Cloudstack 4 - Accounts Isolation in a Domain

[Asmita Vagyani <As...@sigma-systems.com>]

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts. 
An account is typically a customer of the service provider or a department in a large organization. 
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains. 
For example, a service provider with several resellers could create a domain for each reseller.

My question is, 

In a domain D1, I have two accounts A1 and A2 in D1. 
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com] 
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>
wrote:

>Hi all,
>
>I have a doubt.
>The functionality of my application is :
>There will be lots of companies approaching my application to create 
>VMs for its employees.
>
>I have created one account for one company on CS4.
>And the company can have many employees, so is my account having many 
>users added for each employee.
>Is there any way in CS4 to associate a VM instance for a particular 
>user inside the same account?
>I mean one account will have many VMs created, each VM assigned to a 
>unique user, basically 1:1 association betwn user:VM.
>
>While creating a VM(deployVirtualMachine) I cannot pass the userId in 
>that to say only user with userId "**" can use this vm.
>I can pass only the account with domain name, what does this indicate , 
>what is the relation of vm with account?
>Does that mean all users belonging to that account and domain can use 
>this vm.
>
>Thanks and Regards.
>
>Asmita Patil Vagyani.
>
>

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Clayton Weise <cw...@iswest.net>]

There is a giant shared network (albeit hidden from users) in a basic network and that is the public network which is used to assign IP addresses to instances in that zone.  I haven't done enough work with basic networks and their associated network offerings to know whether or not it's possible to create a shared network that is domain-specific in a basic zone but it's worth a shot (although it may only be available for creation through the API and not the UI).

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com] 
Sent: Thursday, January 24, 2013 4:33 AM
To: cloudstack-users@incubator.apache.org
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

Yes, Shared Networks are only available in Advanced Zones

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com


-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 10:59
To: 'cloudstack-users@incubator.apache.org'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Geoff,
I have used Basic zone configuration in the setups of CS4 with VMWare Cluster.
And I tried to follow steps you mentioned, but dint find the network tab in  Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest.

Is this the setting coming from advanced zone setup.


Thanks and Regards.

Asmita Patil Vagyani.


-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 24 January 2013 PM 04:10
To: cloudstack-users@incubator.apache.org
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

The Network section only allows you to create new Isolated Networks based on the default 'DefaultIsolatedNetworkOfferingWithSourceNatService' offering which is used when a new Guest Network is created.

To create Networks based on custom network offerings or to create a Shared Network you need to do the following.

1. Navigate to Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest/Network Tab/Add Guest Network 2. Set Scope to Domain and choose the appropriate Domain 3. You may want to select the 'Sub Domain Access' box if you plan on using sub domains later 4. Choose the 'Shared Network' offering 5. Now complete the rest of the settings such as Name, Description etc

Note:
The Shared Network offering has the 'Specify VLAN' flag set so you need to specify the Guest IP Schema such as Gateway, Netmask, Start IP, End IP etc.  Ensure you choose a different IP schema to your default guest IP schema so if you create a VM and specify both the default guest network for their Account, and the Shared Network, the IPs are in different ranges.

If you have any existing VMs you cannot add them to the new Shared Network, you can only add networks at VM creation time

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com

-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 05:59
To: '<cl...@incubator.apache.org>'
Cc: 'Nitin.Mehta@citrix.com'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Thanks Geoff.

My next question is , how can I create a shared network across accounts in a domain.
I went to the Network tab on CS client console, I dont see an option to create a shared network for a domain.
I can see only one default network "guestNetworkForBasicZone" created in the Networks section.

But, for the domain - edit option - I can see the  Network Domain option on the Domain.
If I specify there any value, where does it get mapped to?

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 23 January 2013 PM 07:10
To: <cl...@incubator.apache.org>
Cc: cloudstack-users@incubator.apache.org; Nitin.Mehta@citrix.com
Subject: Re: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular user inside the same account?
I mean one account will have many VMs created, each VM assigned to a unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate , what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.


ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.
ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Asmita Vagyani <As...@sigma-systems.com>]

Thanks Geoff, for  answering all my questions. :)

Thanks and Regards.

Asmita Patil Vagyani. 


-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com] 
Sent: 24 January 2013 PM 06:03
To: cloudstack-users@incubator.apache.org
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

Yes, Shared Networks are only available in Advanced Zones

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com


-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 10:59
To: 'cloudstack-users@incubator.apache.org'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Geoff,
I have used Basic zone configuration in the setups of CS4 with VMWare Cluster.
And I tried to follow steps you mentioned, but dint find the network tab in  Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest.

Is this the setting coming from advanced zone setup.


Thanks and Regards.

Asmita Patil Vagyani.


-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 24 January 2013 PM 04:10
To: cloudstack-users@incubator.apache.org
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

The Network section only allows you to create new Isolated Networks based on the default 'DefaultIsolatedNetworkOfferingWithSourceNatService' offering which is used when a new Guest Network is created.

To create Networks based on custom network offerings or to create a Shared Network you need to do the following.

1. Navigate to Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest/Network Tab/Add Guest Network 2. Set Scope to Domain and choose the appropriate Domain 3. You may want to select the 'Sub Domain Access' box if you plan on using sub domains later 4. Choose the 'Shared Network' offering 5. Now complete the rest of the settings such as Name, Description etc

Note:
The Shared Network offering has the 'Specify VLAN' flag set so you need to specify the Guest IP Schema such as Gateway, Netmask, Start IP, End IP etc.  Ensure you choose a different IP schema to your default guest IP schema so if you create a VM and specify both the default guest network for their Account, and the Shared Network, the IPs are in different ranges.

If you have any existing VMs you cannot add them to the new Shared Network, you can only add networks at VM creation time

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com

-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 05:59
To: '<cl...@incubator.apache.org>'
Cc: 'Nitin.Mehta@citrix.com'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Thanks Geoff.

My next question is , how can I create a shared network across accounts in a domain.
I went to the Network tab on CS client console, I dont see an option to create a shared network for a domain.
I can see only one default network "guestNetworkForBasicZone" created in the Networks section.

But, for the domain - edit option - I can see the  Network Domain option on the Domain.
If I specify there any value, where does it get mapped to?

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 23 January 2013 PM 07:10
To: <cl...@incubator.apache.org>
Cc: cloudstack-users@incubator.apache.org; Nitin.Mehta@citrix.com
Subject: Re: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular user inside the same account?
I mean one account will have many VMs created, each VM assigned to a unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate , what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.


ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.
ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Geoff Higginbottom <ge...@shapeblue.com>]

Hi Asmita,

Yes, Shared Networks are only available in Advanced Zones

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com


-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 10:59
To: 'cloudstack-users@incubator.apache.org'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Geoff,
I have used Basic zone configuration in the setups of CS4 with VMWare Cluster.
And I tried to follow steps you mentioned, but dint find the network tab in  Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest.

Is this the setting coming from advanced zone setup.


Thanks and Regards.

Asmita Patil Vagyani.


-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 24 January 2013 PM 04:10
To: cloudstack-users@incubator.apache.org
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

The Network section only allows you to create new Isolated Networks based on the default 'DefaultIsolatedNetworkOfferingWithSourceNatService' offering which is used when a new Guest Network is created.

To create Networks based on custom network offerings or to create a Shared Network you need to do the following.

1. Navigate to Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest/Network Tab/Add Guest Network 2. Set Scope to Domain and choose the appropriate Domain 3. You may want to select the 'Sub Domain Access' box if you plan on using sub domains later 4. Choose the 'Shared Network' offering 5. Now complete the rest of the settings such as Name, Description etc

Note:
The Shared Network offering has the 'Specify VLAN' flag set so you need to specify the Guest IP Schema such as Gateway, Netmask, Start IP, End IP etc.  Ensure you choose a different IP schema to your default guest IP schema so if you create a VM and specify both the default guest network for their Account, and the Shared Network, the IPs are in different ranges.

