable User</guilabel>.</para>
<para>In the <guilabel>Enabled</guilabel> column, the
enabled value updates to either
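Review bot: The rewritten second step drops "You can disable or enable only one user at a time."; if that limit still holds in the Icehouse dashboard, the sentence should stay, and if it no longer holds, the commit message should say so. In the same step, "Users list" is plain text where the neighbouring steps use <guilabel>Users</guilabel>. The new introductory paragraph covers only what disabling does, although the section title is "Disable or enable a user".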

@@ -5,12 +5,12 @@
xml:id="Launching_Instances_using_Dashboard">
<title>Configure access and security for instances</title>
<?dbhtml stop-chunking?>
<para>Before you launch an instance, you should add security group
rules to enable users to ping and use SSH to connect to the
instance. To do so, you either <link
xlink:href="#security_groups_add_rule">add rules to the
default security group</link> or add a security group with
rules.</para>
<para>Before you launch an instance, you should add security group rules to
enable users to ping and use SSH to connect to the instance. Security
groups are sets of IP filter rules that define networking access and are
applied to all instances within a project. To do so, you either <link
xlink:href="#security_groups_add_rule">add rules to the default
security group</link> or add a new security group with rules.</para>
<para>Key pairs are SSH credentials that are injected into an
instance when it is launched. To use key pair injection, the
image that the instance is based on must contain the
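Review bot: The inserted definition sentence ("Security groups are sets of IP filter rules ...") now sits between the recommendation and "To do so", so "To do so" no longer follows the action it refers to; move the definition ahead of the first sentence or after the "To do so" sentence. The definition also repeats "applied to all instances within a project", which has the same problem as in the security file: a group applies to the instances it is assigned to.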