If you have any existing VMs you cannot add them to the new Shared Network, you can only add networks at VM creation time

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com

-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 05:59
To: '<cl...@incubator.apache.org>'
Cc: 'Nitin.Mehta@citrix.com'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Thanks Geoff.

My next question is , how can I create a shared network across accounts in a domain.
I went to the Network tab on CS client console, I dont see an option to create a shared network for a domain.
I can see only one default network "guestNetworkForBasicZone" created in the Networks section.

But, for the domain - edit option - I can see the  Network Domain option on the Domain.
If I specify there any value, where does it get mapped to?

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 23 January 2013 PM 07:10
To: <cl...@incubator.apache.org>
Cc: cloudstack-users@incubator.apache.org; Nitin.Mehta@citrix.com
Subject: Re: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular user inside the same account?
I mean one account will have many VMs created, each VM assigned to a unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate , what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.


ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.
ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Asmita Vagyani <As...@sigma-systems.com>]

Hi Geoff,
I have used Basic zone configuration in the setups of CS4 with VMWare Cluster.
And I tried to follow steps you mentioned, but dint find the network tab in  Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest.

Is this the setting coming from advanced zone setup.


Thanks and Regards.

Asmita Patil Vagyani. 


-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com] 
Sent: 24 January 2013 PM 04:10
To: cloudstack-users@incubator.apache.org
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

The Network section only allows you to create new Isolated Networks based on the default 'DefaultIsolatedNetworkOfferingWithSourceNatService' offering which is used when a new Guest Network is created.

To create Networks based on custom network offerings or to create a Shared Network you need to do the following.

1. Navigate to Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest/Network Tab/Add Guest Network 2. Set Scope to Domain and choose the appropriate Domain 3. You may want to select the 'Sub Domain Access' box if you plan on using sub domains later 4. Choose the 'Shared Network' offering 5. Now complete the rest of the settings such as Name, Description etc

Note:
The Shared Network offering has the 'Specify VLAN' flag set so you need to specify the Guest IP Schema such as Gateway, Netmask, Start IP, End IP etc.  Ensure you choose a different IP schema to your default guest IP schema so if you create a VM and specify both the default guest network for their Account, and the Shared Network, the IPs are in different ranges.

If you have any existing VMs you cannot add them to the new Shared Network, you can only add networks at VM creation time

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com

-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 05:59
To: '<cl...@incubator.apache.org>'
Cc: 'Nitin.Mehta@citrix.com'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Thanks Geoff.

My next question is , how can I create a shared network across accounts in a domain.
I went to the Network tab on CS client console, I dont see an option to create a shared network for a domain.
I can see only one default network "guestNetworkForBasicZone" created in the Networks section.

But, for the domain - edit option - I can see the  Network Domain option on the Domain.
If I specify there any value, where does it get mapped to?

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 23 January 2013 PM 07:10
To: <cl...@incubator.apache.org>
Cc: cloudstack-users@incubator.apache.org; Nitin.Mehta@citrix.com
Subject: Re: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular user inside the same account?
I mean one account will have many VMs created, each VM assigned to a unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate , what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.


ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Geoff Higginbottom <ge...@shapeblue.com>]

Hi Asmita,

The Network section only allows you to create new Isolated Networks based on the default 'DefaultIsolatedNetworkOfferingWithSourceNatService' offering which is used when a new Guest Network is created.

To create Networks based on custom network offerings or to create a Shared Network you need to do the following.

1. Navigate to Infrastructure/Zones/YourZone/Physical Network/YourPhysicalNetwork/Guest/Network Tab/Add Guest Network
2. Set Scope to Domain and choose the appropriate Domain
3. You may want to select the 'Sub Domain Access' box if you plan on using sub domains later
4. Choose the 'Shared Network' offering
5. Now complete the rest of the settings such as Name, Description etc

Note:
The Shared Network offering has the 'Specify VLAN' flag set so you need to specify the Guest IP Schema such as Gateway, Netmask, Start IP, End IP etc.  Ensure you choose a different IP schema to your default guest IP schema so if you create a VM and specify both the default guest network for their Account, and the Shared Network, the IPs are in different ranges.

If you have any existing VMs you cannot add them to the new Shared Network, you can only add networks at VM creation time

Regards

Geoff Higginbottom

D: +44 20 3603 0542 | S: +44 20 3603 0540 | M: +447968161581

geoff.higginbottom@shapeblue.com

-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com]
Sent: 24 January 2013 05:59
To: '<cl...@incubator.apache.org>'
Cc: 'Nitin.Mehta@citrix.com'
Subject: RE: Cloudstack 4 - Accounts Isolation in a Domain

Thanks Geoff.

My next question is , how can I create a shared network across accounts in a domain.
I went to the Network tab on CS client console, I dont see an option to create a shared network for a domain.
I can see only one default network "guestNetworkForBasicZone" created in the Networks section.

But, for the domain - edit option - I can see the  Network Domain option on the Domain.
If I specify there any value, where does it get mapped to?

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com]
Sent: 23 January 2013 PM 07:10
To: <cl...@incubator.apache.org>
Cc: cloudstack-users@incubator.apache.org; Nitin.Mehta@citrix.com
Subject: Re: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular user inside the same account?
I mean one account will have many VMs created, each VM assigned to a unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate , what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.


ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue’s expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Asmita Vagyani <As...@sigma-systems.com>]

Thanks Geoff.

My next question is , how can I create a shared network across accounts in a domain.
I went to the Network tab on CS client console, I dont see an option to create a shared network for a domain.
I can see only one default network "guestNetworkForBasicZone" created in the Networks section.

But, for the domain - edit option - I can see the  Network Domain option on the Domain.
If I specify there any value, where does it get mapped to?

Thanks and Regards.

Asmita Patil Vagyani. 

-----Original Message-----
From: Geoff Higginbottom [mailto:geoff.higginbottom@shapeblue.com] 
Sent: 23 January 2013 PM 07:10
To: <cl...@incubator.apache.org>
Cc: cloudstack-users@incubator.apache.org; Nitin.Mehta@citrix.com
Subject: Re: Cloudstack 4 - Accounts Isolation in a Domain

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular user inside the same account?
I mean one account will have many VMs created, each VM assigned to a unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate , what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

Re: Cloudstack 4 - Accounts Isolation in a Domain

[Geoff Higginbottom <ge...@shapeblue.com>]

Hi Asmita,

You are correct in your assessment.

If you do want to have VMs in different accounts communicating directly you can create a shared network which is linked to the Domain. The Accounts would need to belong to the same Domain for this to work.

Regards

Geoff Higginbottom
CTO / Cloud Architect

D: +44 20 3603 0542<tel:+442036030542> | S: +44 20 3603 0540<tel:+442036030540>| M: +447968161581<tel:+447968161581>

geoff.higginbottom@shapeblue.com<ma...@shapeblue.com> |www.shapeblue.com | Twitter:@shapeblue<https://twitter.com/#!/shapeblue>

ShapeBlue Ltd, 53 Chandos Place, Covent Garden, London, WC2N 4HS

Visit us on stand 291 at Cloud Expo Europe

On 23 Jan 2013, at 13:21, "Asmita Vagyani" <As...@sigma-systems.com>> wrote:

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts.
An account is typically a customer of the service provider or a department in a large organization.
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains.
For example, a service provider with several resellers could create a domain for each reseller.

My question is,

In a domain D1, I have two accounts A1 and A2 in D1.
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com]
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org<ma...@incubator.apache.org>; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>>
wrote:

Hi all,

I have a doubt.
The functionality of my application is :
There will be lots of companies approaching my application to create
VMs for its employees.

I have created one account for one company on CS4.
And the company can have many employees, so is my account having many
users added for each employee.
Is there any way in CS4 to associate a VM instance for a particular
user inside the same account?
I mean one account will have many VMs created, each VM assigned to a
unique user, basically 1:1 association betwn user:VM.

While creating a VM(deployVirtualMachine) I cannot pass the userId in
that to say only user with userId "**" can use this vm.
I can pass only the account with domain name, what does this indicate ,
what is the relation of vm with account?
Does that mean all users belonging to that account and domain can use
this vm.

Thanks and Regards.

Asmita Patil Vagyani.






ShapeBlue provides a range of strategic and technical consulting and implementation services to help IT Service Providers and Enterprises to build a true IaaS compute cloud. ShapeBlue's expertise, combined with CloudStack technology, allows IT Service Providers and Enterprises to deliver true, utility based, IaaS to the customer or end-user.

________________________________

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales.

RE: Cloudstack 4 - Accounts Isolation in a Domain

[Clayton Weise <cw...@iswest.net>]

Asmita, you are correct unless you created a network that belongs to the domain and not the account (which is not what CloudStack does by default).  In the case of an advanced zone, each account would have their own isolated network and would not be able to see each other.  In the case of a basic zone there is a network shared between ALL accounts in that zone.

Assuming you're doing advanced networking there is a way for two accounts to share resources and that's through the use of projects.  If both accounts are in the same domain, you could create a project which is shared by both accounts.  Any resources created within that project are owned _by_ the project and so multiple accounts can share the same set of resources.

-----Original Message-----
From: Asmita Vagyani [mailto:Asmita.Vagyani@sigma-systems.com] 
Sent: Wednesday, January 23, 2013 5:17 AM
To: 'cloudstack-users@incubator.apache.org'; 'Nitin.Mehta@citrix.com'
Subject: Cloudstack 4 - Accounts Isolation in a Domain

Hi ,

I read in a blog : (Source - http://docs.cloudstack.org/index.php?title=CloudStack_Documentation/FAQ:_CloudStack/How_are_users%2C_accounts%2C_and_domains_handled_in_CloudStack%3F&action=source)
It says:

CloudStack platform users are assigned accounts. 
An account is typically a customer of the service provider or a department in a large organization. 
Accounts are the unit of isolation in the cloud. Accounts are grouped by domains.
Domains usually contain accounts that have some logical relationship to each other and a set of delegated administrators with some authority over the domain and its subdomains. 
For example, a service provider with several resellers could create a domain for each reseller.

My question is, 

In a domain D1, I have two accounts A1 and A2 in D1. 
Account A1 has a VM1 assigned and Account A2 has a VM2 assigned.
If the accounts are said to be in isolation ,then the VM1 used by account A1 and VM2  used by account A2 will not be able to talk to each other?
Is my understanding correct?
Or is the communication between VM1 and VM2 possible since they in the same domain?
Please clarify.

Thanks and Regards.

Asmita Patil Vagyani.

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com] 
Sent: 22 January 2013 PM 03:57
To: cloudstack-users@incubator.apache.org; Sailaja Mada
Subject: Re: Issue in Creating instance on Cloudstack 4

Key thing to understand is that the ownership of resources is tied to an account. Users are mere synonyms for accessing the account resources. So any vm is also owned by an account and not a user.
All the users of the account have visibility to the resources of the account.

Little more reading on
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Accounts,+Domains,+a
nd+Admin+explained

On 22/01/13 3:49 PM, "Asmita Vagyani" <As...@sigma-systems.com>
wrote:

>Hi all,
>
>I have a doubt.
>The functionality of my application is :
>There will be lots of companies approaching my application to create 
>VMs for its employees.
>
>I have created one account for one company on CS4.
>And the company can have many employees, so is my account having many 
>users added for each employee.
>Is there any way in CS4 to associate a VM instance for a particular 
>user inside the same account?
>I mean one account will have many VMs created, each VM assigned to a 
>unique user, basically 1:1 association betwn user:VM.
>
>While creating a VM(deployVirtualMachine) I cannot pass the userId in 
>that to say only user with userId "**" can use this vm.
>I can pass only the account with domain name, what does this indicate , 
>what is the relation of vm with account?
>Does that mean all users belonging to that account and domain can use 
>this vm.
>
>Thanks and Regards.
>
>Asmita Patil Vagyani.
>
>