Operational Management

Tenant Management

What is Tenant Management?

Tenant Management allows users to create and manage their organization structures based on their actual business scenarios. It also provides features such as project-based resource access control, ticket management, and independent zone management.

The Tenant Management feature is provided in a separate module. Before you can use this feature, you need to purchase the Plus License of Tenant Management, in addition to the Base License.

Definitions

Definitions related to Tenant Management:
  • Personnel and Permissions: The Tenant Management system is structured on the basis of personnel and permissions. You can create departments and roles based on your business needs, and grant a variety of permissions to your users.
  • Organization: Organization is the basic unit in Tenant Management. You can create an organization or synchronize an organization through SSO authentication. The organizations can be categorized into the default department and the customized department. You can customize a new team and a sub-department. The new team, usually a company or subcompany (subsidiary), can be used to create multi-level departments. An organizational structure tree is displayed in cascade, and you can directly get a complete picture of the organization structure.
    Note: Project members can only view the organization structure to which their team belongs.
  • User: A user is a natural person and is the most basic unit in Tenant Management. There are local users and SSO users on ZStack Cube Ultimate.
    • Local User: A user that is created on the Cloud. The user information is stored locally. A local user can be added to an organization or a project, and attached to a role.
    • SSO User:
      • The SSO user information is stored in the SSO server and can be synchronized to the Cloud via the SSO server.
      • The admin can create an SSO user locally. The user information is synchronized to the SSO server for cross-platform SSO.
        Note: Currently, you can create an SSO user locally only after you add a ZStack IAM server.
      • An SSO user can be added to an organization or project, attached to a role, or changed to a local user.
    Note:
    • To log in to the Cloud, tenant management users need to use the Tenant login entry.
      • Local users log in to the Cloud via the Local User entry.
      • AD/LDAP users log in to the Cloud via the AD/LDAP User entry.
      • OIDC/OAuth2/CAS/SAML users log in to the Cloud from the SSO application without the password.
        Note: If the identity provider is ZStack IAM, users log in to the Cloud from the unified login address in Region Management.
    • The admin and platform manager can view the list of all users.
    • If you created an organizational structure tree on the Cloud, platform members can view only the list of users belonging to the organizational structure. If you did not create any organizational structure tree, platform members can view all users.
  • User Group: A user group is a collection of natural persons or a collection of project members. You can use a user group to grant permissions.
  • Role: A role is a collection of permissions that can be granted to users. A user that assumes a role can call API operations based on the permissions specified by the role. Roles are categorized into platform roles and project roles.
    • Platform Role: After a user has a platform role attached, the user will have the management permission of the corresponding zone. Permissions of a platform role take effect only in the zone managed by the user.
    • Project Role: After a user joins a project and has a project role attached, the user will have the permission to use the project and manage the data in the project.
    Note:
    • One user can have both platform roles and project roles attached.
    • One user can have more than one platform role or project role attached.
    • In a project, if a user has multiple project roles attached, the user will have all the permissions attached to the project roles.
  • Single Sign-On: The Single Sign-On service provided by the Cloud. It supports seamless access to SSO systems. Through the service, related users can directly log in to the Cloud and manage cloud resources.
    • AD authentication:

      Active Directory (AD) is a directory service designed for Windows Standard Server, Windows Enterprise Server, and Windows Datacenter Server. AD provides an independent, standard login authentication system for increasingly diverse office applications.

      AD users or organizations can be synchronized to the user list or organization of ZStack Cube Ultimate via an AD server, while specified AD login attributes can be used to directly log in to ZStack Cube Ultimate.

    • LDAP authentication:

      Lightweight Directory Access Protocol (LDAP) can provide a standard directory service that offers an independent, standard login authentication system for increasingly diverse office applications.

      LDAP users can be synchronized to the user list of ZStack Cube Ultimate via an LDAP server, while specified LDAP login attributes can be used to directly log in to ZStack Cube Ultimate.

    • OIDC authentication:

      OpenID Connect (OIDC) is a set of authentication protocols based on the OAuth2 protocol, and it allows the clients to verify the user identity and obtain basic user configuration information.

      The user information can be synchronized to the Cloud according to the mapping rules via an OIDC server, and users of the OIDC authentication system can log in to the Cloud without the password.

    • OAuth2 authentication:

      Open Authorization 2.0 (OAuth2) is a set of authorization protocol standards that can authenticate and authorize users to access related resources. The Cloud currently only supports authorization through the authorization code.

      The user information can be synchronized to the Cloud according to the mapping rules via an OAuth2 server, and users of the OAuth2 authentication system can log in to the Cloud without the password.

    • CAS authentication:

      Central Authentication Service (CAS) is a set of single sign-on protocols that allow website applications to authenticate users.

      The user information can be synchronized to the Cloud according to the mapping rules via a CAS server, and users of the CAS authentication system can log in to the Cloud without the password.

    • SAML authentication:

      An SSO server based on the SAML 2.0 protocol. It enables the Cloud platform (as a Service Provider, SP) to integrate with an Identity Provider (IdP). Users from the IdP can log in to the Cloud platform without a password after authentication and authorization. User information will be synchronized to the Cloud platform according to mapping rules.

  • Project Management: Project management allows you to schedule resources based on projects. You can create an independent resource pool for a specific project. In this way, you can better manage the project lifecycle (including determining time, quotas, and permissions) to improve cloud resource utilization at a granular, automated level and strengthen collaboration between project members.
  • Project: A project is a task that needs to be accomplished by specific personnel at a specified time. In Tenant Management, you can plan resources at the project granularity and allocate an independent resource pool to a project. The word Tenant in Tenant Management mainly refers to projects. A project is a tenant.
    • When you create a project, you need to specify the resource quotas and reclaim policy, and add project members.
    • The basic resources (instance offering, image, network, and other resources) on the Cloud should be shared or created in advance.
  • Ticket Management: To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can apply for tickets to obtain cloud resources. Tickets are reviewed and approved according to custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available: apply for VM instances, delete VM instances, modify VM configurations, modify project cycles, and modify project quotas.
  • Process Management: Process management is part of ticket management that manages the processes related to the resources of projects. Processes can be categorized into default processes and custom processes.
    • Default process: The project member submits a ticket to the admin, and then the admin approves the ticket. This process applies to the following scenarios:
      • The tickets that are not configured with a ticket process.
      • The tickets which apply for modifications on the project cycle.
      • The tickets which apply for modifications on the project quota.
      • If the custom ticket process is deleted, the tickets will be resubmitted automatically via the default ticket process.
    • Custom process: The project member submits a ticket. The project member makes process settings via process management. Finally, the admin or project admin approves the ticket. This process applies to the following scenarios:
      • The tickets created to apply for VM instances, delete VM instances, and change VM configurations will be prioritized to be submitted via the configured, custom ticket process.

      • If you modify the valid ticket process, the tickets will be automatically resubmitted via this modified, custom ticket process.
      • If you modify the invalid ticket process, you need to resubmit the tickets manually by using this modified, custom ticket process.
  • My Approval: In the Cloud, only the administrator and project administrators are granted approval permissions. The administrator and project administrators can approve or reject a ticket. If a ticket is approved, resources are automatically deployed and allocated to the specified project.
    Note: The platform admin and regular platform members do not have the permission for ticket management, and the menu My Approval is not supported for these two roles.
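The routing rules in the Process Management and My Approval definitions above, written out as an added example (this is not ZStack Cube Ultimate's own code). The ticket type identifiers, the TicketProcess class and the function names are assumptions chosen to illustrate the page; the rules themselves (which ticket types always use the default process, what happens when a custom process is deleted, modified while valid, or modified while invalid, and that the admin or a project admin gives final approval) are the ones stated on this page.

```python
"""Ticket routing rules from the Process Management definitions (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Tickets that use a configured custom process when one exists.
RESOURCE_TICKETS = frozenset({"apply_vm", "delete_vm", "modify_vm_config"})
# Tickets that always use the default process.
PROJECT_TICKETS = frozenset({"modify_project_cycle", "modify_project_quota"})
DEFAULT_APPROVERS = ("admin",)
# Roles that may give the final approval in a custom process.
FINAL_APPROVERS = frozenset({"admin", "project_admin"})


@dataclass
class TicketProcess:
    """A custom ticket process configured through process management (assumed shape)."""
    name: str
    approvers: Tuple[str, ...]  # in approval order; the last entry gives final approval
    valid: bool = True          # False once the process has become invalid
    deleted: bool = False       # True once the process has been deleted


def validate_process(process: TicketProcess) -> bool:
    """A custom process needs at least one approver and an admin or project admin at the end."""
    return bool(process.approvers) and process.approvers[-1] in FINAL_APPROVERS


def route_ticket(ticket_type: str, custom: Optional[TicketProcess]) -> Tuple[str, Tuple[str, ...]]:
    """Return (process name, approver chain) for a newly submitted ticket."""
    if ticket_type not in RESOURCE_TICKETS | PROJECT_TICKETS:
        raise ValueError(f"unknown ticket type: {ticket_type!r}")
    if ticket_type in PROJECT_TICKETS or custom is None or custom.deleted:
        # Default process: the project member submits, the admin approves.
        return "default", DEFAULT_APPROVERS
    return custom.name, custom.approvers


def resubmission_after_change(custom: TicketProcess) -> Tuple[str, str]:
    """For tickets already routed through a custom process that is then deleted or
    modified: return (process to resubmit via, "automatic" or "manual")."""
    if custom.deleted:
        return "default", "automatic"   # deleted process: default process, automatically
    if custom.valid:
        return custom.name, "automatic"  # modified valid process: resubmitted automatically
    return custom.name, "manual"         # modified invalid process: resubmit by hand


# Constructed sample: a two-step custom process for VM tickets.
VM_PROCESS = TicketProcess("vm-approval", ("department_manager", "project_admin"))


if __name__ == "__main__":
    print(validate_process(VM_PROCESS))
    print(route_ticket("apply_vm", VM_PROCESS))
    print(route_ticket("modify_project_quota", VM_PROCESS))
    print(resubmission_after_change(TicketProcess("old", ("admin",), deleted=True)))
```

The check in validate_process is the one a reviewer of a process configuration would want: a chain that never reaches the admin or a project admin cannot give the final approval the page describes.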

SSO Rename

Starting from ZStack Cube Ultimate 5.1.8, third-party authentication is renamed Single Sign-On (SSO). The following list describes the common term changes that have been updated throughout this guide as a result of the rename, giving each legacy term followed by its current term:
  • Third-Party Authentication: Single Sign On or SSO
  • Third-Party Authentication Server: SSO Server
  • Third-Party Authentication System: SSO System or SSO Authentication System
  • Third-Party User: SSO User
  • Third-Party Sub-Account: SSO Sub-Account
  • Third-Party Attribute: SSO Attribute

Architecture

Tenant Management mainly includes four subfeatures: project management, ticket management, independent zone management, and Single Sign On.
  • Platform Management:

    To effectively manage the Cloud, the platform user (platform admin/regular platform member) can cooperate with the super administrator to manage and operate the Cloud together. ZStack Cube Ultimate provides various system roles such as Platform Admin Role and Dashboard Role. You can also satisfy various usage scenarios by creating custom roles at the API level.

  • Project Management:

    Project management is project-oriented resource planning. Specifically, you can create an independent resource pool for a specific project. Project lifecycles can be managed (including determining time, quotas, and permissions) to improve cloud resource utilization at a granular, automated level and strengthen collaboration between project members.

  • Ticket Management:

    To better provide basic resources efficiently for each project, project members (project admins, project managers, or regular project members) can submit tickets to obtain cloud resources. Tickets are reviewed and approved according to custom ticket review processes of each project. Finally, the admin, project admins, department managers, and the customized approvers approve the tickets. Currently, five types of ticket are available, including applying for VM instances, deleting VM instances, modifying VM configurations, modifying project cycles, and modifying project quotas.

  • Independent Zone Management:

    Usually, a zone corresponds to an actual data center in a place. If resources are isolated by zone, you can specify the corresponding zone admins for each zone so that each machine room is managed independently. In addition, the admin can inspect and manage all zones.

  • Single Sign On:

    Single Sign On is an SSO authentication service provided by ZStack Cube Ultimate. It allows seamless access to the SSO system, so that users of the corresponding account system can directly log in to the Cloud and conveniently use cloud resources.

Differences in Roles and relevant Permissions

Definitions related to Tenant Management Account System:
  • admin: A super administrator who owns all permissions. Usually, the admin is the IT system administrator, who has all the permissions.
  • Local User: A user that is created on the Cloud. A local user can be added to an organization, added to a project, and attached to a role.
  • SSO User: A user that is synchronized to the Cloud through SSO. An SSO user can be added to an organization, added to a project, and attached to a role.
  • Platform User: A user that is not added to a project yet, including platform admin and the regular platform member.
  • Platform Admin: A user that has the platform admin role attached. A platform admin who has been allocated a specified zone or all zones manages the data center of the allocated zone or zones.
  • Head of Department: The admin can assign a head for the department, and this role is used for identification only. When a head of department becomes a project member, the head of a department has the permission to check department bills.
  • Project User: A user who has joined a project, including project admin, project operator, and regular project member.
  • Project Admin: A user that has the project admin role attached. A project admin is responsible for managing users in a project, and has the highest permission in a project.
  • Project Manager: A user that has the project manager role attached. A project manager assists project admins to manage projects. One or more project members in the same project can be specified to act as project managers.
  • Department Manager: The admin can assign a department manager for the new team. It is a type of platform role and is responsible for the operation management of the entire department, including project management, ticket management, checking bills, and department critical resource monitoring.
  • Root Role: The root role is used to limit the permission scope of the custom role. The permission of a custom role is inherited from its root role, and is a subset of the root role permission.
  • Quota: A measurement standard that determines the total quantity of resources for a project. A quota mainly includes the VM instance count, CPU count, memory capacity, maximum number of data volumes, and maximum capacity of all volumes.
  • Project Reclaim Policy: You need to specify a project reclaim policy when you create a project. There are three types of project reclaim policy, including unlimited, reclaim by specifying time, and reclaim by specifying cost.
    • Unlimited: After you create a project, resources within the project will be in the enabled state by default.
    • Reclaim by Specifying Time:
      • When a project has fewer than 14 days left before its expiration date, the smart operation assistant displays an expiration prompt after a project member logs in to the Cloud.
      • After the project expires, resources within the project are reclaimed according to the specified policy. The policy includes disabling login (preventing project members from logging in to the Cloud), stopping resources, and deleting the project.
    • Reclaim by Specifying Cost: When the project spending reaches the maximum limit, resources within the project are reclaimed according to the specified policy. The policy includes disabling login (preventing project members from logging in to the Cloud), stopping resources, and deleting the project.
  • Access Control: When you create a project, you can specify whether project members are allowed or prohibited from logging in to the project within a specified time period. There are two types of access control policy: login allowed time and login prohibited time.
    • Login Allowed Time: You can set, by day or by week, the time when members in the project can log in to the project. After the setting takes effect, project members can log in to the project only during the login allowed time period.
    • Login Prohibited Time: You can set, by day or by week, the time when members in the project cannot log in to the project. After the setting takes effect, project members cannot log in to the project during the login prohibited time period.
  • Security group constraint: If you enable security group constraint, when a project member creates a VM instance, the VM instance must have one or more security groups attached.
    • Before you can enable security group constraint for the project, make sure that the project security group quota is set to 1 or higher.
    • If you enable the security group constraint for the project, a default security group is created when the project is created.
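The role and access-control rules in the definitions above, modelled as an added example (not ZStack Cube Ultimate's own code). The permission names such as "vm:create", the Role class, the window representation and the function names are assumptions; the rules they implement are the ones on this page: a custom role's permissions are a subset of its root role, a user with several project roles gets the union of their permissions, and login is gated by either a login allowed time or a login prohibited time policy.

```python
"""Role permission and access-control checks modelled on the Tenant Management definitions (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]
    root: Optional["Role"] = None  # set for custom roles, None for system roles


def validate_custom_role(role: Role) -> bool:
    """A custom role must name a root role and stay within that root role's permissions."""
    return role.root is not None and role.permissions <= role.root.permissions


def effective_permissions(roles: List[Role]) -> FrozenSet[str]:
    """Several project roles attached to one user combine by union."""
    perms = set()
    for role in roles:
        perms |= role.permissions
    return frozenset(perms)


def can_call(roles: List[Role], api: str) -> bool:
    """True when at least one attached role grants the API operation."""
    return api in effective_permissions(roles)


# A window policy maps a weekday (0 = Monday) to [start_hour, end_hour) ranges.
Windows = Dict[int, List[Tuple[int, int]]]


def _in_windows(windows: Windows, when: datetime) -> bool:
    return any(start <= when.hour < end for start, end in windows.get(when.weekday(), []))


def login_permitted(when: datetime, allowed: Optional[Windows] = None,
                    prohibited: Optional[Windows] = None) -> bool:
    """Login Allowed Time: permit only inside the windows.
    Login Prohibited Time: permit only outside the windows.
    With neither configured there is no time restriction."""
    if allowed is not None:
        return _in_windows(allowed, when)
    if prohibited is not None:
        return not _in_windows(prohibited, when)
    return True


# Constructed sample data: a project admin role used as the root role, two
# custom roles within it, one custom role that exceeds it, and office hours.
PROJECT_ADMIN = Role("project-admin",
                     frozenset({"vm:create", "vm:delete", "vm:start", "volume:create"}))
VM_OPERATOR = Role("vm-operator", frozenset({"vm:start"}), root=PROJECT_ADMIN)
VOLUME_CREATOR = Role("volume-creator", frozenset({"volume:create"}), root=PROJECT_ADMIN)
OVERREACH = Role("overreach", frozenset({"vm:start", "zone:delete"}), root=PROJECT_ADMIN)
OFFICE_HOURS: Windows = {day: [(9, 18)] for day in range(5)}  # Monday to Friday, 09:00-18:00


if __name__ == "__main__":
    for role in (VM_OPERATOR, OVERREACH):
        print(role.name, "ok" if validate_custom_role(role) else "exceeds its root role")
    print(sorted(effective_permissions([VM_OPERATOR, VOLUME_CREATOR])))
    print(login_permitted(datetime(2024, 1, 8, 10), allowed=OFFICE_HOURS))
```

Rejecting OVERREACH at creation time is the point of the root role: the subset check keeps every custom role within a bound the admin chose, so no custom role can quietly grow beyond the platform or project scope it was derived from.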
The tenant management system grants users a variety of permissions. The permissions of different user roles are as follows:
  • Differences in Accounts Login in Tenant Management
    • Admin can log in to the Cloud via Account Login.

      By using Chrome or Firefox, go to the Account Login page via http://management_node_ip:5000/#/login. To log in to the Cloud, the admin must enter the corresponding user name and password.

      Figure 1. Main Login Page


    • For users (platform admin, platform user, project admin, project manager, regular project member, or department manager), log in to the Cloud via Project Login.
      By using Chrome or Firefox, go to the Project Login page via http://management_node_ip:5000/#/project. To log in to the Cloud, enter the corresponding user name and password. Specifically, the Cloud has two login entrances for Project Login as follows:
      • Local user: the user created on the Cloud. Log in to the Cloud via Local User.
      • AD/LDAP user: an SSO user synchronized to the Cloud via the SSO server. Log in to the Cloud via AD/LDAP User, as shown in Project Login Page.

      After the successful login, you can select the platform or project to be managed to log in to the corresponding management interface.

      Figure 2. Tenant Login Page


  • Feature Differences from Various Perspectives
    Feature Menu admin (System Role) Platform Admin (System Role) Regular Platform Member (Custom Role) Project Admin/ Project Manager (System Role) Department Manager (System Role) Regular Project Member (Custom Role)
    Organization Configure as needed. Configure as needed.
    User Configure as needed. Configure as needed.
    Role Configure as needed. Configure as needed.
    Project Member × × × × Configure as needed.
    User Group Configure as needed. Configure as needed.
    Single Sign On Configure as needed. × × ×
    Project Configure as needed. × ×
    Process Management Configure as needed. × × ×
    My Tickets × × × × Configure as needed.
    My Approval × × Configure as needed.
  • Differences in Permissions of Platform/Project Roles
    • Platform Roles: admin, platform admin, department manager, and regular platform user. The permissions corresponding to these roles are differentiated as follows:
      • admin: A super administrator who owns all permissions.
      • Platform Admin: A platform admin is a type of administrator who has been allocated a specified zone or all zones, and assists the admin to jointly manage the Cloud. A platform admin has all the permissions that the admin has, except the following:
        • A platform admin is allocated a specified zone or all zones, and has the permissions to manage resources in the zone or zones only. Currently, a platform admin is not granted relevant permissions to create or delete zones.
        • A platform admin does not have the permissions related to ticket management, and the menu My Approval is not displayed for this role.
        • A platform admin does not have the permissions related to certificate management, and cannot perform actions such as uploading a certificate.
      • Department Manager: The department manager is a role that has been allocated a specified department. The admin designates a department manager for a new team, and the department manager is responsible for managing the whole department. A department manager has the following permissions:
        • View homepage: Allows you to view the summary of project resources in the department under your management only.
        • View the Cloud monitor: Allows you to view the monitoring information of critical resources of the department under your management.
        • View organizations: Allows you to view the organizational structure of the Cloud, but not to perform related operations.
        • View users: Allows you to view the user information on the Cloud, but not to perform related operations.
        • View user groups: Allows you to view the user group information, but not to perform related operations.
        • View roles: Allows you to view the system project roles of the Cloud, the project roles whose owner is the admin, and the project roles whose owner is the managed department (and its sub-departments).
        • View projects and project-based operations: For projects under the managed department (and its sub-departments), you can view and edit projects and add project members. Setting a department, changing billing prices, generating project templates, and setting logon time limits for projects are not supported.
        • Ticket approval: Supports ticket approval, but the menu Process Management is not displayed.
        • View/Export bills: Allows you to view or export project bills and departmental bills of the department (and its sub-departments) under your management.
      • Regular Platform Member: Platform members other than the platform admin. A regular platform member has all the permissions that the admin has, except the following:
        • A regular platform member does not have the permissions related to ticket approval, and the menu My Approval is not displayed for this role.
        • A regular platform member can view users who are in the same organizational structure only.
        • Any permissions that have not been granted to the member.
    • Project Roles: project admin, project manager, and project member. The permissions corresponding to these roles are differentiated as follows:
      • A project admin can specify one or more project members in the same project to act as project managers, assisting project admins to manage projects.
      • A project manager has all the permissions that a project admin has, but

Advantages

The Tenant Management of ZStack Cube Ultimate has the following advantages:
  • Full-featured: Tenant Management provides users with a range of features such as organization structure management, project-based resource access control, ticket management, and independent zone management.
  • User-friendly: Tenant Management allows you to manage the operation permissions of different roles in a multi-level organizational structure, making the organizational management more flexible and user-friendly.
  • Cost-effective: Each organization has different kinds of departments. In a traditional IT company, resources are allocated to these departments based on their actual needs, and permissions are assigned as needed as well. Against the backdrop of cloud migration, the departments are managed on the cloud to minimize the management costs.

Scenarios

Each organization has its own administrative departments. In a traditional IT company, resources are allocated to administrative departments based on their actual needs, and permissions are assigned as needed as well. After companies migrate their business to the cloud, they expect to enjoy the same experience in resources allocation and permissions assignment on the cloud, which is compatible with the management by administrative departments.

The Tenant Management of ZStack Cube Ultimate provides users with a range of features such as organization structure management, project-based resource access control, ticket management, and independent zone management. Through the division of the organizational structure, it provides the same management as the administrative departments and minimizes the management costs.

Organization

Create an Organization

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > Organization. On the Organization page, click the plus sign to the right of Organization. Then, the Create Organization page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the organization.
  • Description: Optional. Enter a description for the organization.
  • Type: Choose the type of the organization. You can add a new team (by default) or add a subdepartment.
    Note: To add a subdepartment, you need to specify an Upper Department from the subdepartments or new teams that have already been added.
  • Admin: Optional. Specify an appropriate user as the admin.
  • Department Manager: Optional. Specify a department manager for the new team to assist the admin to manage the department.
    Note:
    • A department manager is in charge of the operational management of the whole department, including project management, ticket approval, bill checks, and key resource monitoring.
    • A user cannot be specified as the department manager if the user is already attached to other roles.
    • A user cannot be attached to other roles if the user is specified as the department manager.
  • Quota Setting: The quota settings can be configured manually, and you can configure the quota settings for the following resources:
    • Compute Resource: including memory, and the number of VM instances, running VM instances, CPUs, GPU devices, elastic baremetal instances, and VM scheduling policies.
    • Storage Resource: including the number of data volumes, volume snapshots, images, and backup data, the available storage capacity, the total image size, and the available backup capacity.
    • Network Resource: including the number of VXLAN networks, L3 networks, security groups, VIPs, EIPs, port forwarding, load balancers, and listeners.
    • Other: including the number of scheduled jobs, schedulers, resource alarms, event alarms, endpoints, and tags.
Figure 1. Create Organization


Manage an Organization

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > Organization. Then, the Organization page is displayed.

The following list describes the actions that you can perform on an organization.
  • Add Sub-Department: Add a sub-department to the current organization.
  • Edit Organization: Edit the name and description of an organization.
  • Change Department Admin: Reassign a user as the department admin.
  • Remove Department: Change the upper-department of a sub-department.
  • Add User: Add one or more users to an organization.
  • Remove User: Remove one or more users from an organization.
    Note: Removing a department admin from an organization also removes its role of department admin.
  • Join Project: Add one or more immediate members to a specified project.
  • Delete Organization: Delete an organization.
    Note: Deleting a department also deletes all of its sub-departments. Proceed with caution.

User

Create a Local User

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > User > Local User. On the Local User page, click Create User. Then, the Create User page is displayed.
Note: If you add a ZStack IAM server, you cannot create a local user. Create an SSO user instead.
ZStack Cube Ultimate allows you to create a local user by one of the following methods:
  • Custom
  • Template Import

Custom

On the Create User page, select Custom and set the following parameters:
  • Name: Enter a name for the user.
  • Description: Optional. Enter a description for the user.
  • User Name: Specify a user name for the user as a unique identifier for logging in to the Cloud.
  • Password: Specify a password for login.
  • Confirm Password: Enter again the password for confirmation.
  • Immediate Department: Optional. You can add the user directly to a corresponding department.
  • Phone Number: Optional. Enter a phone number of the user.
  • Email Address: Optional. Enter an email address of the user.
  • Identifier: Optional. Enter an identifier of the user, such as an employee ID.
  • Platform Role: Optional. You can specify one or multiple platform roles for a user. If specified, you need to set the management zone.
    Note:
    • After a platform role is bound to users, these users can act as managers to manage the Cloud. A platform role that has the zone attribute can manage the data centers of the assigned zones.
    • After a platform role is bound to users, these users can log in to the Cloud via Project Login.
    • Management Zone: Specify a zone for the platform role.
      Note:
      • After a zone is specified to users, these users can only manage the zones specified to them.
      • One platform role can manage a group of zones, while one zone can be co-managed by multiple platform roles.
  • Project: Optional. You can add a user to one or multiple projects.
    Note: After a user is bound to a project, this user will have corresponding permissions of the project, and manage corresponding data within the project.
Figure 1. Create User with Custom Method


Template Import

On the Create User page, select Template Import as the method to create a user. The detailed steps are as follows:
  1. Download the template.
    Click Download Template to download a template in the .csv format.
    Figure 2. Template


    Note: User name, name, and password are required parameters, and the user name must be globally unique.
  2. Fill in the configuration information of users according to the prescribed format.

    The user template includes a header and an example row, which needs to be deleted or overwritten when editing the template.

    On the template, set the following parameters:
    • Name: Enter a name for the user.
    • User Name: Enter the user name as a unique identifier for logging in to the Cloud.
    • Password: Set a user login password.
    • Description: Optional. Enter a description for the user.
    • Phone Number: Optional. Enter a phone number of the user.
    • Email Address: Optional. Enter an email address of the user.
    • Identifier: Optional. Enter a user ID, such as the job ID.
    • Organization: Optional. A user can be added to one or multiple organizations.
      Note:
      • The organization that you fill in has to be an existing organization. Note that organizations must be separated by /. For example: Company/Dev.
      • If the organization path is duplicated, attach the UUID of an upper-department, such as Company(f11444d42701483791370e9f8b9300b9)/Dev.
      • If a user is added to multiple organizations simultaneously, separate these organizations by &&, such as Company/Dev&&Company/QA.
    • Project: Optional. A user can be added to one or multiple projects.
      Note:
      • The project that you fill in must already exist. To add a user to a single project, enter the project name directly, such as project-01.
      • To add a user to multiple projects at once, separate the projects with &&, such as project-01&&project-02.
  3. After finishing the configurations in the template, upload the template to the Cloud through the browser. Confirm the template and click OK. The Cloud automatically creates users according to the uploaded template file.
    Figure 3. Upload Template
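
The template rules above (three required columns, a globally unique user name, organization paths separated by /, a parent UUID in parentheses when the path is not unique, and && between multiple organizations or projects) are easy to get wrong in a large file, and the Cloud rejects the upload as a whole. The following script is an added example, not part of the product or this guide: it validates every row before anything is uploaded and reports each problem with its line number. The column names, the organization tree, the project list and the existing user names are all constructed for the example; check the column names against the header of the template you actually download.

```python
import csv
import io
import re

# Constructed template contents in the layout described above: a header row
# followed by user rows. The column names are an assumption; check them
# against the header of the template downloaded from the Cloud.
SAMPLE_CSV = """name,username,password,description,phone,email,identifier,organization,project
John Doe,jdoe,S3cret!pass,Backend dev,13800000000,jdoe@example.com,001,HQ/Dev&&HQ/QA,project-01&&project-02
Jane Roe,jroe,An0ther!pass,,,,002,Company(f11444d42701483791370e9f8b9300b9)/Dev,project-01
,nobody,x,,,,,,
Dup User,jdoe,pass,,,,,Company/Dev,project-99
"""

# Constructed organization tree: uuid -> (name, parent uuid). Two top-level
# departments are both called "Company", which is exactly the case where the
# path must carry the UUID of the upper department.
HQ, HQ_DEV, HQ_QA = "a" * 32, "1" * 32, "2" * 32
COMPANY_A, COMPANY_B = "f11444d42701483791370e9f8b9300b9", "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
COMPANY_A_DEV, COMPANY_B_DEV = "3" * 32, "4" * 32
ORGS = {
    HQ: ("HQ", None), HQ_DEV: ("Dev", HQ), HQ_QA: ("QA", HQ),
    COMPANY_A: ("Company", None), COMPANY_A_DEV: ("Dev", COMPANY_A),
    COMPANY_B: ("Company", None), COMPANY_B_DEV: ("Dev", COMPANY_B),
}
# Constructed list of existing projects and of user names already taken.
PROJECTS = {"project-01", "project-02"}
EXISTING_USERNAMES = {"admin"}

SEGMENT_RE = re.compile(r"^(?P<name>[^()/]+)(?:\((?P<uuid>[0-9a-f]{32})\))?$")


def resolve_org(path):
    """Resolve 'HQ/Dev' or 'Company(<uuid>)/Dev' to the UUID of the last segment.

    Raises ValueError when a segment is malformed, does not exist, or matches
    more than one department at that level and carries no UUID.
    """
    parent = None
    for segment in path.split("/"):
        m = SEGMENT_RE.match(segment)
        if not m:
            raise ValueError(f"malformed segment {segment!r} in {path!r}")
        candidates = [u for u, (name, p) in ORGS.items()
                      if name == m["name"] and p == parent]
        if m["uuid"]:
            candidates = [u for u in candidates if u == m["uuid"]]
        if not candidates:
            raise ValueError(f"organization {segment!r} not found in {path!r}")
        if len(candidates) > 1:
            raise ValueError(f"{segment!r} is ambiguous in {path!r}; append its UUID")
        parent = candidates[0]
    return parent


def parse_template(text, existing_usernames=frozenset(EXISTING_USERNAMES)):
    """Validate every row of the CSV before anything is created.

    Returns (accepted, rejected): accepted rows as dicts ready for creation,
    rejected rows as (line number, list of error messages).
    """
    accepted, rejected = [], []
    taken = set(existing_usernames)
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        errors = []
        for field in ("name", "username", "password"):  # required columns
            if not row.get(field):
                errors.append(f"missing required field {field!r}")
        username = row.get("username") or ""
        if username in taken:  # user names must be globally unique
            errors.append(f"user name {username!r} is already taken")
        taken.add(username)
        org_uuids = []
        for org_path in filter(None, (row.get("organization") or "").split("&&")):
            try:
                org_uuids.append(resolve_org(org_path))
            except ValueError as exc:
                errors.append(str(exc))
        projects = [p for p in (row.get("project") or "").split("&&") if p]
        errors += [f"project {p!r} does not exist" for p in projects if p not in PROJECTS]
        if errors:
            rejected.append((lineno, errors))
        else:
            accepted.append({"username": username, "name": row["name"],
                             "organizations": org_uuids, "projects": projects})
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_template(SAMPLE_CSV)
    print("accepted:", [u["username"] for u in ok])
    for lineno, errs in bad:
        print(f"line {lineno}: " + "; ".join(errs))
```

In the constructed file, line 4 is rejected for its missing name and line 5 for three reasons at once: the duplicate user name jdoe, the ambiguous path Company/Dev (two top-level departments are called Company, so the parent UUID is required), and the non-existent project-99. Run the check against the real organization and project lists exported from the Cloud before uploading.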


Manage a Local User

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > User. Then, the Local User page is displayed.

The following table lists the actions that you can perform on a local user.

Action | Description
Create User | Create one or more local users.
Edit User | Edit the name and description of a user.
Change Password | Change the login password of a user.
Join Department | Add one or more users to one or more departments.
Join User Group | Add a user to one or more user groups.
Modify Platform Role | Attach one or more platform roles to a user.
Join Project | Add one or more users to one or more projects.
Set Zone for User | Assign zones to a user. After zones are assigned, the user can manage only those zones.
Delete User | Delete a user.
Note:
  • If the user is a Department Admin, Project Admin, or Project Manager, deleting the user removes these roles from the user.
  • If the user is part of a ticket flow, deleting the user disables the ticket flow, and all tickets associated with the flow are recalled.

Create an SSO User

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > User > SSO User. On the SSO User page, click Create User. Then, the Create User page is displayed.
Note: You can create an SSO user only after you add a ZStack IAM server.
On the displayed page, set the following parameters:
  • Name: Enter a name for the user.
  • Description: Optional. Enter a description for the user.
  • User Name: Specify a user name for the user, which is the unique identifier for logging in to the Cloud.
  • Password: Specify a password for login.
  • Confirm Password: Enter the password again for confirmation.
  • Immediate Department: Optional. Add the user directly to a department.
  • Phone Number: Optional. Enter a phone number of the user.
  • Email Address: Optional. Enter an email address of the user.
  • Identifier: Optional. Enter an identifier of the user, such as an employee ID.
  • Platform Role: Optional. Specify one or multiple platform roles for the user. If specified, you also need to set the management zone.
    Note: After a platform role is attached to users, these users can manage the Cloud. A platform role that has the zone attribute can manage the data centers of its assigned zones.
    • Management Zone: Specify the zones that the platform role manages.
      Note:
      • After zones are assigned to users, these users can manage only those zones.
      • One platform role can manage a group of zones, and one zone can be co-managed by multiple platform roles.
  • Project: Optional. Add the user to one or multiple projects.
    Note: After a user is bound to a project, the user has the corresponding permissions of the project and can manage the corresponding data within the project.
Figure 1. Create SSO User


Manage an SSO User

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > User. On the User page, click SSO User. Then, the SSO User tab is displayed.

The following table lists the actions that you can perform on an SSO user.

Action | Description
Join Department | Add one or more users to one or more departments.
Join User Group | Add a user to one or more user groups.
Modify Platform Role | Attach one or more platform roles to a user.
Join Project | Add one or more users to one or more projects.
Set Zone for User | Assign zones to a user. After zones are assigned, the user can manage only those zones.
Change to Local User | After an AD server is synchronized, users that no longer exist on the AD server are put in the deleted state and cannot log in. You can change these deleted AD users to local users.
Note:
  • After SSO users are changed to local users, they inherit and continue to use their original user data, such as their original projects and permissions.
  • After SSO users are changed to local users, change their passwords. Otherwise, you cannot log in to the Cloud as these local users.
Delete User | Delete a user.
Note:
  • If the user is a Department Admin, Project Admin, or Project Manager, deleting the user removes these roles from the user.
  • If the user is part of a ticket flow, deleting the user disables the ticket flow, and all tickets associated with the flow are recalled.
  • Deleting an SSO user does not affect the source user in the SSO server.

User Group

Create a User Group

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > User Group. On the User Group page, click Create User Group. Then, the Create User Group page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the user group.
  • Description: Optional. Enter a description for the user group.
  • User: Optional. Select one or more users to add to the user group.
  • Project: Optional. Add one or more projects for the user group.
Figure 1. Create User Group


Manage a User Group

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > User Group. Then, the User Group page is displayed.

The following table lists the actions that you can perform on a user group.

Action | Description
Create User Group | Create a user group to manage users in groups.
Edit User Group | Edit the name and description of a user group.
Add User | Add one or more users to a user group.
Join Project | Add a user group to a specified project.
Delete User Group | Delete a user group. Deleting a user group also removes the group membership of the relevant users.

Role

Create a Role

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > Role. On the Role page, click Create Role. The Create Role page appears.

To create a role, follow these three steps:
  1. Configure basic info.
    Set the following parameters:
    • Name: Enter a name for the role.
    • Description: Optional. Enter a description for the role.
    • Role Type: Select a role type for the role. Valid values: Platform Role and Project Role.
      Note:
      • Platform Role: After a platform role is attached to a user, the user has the management permission of the corresponding zones. Permissions of a platform role take effect only in the zones managed by the user.
      • Project Role: After a user joins a project and has a project role attached, the user has the permission to use the project and manage the data in the project.
      • Notice:
        1. One user can have both types of role attached.
        2. One user can have more than one platform role or project role attached.
        3. In a project, if a user has multiple project roles attached, the user has all the permissions of those project roles combined.
    • Root Role: Specify a root role to limit the permission range of custom roles that inherit from it. The permissions of such a custom role are a subset of those of the root role.
    Figure 1. Configure Basic Info


  2. Specify UI permissions.
    Specify permission services for the role.
    Note: Permission services are a collection of permissions categorized by resources, and there may be dependencies between different permission services. We recommend that you use the system roles preset in the Cloud or select all permissions.
    Figure 2. Specify UI Permissions


  3. Preview.
    Confirm the role that you are about to create. You can modify the configurations by clicking the Edit icon.
    Figure 3. Preview
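
The role model described in the steps above has three rules worth checking in code: a platform role grants a permission only in the zones the user manages, project roles in one project are combined by union, and a custom role may never exceed its root role. The following is an added example, not the Cloud's own authorization code: a small model that enforces those rules. The permission names, the roles and the user are constructed placeholders, and binding the managed zones to each platform role attachment is an assumption made for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    kind: str                      # "platform" or "project"
    permissions: frozenset
    root: "Role | None" = None     # root role that bounds a custom role


def make_custom_role(name, kind, permissions, root):
    """Create a custom role under a root role.

    A custom role's permissions are a subset of its root role's permissions,
    so anything outside that set is rejected here instead of silently granted.
    """
    permissions = frozenset(permissions)
    if kind != root.kind:
        raise ValueError(f"{name}: role type {kind!r} differs from root role {root.name!r}")
    extra = permissions - root.permissions
    if extra:
        raise ValueError(f"{name}: not granted by root role {root.name!r}: {sorted(extra)}")
    return Role(name, kind, permissions, root)


@dataclass
class User:
    name: str
    # Assumption: each platform role attachment carries the zones it manages,
    # since the management zone is set together with the platform role.
    platform_roles: dict = field(default_factory=dict)   # Role -> frozenset of zone names
    project_roles: dict = field(default_factory=dict)    # project -> set of Roles


def effective_project_permissions(user, project):
    """Union of every project role the user holds in one project."""
    return frozenset().union(*(r.permissions for r in user.project_roles.get(project, ())))


def can_manage(user, permission, zone):
    """Platform check: the permission counts only in a zone the user manages with that role."""
    return any(permission in role.permissions and zone in zones
               for role, zones in user.platform_roles.items())


def can_use(user, permission, project):
    """Project check: any project role held in that project may grant the permission."""
    return permission in effective_project_permissions(user, project)


# Constructed roles; the permission names are placeholders, not the Cloud's permission services.
PLATFORM_ROOT = Role("Platform Admin", "platform", frozenset({"zone.read", "host.manage", "vm.manage"}))
ZONE_OPERATOR = make_custom_role("Zone Operator", "platform", {"zone.read", "host.manage"}, PLATFORM_ROOT)
PROJECT_ROOT = Role("Project Admin", "project",
                    frozenset({"vm.create", "vm.delete", "volume.create", "member.manage"}))
VM_OPERATOR = make_custom_role("VM Operator", "project", {"vm.create", "vm.delete"}, PROJECT_ROOT)
STORAGE_OPERATOR = make_custom_role("Storage Operator", "project", {"volume.create"}, PROJECT_ROOT)

# Constructed user holding both role types, with two project roles in project-01.
ALICE = User(
    "alice",
    platform_roles={ZONE_OPERATOR: frozenset({"zone-a"})},
    project_roles={"project-01": {VM_OPERATOR, STORAGE_OPERATOR}, "project-02": {VM_OPERATOR}},
)


if __name__ == "__main__":
    print(sorted(effective_project_permissions(ALICE, "project-01")))
    print(can_manage(ALICE, "host.manage", "zone-a"), can_manage(ALICE, "host.manage", "zone-b"))
```

With this model, alice can create volumes in project-01 (granted by Storage Operator) but not in project-02, and can manage hosts in zone-a but not in zone-b; an attempt to create a custom role with a permission its root role lacks fails at creation time, which is the place to catch an over-broad role rather than at first use.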


Manage a Role

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > Role. Then, the Role page is displayed.

The following table lists the actions that you can perform on a role.

Action | Description
Create Role | Create a role.
Edit Role | Edit the name and description of a role.
Modify UI Permissions | Modify the UI permissions of a role.
Delete Role | Delete a role.
Note: After a role is deleted, it is automatically detached from all users it was attached to. Proceed with caution.

SSO

Add an SSO Server

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Personnel and Permissions > Single Sign On. On the Single Sign On page, click Add SSO Server. Then, the Add SSO Server page is displayed.

The following lists the SSO servers that you can add:
  • Add an AD server.
  • Add an LDAP server.
  • Add an OIDC server | other identity provider.
  • Add an OIDC/OAuth2 server | ZStack IAM.
  • Add an OAuth2 server | other identity provider.
  • Add a CAS server.
  • Add a SAML server.

Add an AD Server

On the displayed page, set the following parameters:
  1. Type: Select AD.
  2. Server Configurations: Set the basic information and configuration of an AD server.
    Set the following parameters:
    • Name: Enter a name for the AD server.
    • Description: Optional. Enter a description for the AD server.
    • Type: AD is displayed.
    • Primary Server IP/Domain: Enter an IP address or domain of the primary server.
    • Primary Server Port: Enter the corresponding port of the primary server.
    • SSL/TLS Encryption: Choose whether to select SSL/TLS encryption. By default, the SSL/TLS encryption is selected.
      • If selected, the SSL/TLS encryption is used, which uses port 636 by default and supports custom modification.
      • If not selected, no encryption is used, which uses port 389 by default and supports custom modification.
    • Secondary Server IP/Domain: Optional. Enter an IP address or domain of the secondary server.
    • Secondary Server Port: Optional. Enter the corresponding port of the secondary server.
    • Configuration Info: To configure the scope of AD user synchronization, set the following parameters:
      • Base DN: Enter a base DN. The base DN is the root under which AD users and organization structures are searched, and it defines the scope of synchronization.
      • User DN: Enter a user DN. This user has permission to read everything within the base DN; it is used to access the AD server and obtain the associated data.
      • Password: Specify the login password associated with the user DN.
      • Filter Policy: Choose whether to filter user information during synchronization. By default, the filter is disabled.
      • Filter Mechanism: Select Blocklist or Allowlist as the filtering mechanism.
        Note:
        • If you select Blocklist, users that match the filter rule are not synchronized to the Cloud.
        • If you select Allowlist, only users that match the filter rule are synchronized to the Cloud.
      • Filter Rule: Enter a filter rule for the authentication server.
        Note:
        • The maximum length of a filter rule is determined by the AD server configuration. A rule that exceeds this length does not take effect, so make sure that your rule stays within the limit.
        • The following are examples of the filter rule:
          • Single rule: (name=filterName)
          • Combination rule: (&(name=filterName)(description=departure))
    Figure 1. AD Server Configurations


    After the AD server configurations are completed, click Next and the Cloud automatically tests the connection and goes to the next step, or you can manually click Test Connection to test the configuration accuracy and connection of AD servers.
    • If the connection test succeeds, you can click Next to configure other parameters.
    • If the connection test fails, you can edit the configuration according to the error messages on the upper-right corner until the connection test succeeds.
  3. Synchronize Mapping Rule: Specify login attribute, user mapping rule, and synchronize organization mapping.
    Set the following parameters:
    • Login Attribute: Specify the AD user attribute that is used for Cloud logins.

      For example, if cn is used as the login attribute, AD users can use the value of cn (such as John) as their login name in the Cloud.

    • User Mapping Rule: Select or enter a rule to map AD user attributes to Cloud attributes. Set the following parameters:
      • User Name: Specify a rule to map AD user names to Cloud user names.

        For example, if User Name is mapped to cn, the user created in the Cloud takes the value of cn (such as John) as its user name and can log in to the Cloud with it.

        Note: The user name of a ZStack Cube Ultimate user must be unique. If a synchronized AD user has the same user name as an existing Cloud user, the Cloud automatically appends a random code to the user name of the synchronized AD user.
      • Name: Specify a rule to map the name of AD users to that of Cloud users.

        For example, if Name is mapped to name, the user created in the Cloud takes the value of name (such as Jack) as its name.

      • Mobile Phone: Optional. Specify a rule to map the mobile phone of AD users to that of Cloud users.

        For example, if Mobile Phone is mapped to telephoneNumber, the user created in the Cloud takes the value of telephoneNumber (such as 13800000000) as its mobile phone.

      • Email: Optional. Specify a rule to map the email of AD users to that of Cloud users.

        For example, if Email is mapped to mail, the user created in the Cloud takes the value of mail (such as xxx@xxx.xx) as its email.

      • Identifier: Optional. Specify a rule to map the identifier of AD users to that of Cloud users.

        For example, if Identifier is mapped to employeeID, the user created in the Cloud takes the value of employeeID (such as 001) as its identifier.

      • Description: Optional. Specify a rule to map the description of AD users to that of Cloud users.

        For example, if Description is mapped to description, the user created in the Cloud takes the value of description (such as dev-John) as its description.

      • Custom Attribute: Customize a rule to map an SSO user attribute to a Cloud attribute.
        • System User Attribute: Specify a system user attribute, which can be the same as an existing attribute, such as Identifier.
        • AD/LDAP User Attribute: Specify an AD/LDAP user attribute, such as employeeID.
    • Synchronize Organization Mapping: Choose whether to synchronize organizations. By default, this option is disabled. If enabled, AD organizations within the base DN are synchronized to the organization list in the Cloud.
      • Organization Mapping Method: Select an organization mapping method.
        • Group: Subtrees of the organization tree are distinguished by Group attributes, and AD groups are synchronized to the organization list in the Cloud (recommended).
        • OU: Subtrees of the organization tree are distinguished by OU attributes, and AD groups are synchronized to the organization list in the Cloud.
      • Organization Mapping Rule:
        • Name: Specify a rule to map the name of AD organizations to that of Cloud organizations.

          For example, if the organization name is mapped to cn, the organization created in the Cloud takes the value of cn (such as dev-department) as its name.

        • Description: Optional. Specify a rule to map the description of AD organizations to that of Cloud organizations.

          For example, if the organization description is mapped to description, the organization created in the Cloud takes the value of description (such as dev-backend) as its description.

    Figure 2. Synchronize Mapping Rule


    Click Next. The Cloud automatically tests whether the login attribute, user mapping rule, and organization mapping can be created successfully. After the test succeeds, the Cloud automatically adds the mapping rules.
    Note: Make sure that all AD attributes are specified. Otherwise, the test may fail. If the test fails, edit the mapping rule configurations according to the error messages until the mapping rules are added successfully.
  4. Preview: Confirm the relevant information and configurations of the AD server to be added. You can edit the configuration by clicking the edit icon.
    Figure 3. Preview


    Click Complete to add an AD server, create SSO users, and add organizations.

Add an LDAP Server

On the displayed page, set the following parameters:
  1. Type: Select LDAP.
  2. Server Configurations: Set the basic information and configuration of an LDAP server.
    Set the following parameters:
    • Name: Enter a name for the LDAP server.
    • Description: Optional. Enter a description for the LDAP server.
    • Type: LDAP is displayed.
    • Primary Server IP/Domain: Enter an IP address or domain of the primary server.
    • Primary Server Port: Enter the corresponding port of the primary server.
    • SSL/TLS Encryption: Choose whether to select SSL/TLS encryption. By default, the SSL/TLS encryption is selected.
      • If selected, the SSL/TLS encryption is used, which uses port 636 by default and supports custom modification.
      • If not selected, no encryption is used, which uses port 389 by default and supports custom modification.
    • Secondary Server IP/Domain: Optional. Enter an IP address or domain of the secondary server.
    • Secondary Server Port: Optional. Enter the corresponding port of the secondary server.
    • Configuration Info: To configure the scope of LDAP user synchronization, set the following parameters:
      • Base DN: Enter a base DN. The base DN is the root under which LDAP users and organization structures are searched, and it defines the scope of synchronization.
      • User DN: Enter a user DN. This user has permission to read everything within the base DN; it is used to access the LDAP server and obtain the associated data.
      • Password: Specify the login password associated with the user DN.
      • Filter Policy: Choose whether to filter user information during synchronization. By default, the filter is disabled.
      • Filter Mechanism: Select Blocklist or Allowlist as the filtering mechanism.
        Note:
        • If you select Blocklist, users that match the filter rule are not synchronized to the Cloud.
        • If you select Allowlist, only users that match the filter rule are synchronized to the Cloud.
      • Filter Rule: Enter a filter rule for the authentication server.
        Note:
        • The maximum length of a filter rule is determined by the LDAP server configuration. A rule that exceeds this length does not take effect, so make sure that your rule stays within the limit.
        • The following are examples of the filter rule:
          • Single rule: (name=filterName)
          • Combination rule: (&(name=filterName)(description=departure))
    Figure 4. LDAP Server Configuration


    After the LDAP server configurations are completed, click Next and the Cloud automatically tests the connection and goes to the next step, or you can manually click Test Connection to test the configuration accuracy and connection of LDAP servers.
    • If the connection test succeeds, you can click Next to configure other parameters.
    • If the connection test fails, you can edit the configuration according to the error messages on the upper-right corner until the connection test succeeds.
  3. Synchronize Mapping Rule: Specify login attribute and user mapping rule.
    Set the following parameters:
    • Login Attribute: Specify the LDAP user attribute that is used for Cloud logins.

      For example, if cn is used as the login attribute, LDAP users can use the value of cn (such as John) as their login name in the Cloud.

    • User Mapping Rule: Select or enter a rule to map LDAP user attributes to Cloud attributes. Set the following parameters:
      • User Name: Specify a rule to map LDAP user names to Cloud user names.

        For example, if User Name is mapped to cn, the user created in the Cloud takes the value of cn (such as John) as its user name and can log in to the Cloud with it.

        Note: The user name of a ZStack Cube Ultimate user must be unique. If a synchronized LDAP user has the same user name as an existing Cloud user, the Cloud automatically appends a random code to the user name of the synchronized LDAP user.
      • Name: Specify a rule to map the name of LDAP users to that of Cloud users.

        For example, if Name is mapped to cn, the user created in the Cloud takes the value of cn (such as Jack) as its name.

      • Mobile Phone: Optional. Specify a rule to map the mobile phone of LDAP users to that of Cloud users.

        For example, if Mobile Phone is mapped to mobile, the user created in the Cloud takes the value of mobile (such as 13800000000) as its mobile phone.

      • Email: Optional. Specify a rule to map the email of LDAP users to that of Cloud users.

        For example, if Email is mapped to mail, the user created in the Cloud takes the value of mail (such as xxx@xxx.xx) as its email.

      • Identifier: Optional. Specify a rule to map the identifier of LDAP users to that of Cloud users.

        For example, if Identifier is mapped to employeeNumber, the user created in the Cloud takes the value of employeeNumber (such as 001) as its identifier.

      • Description: Optional. Specify a rule to map the description of LDAP users to that of Cloud users.

        For example, if Description is mapped to description, the user created in the Cloud takes the value of description (such as dev-John) as its description.

      • Custom Attribute: Customize a rule to map an SSO user attribute to a Cloud attribute.
        • System User Attribute: Specify a system user attribute, which can be the same as an existing attribute, such as Identifier.
        • AD/LDAP User Attribute: Specify an AD/LDAP user attribute, such as employeeNumber.
    Figure 5. Synchronize Mapping Rule


    Click Next. The Cloud automatically tests whether the login attribute and user mapping rules can be created successfully. After the test succeeds, the Cloud automatically adds the mapping rules.
    Note: Make sure that all LDAP attributes are specified. Otherwise, the test may fail. If the test fails, edit the mapping rule configurations according to the error messages until the mapping rules are added successfully.
  4. Preview: Confirm the relevant information and configuration of the LDAP server to be added. You can edit the configuration by clicking the edit icon.
    Figure 6. Preview


    Click Complete to add an LDAP server and create SSO users.
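
The Filter Policy and the User Mapping Rule in the AD server and LDAP server steps above both decide which directory accounts end up as Cloud users, so they are worth rehearsing offline before the sync runs against the real directory. The following is an added example, not the Cloud's own synchronization code: a matcher for the filter syntax shown above (single items and the &, | and ! combinations), a function that applies it as a blocklist or allowlist, and a mapper that applies the AD mapping rule, reports entries missing a required attribute, and appends a random code to a user name that already exists in the Cloud. The directory entries and the existing user name are constructed; the "-<hex>" form of the appended code is an assumption, since the Cloud's own format is not documented here.

```python
import secrets


class LdapFilter:
    """Matcher for the filter syntax shown above: (attr=value), (attr=*),
    and the (&...), (|...), (!...) combinations (a subset of RFC 4515)."""

    def __init__(self, text):
        self._text, self._pos = text, 0
        self._pred = self._node()
        if self._pos != len(text):
            raise ValueError(f"trailing characters at position {self._pos}")

    def _peek(self):
        return self._text[self._pos:self._pos + 1]

    def _expect(self, ch):
        if self._peek() != ch:
            raise ValueError(f"expected {ch!r} at position {self._pos}")
        self._pos += 1

    def _node(self):
        self._expect("(")
        op = self._peek()
        if op in ("&", "|", "!"):
            self._pos += 1
            children = []
            while self._peek() == "(":
                children.append(self._node())
            self._expect(")")
            if op == "&":
                return lambda e: all(c(e) for c in children)
            if op == "|":
                return lambda e: any(c(e) for c in children)
            if len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return lambda e: not children[0](e)
        end = self._text.find(")", self._pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = self._text[self._pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {self._text[self._pos:end]!r}")
        self._pos = end + 1
        attr, value = attr.lower(), value.lower()
        if value == "*":                      # presence test
            return lambda e: bool(e.get(attr))
        return lambda e: value in (v.lower() for v in e.get(attr, []))

    def matches(self, entry):
        """entry is {attribute: [values]}; attribute names compare case-insensitively."""
        return self._pred({k.lower(): v for k, v in entry.items()})


def select_for_sync(entries, rule, mechanism):
    """Filter Policy: Blocklist drops matching entries, Allowlist keeps only them."""
    matcher = LdapFilter(rule)
    if mechanism == "blocklist":
        return [e for e in entries if not matcher.matches(e)]
    if mechanism == "allowlist":
        return [e for e in entries if matcher.matches(e)]
    raise ValueError(f"unknown filter mechanism {mechanism!r}")


# User mapping rule from the AD example above: Cloud attribute -> directory attribute.
AD_MAPPING = {"username": "cn", "name": "name", "phone": "telephoneNumber",
              "email": "mail", "identifier": "employeeID", "description": "description"}
REQUIRED = ("username", "name")


def map_users(entries, mapping, existing_usernames, code=lambda: secrets.token_hex(3)):
    """Build Cloud user records from directory entries.

    Entries missing a required attribute are reported instead of created. A user
    name already present in the Cloud gets a random code appended (the "-<hex>"
    form is this example's assumption).
    """
    users, errors = [], []
    taken = set(existing_usernames)
    for entry in entries:
        user = {cloud: (entry.get(ad) or [None])[0] for cloud, ad in mapping.items()}
        missing = [a for a in REQUIRED if not user[a]]
        if missing:
            errors.append((entry["distinguishedName"][0], missing))
            continue
        if user["username"] in taken:
            user["username"] = f"{user['username']}-{code()}"
        taken.add(user["username"])
        users.append(user)
    return users, errors


# Constructed directory entries, multi-valued as an LDAP search returns them.
ENTRIES = [
    {"distinguishedName": ["CN=John,OU=Dev,DC=example,DC=com"], "cn": ["John"],
     "name": ["John Doe"], "telephoneNumber": ["13800000000"], "mail": ["john@example.com"],
     "employeeID": ["001"], "description": ["dev-John"]},
    {"distinguishedName": ["CN=Jack,OU=Dev,DC=example,DC=com"], "cn": ["Jack"],
     "name": ["Jack"], "employeeID": ["002"], "description": ["departure"]},
    {"distinguishedName": ["CN=svc-backup,OU=Service,DC=example,DC=com"],
     "cn": ["svc-backup"], "description": ["service account"]},
]
```

With the blocklist rule (&(name=Jack)(description=departure)), the departed account is dropped and the two remaining entries go to the mapper; the service account has no name attribute and is reported rather than created, which is the failure the "Make sure that all AD attributes are specified" note refers to, and John collides with an existing Cloud user named John and is created under a suffixed user name, so check the synchronized user list for such suffixes after the first sync.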

Add an OIDC Server | Other Identity Provider

On the displayed page, set the following parameters:
  1. Type: Select OIDC.
  2. Server Configurations: Set the basic information and configuration of an OIDC server.
    Set the following parameters:
    • Name: Enter a name for the OIDC server.
    • Description: Optional. Enter a description for the OIDC server.
    • Type: OIDC is displayed.
    • Identity Provider: An IdP collects and stores user identity information, such as user names and passwords, and authenticates users during login. Supported identity providers include default, ZFIAM, Alibaba Cloud IDaaS (Private), MaxKey SSO System, and uploaded SSO plugins.
    • Cloud API URL: The URL to which the authentication server redirects after it has authenticated the user.
      Note:
      • If the Cloud platform API service sits behind a reverse proxy, replace only the original address and port with the proxied ones while keeping the path and parameters.
        Example:
        • Original: https://192.168.1.100:8080/api/auth/callback
        • With reverse proxy: https://api.example.com:8443/api/auth/callback
      • This URL must match the callback address configured on the authentication server.
    • Cloud UI URL: The redirect template for password-free login within the Cloud platform.
      Note:
      • If the Cloud platform UI address uses a reverse proxy, replace only the original address and port with the proxied ones while keeping the path and parameters.
        Example:
        • Original: https://192.168.1.200:80/login/sso?token=<token>
        • With reverse proxy: https://portal.example.com/login/sso?token=<token>
      • This template directly affects login redirection. Incorrect configuration will cause SSO failure.
    • Configuration Info: To configure the required information of synchronizing an OIDC authentication server, set the following parameters:
      • Client ID: Enter the unique ID that the authentication system assigns to the Cloud.
      • Client Secret: Enter the secret that the authentication system assigns to the Cloud.
      • Scope: The Scope is used to specify the scope of user attributes to be obtained when requesting an access token or ID token, such as name, email, phone number, and so on. After specifying the scope, the returned token will contain the corresponding attributes.
      • Authorization Request URL: Enter the request URL used to obtain an authorization grant in authorization code mode.
      • Token Request URL: Enter the request URL used to obtain an access token from the authentication server.
      • Userinfo Request URL: The request URL used to obtain the user information from the authentication server.
      • Logout URL: The URL used to log off sessions after logging out of the Cloud. When logging in to the Cloud again, you need to re-enter the authentication server. If left blank, the login information will not be immediately cleared after logging out of the Cloud, and you can still log in to the Cloud without a password as long as the session is valid.
    Figure 7. OIDC Server Configuration


  3. Synchronize Mapping Rule: Specify user mapping rules for an OIDC authentication server.
    Set the following parameters:
    • User Mapping Rule: Through the mapping rule, the SSO user has local user attributes after it is synced to the Cloud. The rule is used to map SSO attributes of an SSO user to Cloud attributes.
      • User Name: Specify a rule to map an attribute of OIDC users to the user name of Cloud users. The user name is the unique identifier of a user. Make sure that the attribute you map is also unique in the authentication system.

        For example, if User Name is mapped to username, the user synced to the Cloud takes the value of username (such as John) as its user name.

      • Name: Specify a rule to map an attribute of OIDC users to the name of Cloud users.

        For example, if Name is mapped to name, the user created in the Cloud takes the value of name (such as Jack) as its name.

      • Mobile Phone: Optional. Specify a rule to map an attribute of OIDC users to the mobile phone of Cloud users.

        For example, if Mobile Phone is mapped to telephoneNumber, the user created in the Cloud takes the value of telephoneNumber (such as 13800000000) as its mobile phone.

      • Email: Optional. Specify a rule to map an attribute of OIDC users to the email of Cloud users.

        For example, if Email is mapped to mail, the user created in the Cloud takes the value of mail (such as xxx@xxx.xx) as its email.

      • Identifier: Optional. Specify a rule to map an attribute of OIDC users to the identifier of Cloud users.

        For example, if Identifier is mapped to employeeID, the user created in the Cloud takes the value of employeeID (such as 001) as its identifier.

      • Description: Optional. Specify a rule to map an attribute of OIDC users to the description of Cloud users.

        For example, if Description is mapped to description, the user created in the Cloud takes the value of description (such as dev-backend) as its description.

      • User Group: Optional. Specify a rule to map the user group of the SSO server to a user group in the Cloud.

        For example, if User Group is mapped to usergroup, the user joins the Cloud user groups whose names match the value of usergroup (such as group-1, group-2).

        Note: If the Cloud has multiple user groups that share the same name as the mapped user group, the SSO user will directly join the existing user groups after logging in to the Cloud. If you do not want the synced user to be added to multiple user groups, you can edit the user group name or delete unnecessary user groups.
    Figure 8. Synchronize Mapping Rule


  4. Preview: Confirm the relevant information and configuration of the OIDC server to be added.
    Figure 9. Preview


    Click Complete to add an OIDC server and synchronize SSO user information.
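
Two details of the OIDC server steps above (and of the OAuth2 server steps that follow, which use the same Cloud API URL, Cloud UI URL and mapping rule) cause most SSO failures in practice: a reverse-proxy rewrite that changes more than the address and port, and a user group name that matches several existing groups. The following is an added example, not the Cloud's own code: a URL rewrite that keeps path and query intact, a claim mapper that applies the mapping rule above and joins every existing group whose name matches, and a check that lists group names that map to more than one Cloud group. The claims, the group catalog and the group UUIDs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Mapping rule as in the example above: Cloud attribute -> claim returned by the IdP.
OIDC_MAPPING = {"username": "username", "name": "name", "phone": "telephoneNumber",
                "email": "mail", "identifier": "employeeID", "description": "description",
                "user_group": "usergroup"}

# Constructed Cloud user groups: group name -> UUIDs of the groups with that name.
# Two existing groups share the name "group-1" to show the behaviour in the note above.
CLOUD_GROUPS = {"group-1": ["ug-1a", "ug-1b"], "group-2": ["ug-2"]}


def rewrite_behind_proxy(url, proxied_netloc):
    """Replace only host and port of a Cloud API/UI URL, keeping scheme, path and query.

    The <token> placeholder of the Cloud UI URL is part of the query string, so it
    survives the rewrite untouched.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, proxied_netloc, parts.path, parts.query, parts.fragment))


def map_claims(claims, mapping=OIDC_MAPPING, cloud_groups=CLOUD_GROUPS):
    """Turn the claims returned by the IdP into a Cloud user record.

    The user name claim is mandatory because it is the Cloud's unique identifier.
    Every group name that exists in the Cloud is joined, including all groups that
    share that name; names that do not exist are reported separately.
    """
    username = claims.get(mapping["username"])
    if not username:
        raise ValueError(f"claim {mapping['username']!r} is missing; it is the Cloud user name")
    user = {cloud: claims.get(claim) for cloud, claim in mapping.items() if cloud != "user_group"}
    raw = claims.get(mapping["user_group"]) or []
    names = [g.strip() for g in raw.split(",")] if isinstance(raw, str) else list(raw)
    names = [g for g in names if g]
    user["group_uuids"] = [uuid for g in names for uuid in cloud_groups.get(g, [])]
    user["unknown_groups"] = [g for g in names if g not in cloud_groups]
    return user


def ambiguous_groups(cloud_groups=CLOUD_GROUPS):
    """Group names that map to more than one Cloud user group.

    The note above suggests renaming or deleting such groups if the synced
    user should not land in all of them.
    """
    return sorted(name for name, uuids in cloud_groups.items() if len(uuids) > 1)


# Constructed claims as an IdP might return them for one user.
SAMPLE_CLAIMS = {"sub": "1234", "username": "John", "name": "Jack",
                 "telephoneNumber": "13800000000", "mail": "john@example.com",
                 "employeeID": "001", "description": "dev-backend",
                 "usergroup": "group-1, group-2, group-x"}


if __name__ == "__main__":
    print(rewrite_behind_proxy("https://192.168.1.200:80/login/sso?token=<token>", "portal.example.com"))
    print(map_claims(SAMPLE_CLAIMS))
    print("ambiguous group names:", ambiguous_groups())
```

For the constructed claims the user joins three groups, two of them because both existing groups are called group-1, and group-x is reported as unknown rather than created. Run ambiguous_groups() against the real group list before enabling the User Group mapping rule if a synced user must not be added to several groups at once.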

Add an OIDC/OAuth2 Server | ZStack IAM

  1. Type: Select OIDC or OAuth2.
  2. On the displayed page, set the following parameters:
    • Name: Enter the name for the SSO server.
    • Description: Optional. Enter a description for the SSO server.
    • Type: OIDC or OAuth2 is displayed.
    • Identity Provider: Select ZStack IAM.
      Note: The ZStack IAM server is dedicated to SSO across multiple regions.
    • Server Address: Enter the complete URL of the ZStack IAM server.
    Figure 10. Add SSO Server | ZStack IAM


Add an OAuth2 Server

On the displayed page, set the following parameters:
  1. Type: Select OAuth2.
  2. Server Configurations: Set the basic information and configuration of an OAuth2 server.
    Set the following parameters:
    • Name: Enter a name for the OAuth2 server.
    • Description: Optional. Enter a description for the OAuth2 server.
    • Type: OAuth2 is displayed.
    • Identity Provider: An IdP collects and stores user identity information, such as user names and passwords, and authenticates users during login. Supported identity providers include default, ZFIAM, Alibaba Cloud IDaaS (Private), MaxKey SSO System, and uploaded SSO plugins.
    • Cloud API URL: The URL to which the authentication server redirects after it has authenticated the user.
      Note:
      • If the Cloud platform API service sits behind a reverse proxy, replace only the original address and port with the proxied ones while keeping the path and parameters.
        Example:
        • Original: https://192.168.1.100:8080/api/auth/callback
        • With reverse proxy: https://api.example.com:8443/api/auth/callback
      • This URL must match the callback address configured on the authentication server.
    • Cloud UI URL: The redirect template for password-free login within the Cloud platform.
      Note:
      • If the Cloud platform UI address uses a reverse proxy, replace only the original address and port with the proxied ones while keeping the path and parameters.
        Example:
        • Original: https://192.168.1.200:80/login/sso?token=<token>
        • With reverse proxy: https://portal.example.com/login/sso?token=<token>
      • This template directly affects login redirection. Incorrect configuration will cause SSO failure.
    • Configuration Info: To configure the required information of synchronizing an OAuth2 authentication server, set the following parameters:
      • Client ID: Enter the unique ID that the authentication system assigns to the Cloud.
      • Client Secret: Enter the secret that the authentication system assigns to the Cloud.
      • Scope: The Scope is used to specify the scope of user attributes to be obtained when requesting an access token or ID token, such as name, email, phone number, and so on. After specifying the scope, the returned token will contain the corresponding attributes.
      • Authorization Request URL: Enter the request URL used to obtain an authorization grant in authorization code mode.
      • Token Request URL: Enter the request URL used to obtain an access token from the authentication server.
      • Userinfo Request URL: The request URL used to obtain the user information from the authentication server.
      • Logout URL: The URL used to log off sessions after logging out of the Cloud. When logging in to the Cloud again, you need to re-enter the authentication server. If left blank, the login information will not be immediately cleared after logging out of the Cloud, and you can still log in to the Cloud without a password as long as the session is valid.
    Figure 11. OAuth2 Server Configuration


  3. Synchronize Mapping Rule: Specify user mapping rules for an OAuth2 authentication server.
    Set the following parameters:
    • User Mapping Rule: Through the mapping rule, the SSO user has local user attributes after it is synced to the Cloud. The rule is used to map SSO attributes of an SSO user to Cloud attributes.
      • User Name: Specify a rule to map the attribute of OAuth2 users to the username of Cloud users. The username is the unique identification of a user. Make sure that the username that you fill in also has a unique identity in the authentication system.

        For example: If a User Name maps username, the User Name whose user is synced to the Cloud can use the value (such as John) matching username.

      • Name: Specify a rule to map the attribute of OAuth2 users to the name of Cloud users.

        For example: If a Name maps name, the Name whose user is created in the Cloud can use the value (such as Jack) matching name.

      • Mobile Phone: Optional. Specify a rule to map the mobile phone of OAuth2 users to that of Cloud users.

        For example: If a Mobile Phone maps telephoneNumber, the Mobile Phone whose user is created in the Cloud can use the value (such as 13800000000) matching telephoneNumber.

      • Email: Optional. Specify a rule to map the attribute of OAuth2 users to the email of Cloud users.

        For example: If an Email maps mail, the Email whose user is created in the Cloud can use the value (such as xxx@xxx.xx) matching mail.

      • Identifier: Optional. Specify a rule to map the attribute of OAuth2 users to the identifier of Cloud users.

        For example: If an Identifier maps employeeID, the Identifier whose user is created in the Cloud can use the value (such as 001) matching employeeID.

      • Description: Optional. Specify a rule to map the attribute of OAuth2 users to the description of Cloud users.

        For example: If a Description maps description, the Description whose user is created in the Cloud can use the value (such as dev-backend) matching description.

      • User Group: Optional. Specify a rule to map the user group of an SSO server to the user group of the Cloud.

        For example: If a User Group maps usergroup, the User Group created in the Cloud can use the value (such as group-1, group-2) matching usergroup.

        Note: If the Cloud has multiple user groups that share the same name as the mapped user group, the SSO user will directly join the existing user groups after logging in to the Cloud. If you do not want the synced user to be added to multiple user groups, you can edit the user group name or delete unnecessary user groups.
    Figure 12. Synchronize Mapping Rule


  4. Preview: Confirm the relevant information and configuration of the OAuth2 server to be added.
    Figure 13. Preview


    Click Complete to add an OAuth2 server and synchronize SSO user information.
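
The Synchronize Mapping Rule step above (and the identical User Mapping Rule steps in the CAS and SAML sections that follow) can be exercised with the following added Python example. It is not part of the ZStack documentation or product code: the attribute set, the rule layout (Cloud attribute mapped to SSO attribute) and the choice of User Name and Name as the required fields are assumptions. It applies a rule to a constructed SSO attribute set, skips optional attributes that are absent, rejects a user whose mapped username is missing or not unique, and reproduces the user-group note: a mapped group name that matches several Cloud user groups joins all of them.

```python
# Added example: applying a Synchronize Mapping Rule to SSO attributes.
# Not ZStack code; attribute names, rule layout and required fields are assumptions.

# Constructed attribute set as an SSO server might return it for one user.
SSO_ATTRIBUTES = {
    "username": "John",
    "name": "Jack",
    "telephoneNumber": "13800000000",
    "mail": "xxx@xxx.xx",
    "employeeID": "001",
    "description": "dev-backend",
    "usergroup": ["group-1", "group-2"],
}

# Mapping rule: Cloud attribute -> SSO attribute, as entered on the mapping-rule page.
MAPPING_RULE = {
    "user_name": "username",
    "name": "name",
    "mobile_phone": "telephoneNumber",
    "email": "mail",
    "identifier": "employeeID",
    "description": "description",
    "user_group": "usergroup",
}

# User Name and Name are mandatory on the page; the rest are marked Optional.
REQUIRED = ("user_name", "name")


def map_sso_user(attrs, rule):
    """Map one SSO user's attributes to Cloud user attributes.

    Missing optional attributes are skipped; a missing required attribute is an
    error, because a user without a username cannot be created on the Cloud.
    """
    mapped = {}
    for cloud_attr, sso_attr in rule.items():
        value = attrs.get(sso_attr)
        if value is None or value == "":
            if cloud_attr in REQUIRED:
                raise ValueError(
                    f"required Cloud attribute '{cloud_attr}' maps to SSO attribute "
                    f"'{sso_attr}', which is missing for this user")
            continue
        mapped[cloud_attr] = value
    # User groups may arrive as a list or as a comma-separated string.
    groups = mapped.get("user_group", [])
    if isinstance(groups, str):
        groups = [g.strip() for g in groups.split(",") if g.strip()]
    mapped["user_group"] = list(groups)
    return mapped


def sync_users(attr_sets, rule):
    """Map a batch of SSO users and enforce that the mapped username is unique."""
    users, seen = [], set()
    for attrs in attr_sets:
        user = map_sso_user(attrs, rule)
        if user["user_name"] in seen:
            raise ValueError(
                f"username '{user['user_name']}' is not unique: choose an SSO attribute "
                "that uniquely identifies the user")
        seen.add(user["user_name"])
        users.append(user)
    return users


def resolve_user_groups(mapped_groups, cloud_groups):
    """Return the Cloud group ids the user joins, plus warnings for ambiguous names.

    cloud_groups is a list of (group_id, group_name). As the page notes, when
    several Cloud groups share a mapped name the user joins all of them.
    """
    joined, warnings = [], []
    for name in mapped_groups:
        matches = [gid for gid, gname in cloud_groups if gname == name]
        if len(matches) > 1:
            warnings.append(
                f"user group name '{name}' matches {len(matches)} Cloud groups; "
                "the user will join all of them (rename or delete the extras)")
        joined.extend(matches)
    return joined, warnings


if __name__ == "__main__":
    user = map_sso_user(SSO_ATTRIBUTES, MAPPING_RULE)
    print(user)
    print(resolve_user_groups(user["user_group"],
                              [("g1", "group-1"), ("g2", "group-1"), ("g3", "group-2")]))
```

The warning path in `resolve_user_groups` is the situation the note describes: because group membership is what grants project permissions to the synced user, an ambiguous group name should be resolved (rename or delete the duplicate group) before the user first logs in.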

Add a CAS Server

On the displayed page, set the following parameters:
  1. Type: Select CAS.
  2. Server Configurations: Set the basic information and configuration of a CAS server.
    Set the following parameters:
    • Name: Enter a name for the CAS server.
    • Description: Optional. Enter a description for the CAS server.
    • Type: CAS is displayed.
    • Configuration Info: To configure the required information of synchronizing a CAS authentication server, set the following parameters:
      • Server Login URL: Enter the login address of the CAS authentication server, for example, https://sso.cloud.com/login.
      • Server Login Prefix: Enter the prefix of the CAS authentication server address, for example, https://sso.cloud.com/.
      • Cloud API URL: Enter the Cloud API URL. IP addresses, domain names, or reverse proxy addresses are supported. The system will automatically process it by default.
    Figure 14. CAS Server Configuration


  3. Synchronize Mapping Rule: Specify user mapping rules for a CAS authentication server.
    Set the following parameters:
    • User Mapping Rule: Through the mapping rule, the SSO user has local user attributes after it is synced to the Cloud. The rule is used to map SSO attributes of an SSO user to Cloud attributes.
      • User Name: Specify a rule to map the attribute of CAS users to the username of Cloud users. The username is the unique identification of a user. Make sure that the username that you fill in also has a unique identity in the authentication system.

        For example: If a User Name maps username, the User Name whose user is synced to the Cloud can use the value (such as John) matching username.

      • Name: Specify a rule to map the attribute of CAS users to the name of Cloud users.

        For example: If a Name maps name, the Name whose user is created in the Cloud can use the value (such as Jack) matching name.

      • Mobile Phone: Optional. Specify a rule to map the attribute of CAS users to the mobile phone of Cloud users.

        For example: If a Mobile Phone maps telephoneNumber, the Mobile Phone whose user is created in the Cloud can use the value (such as 13800000000) matching telephoneNumber.

      • Email: Optional. Specify a rule to map the attribute of CAS users to the email of Cloud users.

        For example: If an Email maps mail, the Email whose user is created in the Cloud can use the value (such as xxx@xxx.xx) matching mail.

      • Identifier: Optional. Specify a rule to map the attribute of CAS users to the identifier of Cloud users.

        For example: If an Identifier maps employeeID, the Identifier whose user is created in the Cloud can use the value (such as 001) matching employeeID.

      • Description: Optional. Specify a rule to map the attribute of CAS users to the description of Cloud users.

        For example: If a Description maps description, the Description whose user is created in the Cloud can use the value (such as dev-backend) matching description.

    Figure 15. Synchronize Mapping Rule


  4. Preview: Confirm the relevant information and configuration of the CAS server to be added.
    Figure 16. Preview


    Click Complete to add a CAS server and synchronize SSO user information.

Add a SAML Server

On the displayed page, set the following parameters:
  1. For server type, select SAML.
  2. Server Configurations: Set the basic information and configurations of a SAML server.
    Set the following parameters:
    • Name: Enter a name for the SAML server.
    • Description: Optional. Enter a description for the SAML server.
    • Type: SAML.
    • Cloud API URL: The URL used to redirect to the Cloud platform when the authentication server is certified.
      Note:
      • If the Cloud platform API service uses a reverse proxy, replace only the original address and port with the proxied ones while keeping the path and parameters.
        Example:
        • Original: https://192.168.1.100:8080/api/auth/callback
        • With reverse proxy: https://api.example.com:8443/api/auth/callback
      • This URL must match the callback address configured on the authentication server.
    • Cloud UI URL: The redirect template for password-free login within the Cloud platform.
      Note:
      • If the Cloud platform UI address uses a reverse proxy, replace only the original address and port with the proxied ones while keeping the path and parameters.
        Example:
        • Original: https://192.168.1.200:80/login/sso?token=<token>
        • With reverse proxy: https://portal.example.com/login/sso?token=<token>
      • This template directly affects login redirection. Incorrect configuration will cause SSO failure.
    • IdP Metadata: Upload the metadata file obtained from the Identity Provider (IdP). This file includes the IdP's login service URL and X.509 public key certificate, which are used to verify the validity of SAML assertions issued by the IdP.
    Figure 17. Configure a SAML Server


  3. Synchronize Mapping Rules: Specify user mapping rules for a SAML authentication server.
    Set the following parameters:
    • User Mapping Rule: Through the mapping rule, the SSO user has local user attributes after it is synced to the Cloud. The rule is used to map SSO attributes of an SSO user to Cloud attributes.
      • User Name: Specify a rule to map the attribute of SAML users to the username of Cloud users. The username is the unique identification of a user. Make sure that the username that you fill in also has a unique identity in the authentication system.

        For example: If a User Name maps username, the User Name whose user is synced to the Cloud can use the value (such as John) matching username.

      • Name: Specify a rule to map the attribute of SAML users to the name of Cloud users.

        For example: If a Name maps name, the Name whose user is created in the Cloud can use the value (such as Jack) matching name.

      • Mobile Phone: Optional. Specify a rule to map the attribute of SAML users to the mobile phone of Cloud users.

        For example: If a Mobile Phone maps telephoneNumber, the Mobile Phone whose user is created in the Cloud can use the value (such as 13800000000) matching telephoneNumber.

      • Email: Optional. Specify a rule to map the attribute of SAML users to the email of Cloud users.

        For example: If an Email maps mail, the Email whose user is created in the Cloud can use the value (such as xxx@xxx.xx) matching mail.

      • Identifier: Optional. Specify a rule to map the attribute of SAML users to the identifier of Cloud users.

        For example: If an Identifier maps employeeID, the Identifier whose user is created in the Cloud can use the value (such as 001) matching employeeID.

      • Description: Optional. Specify a rule to map the attribute of SAML users to the description of Cloud users.

        For example: If a Description maps description, the Description whose user is created in the Cloud can use the value (such as dev-backend) matching description.

      • User Group: Optional. Specify a rule to map the user group of an SSO server to the user group of the Cloud.

        For example: If a User Group maps usergroup, the User Group created in the Cloud can use the value (such as group-1, group-2) matching usergroup.

        Note: If the Cloud has multiple user groups that share the same name as the mapped user group, the SSO user will directly join the existing user groups after logging in to the Cloud. If you do not want the synced user to be added to multiple user groups, you can edit the user group name or delete unnecessary user groups.
    Figure 18. Set Mapping Rules


  4. Preview: Confirm the relevant information and configuration of the SAML server to be added.
    Figure 19. Preview


  5. Click Complete to add a SAML server.
  6. On the SSO page, click Download to get the SAML SP metadata file. This file is used to configure the Cloud platform as a trusted SAML service provider on the IdP side.
    Figure 20. Download SAML SP Metadata


Manage an SSO Server

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Single Sign On. Then, the Single Sign On page is displayed.

Manage an AD/LDAP Server

The following table lists the actions that you can perform on an AD/LDAP server.
Action | Description
Edit SSO Server | Edit the name and description of an SSO server.
Synchronize SSO Server | Synchronizing the SSO server reacquires the latest user list and organization structures.
  Note: After synchronization, users that no longer exist on the SSO server are placed into the Deleted state and cannot be used to log in to the Cloud.
Test Connection | Test the connection to an SSO server. If the connection test fails, the possible reasons are as follows:
  • The SSO server cannot be reached at the configured IP address and port. Check whether the SSO server is working properly and whether its IP address or port has changed.
  • Binding with the user DN or password fails. Replace them with the latest user DN and password that has the permission to query all users within the base.
Delete SSO Server | Delete an SSO server.
  Note: Deleting an SSO server also deletes the related SSO user information. The source user and organization information is not affected.

Manage an OIDC/OAuth2/CAS/SAML Server

The following table lists the actions that you can perform on an OIDC/OAuth2/CAS/SAML server.
Action | Description
Edit Name and Description | Edit the name and description of an SSO server.
Delete SSO Server | Delete an SSO server.
  Note: Deleting an SSO server also deletes the related SSO user information. The source user and organization information is not affected.

Configure SSO

Configure SSO Using Google

In this section, we will show you how to use Google as an identity provider (IdP) in ZStack Cube Ultimate.

Prerequisites

You will need the following resources or permissions to proceed with this section:
  • An admin permission on Google console. For more information, refer to Google Cloud Documentation.
  • A valid Tenant Management plus license is required.

Procedure

  1. Get OAuth 2.0 client credentials.
    1. Open the Google Cloud console, and then on the Credentials page, choose Create credentials.
    2. Choose OAuth client ID.
    3. On the Create OAuth Client ID page, for Application type, choose Web application.
    4. For name, enter a name for your OAuth client ID.
    5. In the OAuth client dialog box, note the client ID and client secret to use in a later step.
  2. Add SSO Server on ZStack Cube Ultimate.
    1. Log in to ZStack Cube Ultimate.
    2. On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Single Sign-On > Add SSO Server.
    3. On the Select Server Type dialog box, choose OAuth2, and then click OK.
    4. On the Add SSO Server page, there are three steps to finish: server configurations, synchronize mapping rules, and preview.
      1. Under Server Configurations, enter the following information:
        • For Identity Provider, choose Default.
        • For Client ID, enter the client ID that you noted.
        • For Client Secret, enter the client secret that you noted.
        • For Scope, enter the value from scopes_supported, for example, openid, email, and profile.
        • For Authorization Request URL, enter https://accounts.google.com/o/oauth2/v2/auth.
        • For Token Request URL, enter https://oauth2.googleapis.com/token.
        • For Userinfo Request URL, enter https://openidconnect.googleapis.com/v1/userinfo.
      2. Under Synchronize Mapping Rule, map the Local Attributes to the Google Attributes.
      3. Under Preview, check your configuration and click Complete.
    5. After you successfully add the SSO server, copy the Password-free Login URL.
  3. Configure OAuth 2.0 client credentials.
    1. Open the Google Cloud console, and then on the Credentials page, click the name of the OAuth 2.0 client ID.
    2. Under Authorized redirect URIs, click the Add URI button.
    3. For Authorized redirect URIs, enter the Password-free Login URL that you obtained from ZStack Cube Ultimate.
  4. Assign a role to the SSO user or join a project.
    1. Log in to ZStack Cube Ultimate.
    2. On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > User > SSO User.
    3. On the SSO User page, select the synchronized SSO user and click Actions > Join Project.
    4. On the Join Project dialog box, choose a project and project role for the SSO user and then click OK.

What to do next

Now, you have completed the SSO configurations. You can access ZStack Cube Ultimate by entering the Password-free Login URL in a browser.
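
The Google procedure above fills in the same OAuth2 server fields described earlier (Client ID, Client Secret, Scope, the three request URLs and the Cloud API callback URL) and requires the callback URL registered at Google to match exactly. The following added Python example (not ZStack or Google code) shows what those fields are used for in an authorization-code login: it applies the reverse-proxy rewrite to the callback URL, builds the authorization request with a random `state`, checks an incoming callback against the registered callback URL and the expected `state`, and assembles the token request. The client ID and secret are placeholders; the callback and proxied addresses are the page's own example values. It runs offline and sends nothing.

```python
# Added example: how the OAuth2 server fields are used in an authorization-code login.
# Not ZStack or Google code. CLIENT_ID/CLIENT_SECRET are placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

OAUTH2_SERVER = {
    "client_id": "<CLIENT_ID>",          # placeholder: noted from the OAuth client dialog
    "client_secret": "<CLIENT_SECRET>",  # placeholder
    "scope": "openid email profile",
    "authorization_url": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_url": "https://oauth2.googleapis.com/token",
    "userinfo_url": "https://openidconnect.googleapis.com/v1/userinfo",
    # Cloud API URL before the reverse proxy, as in the page's example
    "cloud_api_url": "https://192.168.1.100:8080/api/auth/callback",
}


def proxied_url(url, proxied_netloc):
    """Page rule: replace only host and port, keep scheme, path and query."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, proxied_netloc, parts.path, parts.query, parts.fragment))


def new_state():
    """Unguessable per-login value that ties the callback to this request (CSRF defence)."""
    return secrets.token_urlsafe(24)


def authorization_request(cfg, redirect_uri, state):
    """URL the browser is sent to (Authorization Request URL plus query parameters)."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "scope": cfg["scope"],
        "state": state,
    }
    return cfg["authorization_url"] + "?" + urlencode(params)


def parse_callback(callback_url, registered_redirect_uri, expected_state):
    """Validate the callback the authorization server redirected to and return the code."""
    parts = urlsplit(callback_url)
    received = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if received != registered_redirect_uri:
        raise ValueError("callback did not arrive on the registered Cloud API URL")
    q = parse_qs(parts.query)
    if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: response does not belong to a request we issued")
    if "error" in q:
        raise ValueError("authorization server returned error: " + q["error"][0])
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def token_request(cfg, code, redirect_uri):
    """Form body POSTed to the Token Request URL; redirect_uri must repeat the one used above."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }


if __name__ == "__main__":
    redirect = proxied_url(OAUTH2_SERVER["cloud_api_url"], "api.example.com:8443")
    state = new_state()
    print(authorization_request(OAUTH2_SERVER, redirect, state))
    code = parse_callback(redirect + "?code=4%2FxyZ&state=" + state, redirect, state)
    print(token_request(OAUTH2_SERVER, code, redirect))
```

The `registered_redirect_uri` comparison is the programmatic form of the page's "this URL must match the callback address configured on the authentication server": Google rejects the request when the `redirect_uri` it receives differs from an authorized redirect URI, and the client side should be just as strict about where it accepts codes.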

Project

Create a Project

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Project Management > Project. On the Project page, click Create Project. Then, the Create Project page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the project.
  • Description: Optional. Enter a description for the project.
  • Project Configuration: You can choose manual or project template for the project configuration.
    If you choose Manual for the project configuration, set the following parameters:
    • Quota Setting: Specify quota settings to control the total resources in the project.
      • Compute Resource: including memory and the number of VM instances, running VM instances, CPUs, GPU devices, elastic baremetal instances, and VM scheduling policies.
      • Storage Resource: including the number of data volumes, volume snapshots, and images, available storage capacity, total image size, backup data, and available backup capacity. Notice that the Backup Service Plus License is required for the quota settings of backup data and available backup capacity.
      • Network Resource: including the number of VXLAN networks, L3 networks, security groups, VIPs, EIPs, port forwarding, load balancers, and listeners.
      • Other: including the number of scheduled jobs, schedulers, resource alarms, event alarms, endpoints, and tags.
      Figure 1. Quota Setting


    If you choose Project Template for the project configuration, set the following parameters:
    • Project Template: If you choose the project template for the project configuration, you need to select an existing project template, which is used to directly apply the quota settings defined in that template for the project.
      Figure 2. Project Template


  • Zone: Specify a zone to which the project belongs, and a project can only belong to one zone.
  • Reclaim Policy: Default value: Unlimited. You can also select Reclaim by specifying time or Reclaim by specifying cost.
    • Unlimited:

      After you create a project, resources within the project will be in the enabled state by default.

    • Reclaim by specifying time:
      • When a project is less than 14 days from its expiration date, a project member receives a reminder that the project is about to expire after logging in to the Cloud.
      • After the project expires, resources within the project are reclaimed according to the specified reclaim policy.
      To reclaim by specifying time, you need to set the following parameters:
      • Deadline: Set a deadline for the project.
      • Reclaim Policy: Three reclaim policies are supported:
        • Disable Project Member Login: After the project is expired, all project members are prohibited from logging in to the project, and the resources (VM instances and VPC vRouters) in the project are still running normally.
        • Disable Project Member Login and Stop Project Resource: After a project is expired, all project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        • Delete Project: A project is deleted after expiration, and the project is in the Deleted status. All project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        Note: After the VPC vRouter in the project is stopped, the network services it provides will stop correspondingly, and VM instances cannot access the external network.
    • Reclaim by specifying cost

      A project is expired when the project total spending reaches the maximum limit. After the project is expired, the resources within the project will be reclaimed according to the specified reclaim policy.

      To reclaim by specifying cost, you need to set the following parameters:
      • Spending Limit: Set a spending limit for the project.
      • Reclaim Policy: Three reclaim policies are supported:
        • Disable Project Member Login: After the project is expired, all project members are prohibited from logging in to the project, and the resources (VM instances and VPC vRouters) in the project are still running normally.
        • Disable Project Member Login and Stop Project Resource: After the project is expired, all project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        • Delete Project: A project is deleted after expiration, and the project is in the Deleted status. All project members are prohibited from logging in to the project, and all the resources (VM instances and VPC vRouters) in the project are in the stopped state.
        Note: After the VPC vRouter in the project is stopped, the network services it provides will stop correspondingly, and VM instances cannot access the external network.
  • Access Control: Optional. You can specify time periods during which project members are allowed or prohibited to log in to the project.
    If not set, project members can log in to the project at any time. You can configure the access control by setting the login allowed time and login prohibited time.
    • Login Allowed Time: You can set the time when members in the project can log in to the project by day or week. After setting, the project members can log in to the project only during the login allowed time period.
    • Login Prohibited Time: You can set the time when members in the project cannot log in to the project by day or week. After setting, the project members cannot log in to the project during the login prohibited time period.
    Note:
    • If the time period you set is earlier than or includes the current platform time, the access control policy takes effect in the next time period.
    • If you apply both the reclaim policy and access control policy, the reclaim policy has a higher priority.
  • Project Admin: Optional. Assign a corresponding user as the project admin.
  • Member: Optional. Add relevant users into the project as project members.
  • Department: Optional. Attach the project to a department, and then billing is made by department.
  • Pricing List: Optional. Select the pricing list used by the project. If not specified, the default pricing list is applied.
  • Security Group Constraint: By default, the security group constraint is disabled. If you enable security group constraint, when a project member creates a VM instance, the VM instance must have one or more security groups attached.
    Note:
    • Before you can enable security group constraint for the project, make sure that the project security group quota is set to 1 or higher.
    • If you enable the security group constraint for the project, a default security group is created when the project is created.
    • You can use the Project Security Group Constraint setting in Global Setting to make the setting take effect globally. By default, the Project Security Group Constraint setting is disabled. If you enable the setting, the security group constraint is enabled by default for newly created projects.
    • Rule: Optional. If you enable the security group constraint for the project, you can directly set the rules of security group when you create the project, or set the rules later.
Figure 3. Create Project
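
The Access Control parameter and its two notes define a small decision procedure: login allowed and login prohibited windows by day or week, a newly set window that is earlier than or includes the current platform time taking effect only in the next period, and the reclaim policy outranking access control. The following added Python example (not ZStack code) encodes that procedure against a constructed sample policy so the interaction of the rules can be checked. The window representation, the precedence of prohibited over allowed windows, and the "next period" computation are assumptions about semantics the page states only in prose.

```python
# Added example: evaluating project Access Control windows together with the reclaim policy.
# Not ZStack code; the window format and precedence rules are assumptions.
from datetime import datetime, time, timedelta

# A window is (weekday, start, end): weekday 0=Monday..6=Sunday, or None for every day;
# start/end are "HH:MM" strings. Constructed sample policy: logins allowed 08:00-20:00
# every day, prohibited all day on Saturday and Sunday.
ALLOWED_TIMES = [(None, "08:00", "20:00")]
PROHIBITED_TIMES = [(5, "00:00", "23:59"), (6, "00:00", "23:59")]


def in_window(window, when):
    weekday, start, end = window
    if weekday is not None and when.weekday() != weekday:
        return False
    return time.fromisoformat(start) <= when.time() <= time.fromisoformat(end)


def login_permitted(when_iso, allowed, prohibited, project_expired=False):
    """Decide whether a project member may log in at the given ISO timestamp.

    Order of evaluation (page note: reclaim policy has priority over access control;
    prohibited beating allowed is an assumption): expired project, prohibited
    windows, then allowed windows when any are configured.
    """
    when = datetime.fromisoformat(when_iso)
    if project_expired:
        return False, "project expired: the reclaim policy takes priority over access control"
    if any(in_window(w, when) for w in prohibited):
        return False, "inside a login prohibited time"
    if allowed and not any(in_window(w, when) for w in allowed):
        return False, "outside the login allowed time"
    return True, "login allowed"


def effective_from(window, now_iso):
    """First moment a newly configured window applies.

    Page note: a window that is earlier than or includes the current platform time
    takes effect in the next period, so an occurrence whose start has already
    passed is skipped.
    """
    now = datetime.fromisoformat(now_iso)
    weekday, start, _ = window
    for offset in range(8):
        day = (now + timedelta(days=offset)).date()
        if weekday is not None and day.weekday() != weekday:
            continue
        candidate = datetime.combine(day, time.fromisoformat(start))
        if candidate > now:
            return candidate.isoformat(timespec="minutes")
    raise RuntimeError("window has no occurrence within the next week")


if __name__ == "__main__":
    for ts in ("2024-06-10T12:00", "2024-06-10T22:00", "2024-06-15T12:00"):
        print(ts, login_permitted(ts, ALLOWED_TIMES, PROHIBITED_TIMES))
    print("daily 08:00 window set at Monday noon applies from",
          effective_from(ALLOWED_TIMES[0], "2024-06-10T12:00"))
```

Because the reclaim policy wins, an expired project denies login even inside an allowed window; conversely, restoring an expired project (Restore Expired Project) re-enables the access-control evaluation rather than bypassing it.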


Manage a Project

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Project Management > Project. Then, the Project page is displayed.

The following table lists the actions that you can perform on a project.
Action | Description
Create Project | Create a project.
Edit Project | Edit the name and description of a project.
Enable Project | Enable a disabled project.
Disable Project | Disable an enabled project.
Restore Expired Project | Restore an expired project. After an expired project is restored, project members can log in to the project again and the resources in the project work properly.
Set Access Control | Specify time periods during which project members are allowed or prohibited to log in to the project.
Generate Project Template | Generate a project template from an existing project. When creating a project, you can use a project template to set project quotas.
Add Project Member | Add one or more users to a project.
Set Project Admin | Specify a user as the project admin.
Set Department | After a project is attached to a department, you can view department bills. Removing the department also removes the project bills from the department bills.
Change Pricing List | Change the pricing list of a project; subsequent bills are calculated according to the latest pricing list.
Disable All Resources | Disabling the resources of a project disables all VM instances and vRouter resources in the project. Proceed with caution.
Delete Project | Delete a project.
  • After a project is deleted, the project is placed into the Deleted state. Project members in this project cannot log in to the Cloud, and all resources within the project, including VM instances and VPC vRouters, are disabled.
  • After the VPC vRouters in this project are stopped, all network services running on these vRouters stop, and VM instances cannot reach the outside network.

Project Details

Project Associated Resource

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Project Management > Project. On the Project page, click the name of a project and enter its details page. On the details page, click Member. Then, the Member tab page is displayed.

The following table lists the actions that you can perform on a project member.
Action | Description
Add Project Member | Add users as project members.
Remove Project Member | Remove project members from a project.
Modify Role | Modify the roles of a project member.

Click User Group and enter the User Group tab page.

The following table lists the actions that you can perform on a user group.
Action | Description
Add User Group | Add user groups to projects.
Remove User Group | Remove user groups from projects.
Modify Role | Modify the roles of a user group.

Click Associated Resource and enter the Associated Resource tab page.

VM Instance

This page displays the list of VM instances created within the current project. Click the corresponding operation buttons to perform various operations related to the VM instances. For more information, see Manage a VM Instance.

Volume

This page displays the list of volumes created within the current project. Click the corresponding operation buttons to perform various operations on the volumes. For more information, see Manage a Data Volume.

Security Group

This page displays the list of security groups created within the current project. Click the corresponding operation buttons to perform various operations on the security groups. The following table lists the actions that you can perform on a security group.
Action | Description
Enable Security Group | Enable a security group. Once the security group is enabled, all security group rules and related services are activated.
Edit Security Group | Change the name and description of a security group.
Disable Security Group | Disable a security group. Once a security group is disabled, all security group rules and related services are deactivated.
Delete Security Group | Delete a security group. Once a security group is deleted, all security group rules and related services are removed automatically.
  Note: If the project has the security group constraint switch enabled:
  • Before deleting the project's default security group, make sure you disable the security group constraint switch.
  • Before deleting a project's custom security group, make sure you disassociate the NICs from this security group or disable the security group constraint switch.

VPC vRouter

This page displays the list of VPC vRouters created within the current project. Click the corresponding operation buttons to perform various operations on the VPC vRouters. For more information, see Manage a VPC vRouter.

Process Management

Create a Ticket Process

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Ticket Approval > Process Management. On the Process Management page, click Create Ticket Process. Then, the Create Ticket Process page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the ticket process.
  • Description: Optional. Enter a description for the ticket process.
  • Project: Select a project for the ticket process.
  • Ticket Type: Select one or more ticket types for the ticket process. Valid values: Apply for VM Instance, Delete VM Instance, and Modify VM Configuration.
    Note:
    • You can use the same ticket process for multiple ticket types, including Apply for VM Instance, Delete VM Instance, and Modify VM Configuration.
    • Tickets of the same ticket type correspond to one ticket process.
  • Process Setting: Display the details of the ticket process.
    The initial process setting interface includes two basic steps: Submit Ticket and Execution Flow. You can select admin, project admin, or department manager as the approver of the execution flow.
    • Execution Flow: Select an approver. Valid values: admin, project admin, and department manager.
      Note:
      • When admin is selected as the approver of the execution flow, you need to add a flow in the process setting. When project admin or department manager is selected, you can skip adding a flow in the process setting.
      • For tickets that apply for VM instances, admin can configure advanced settings by clicking Advanced Deployment, while project admin cannot configure advanced settings.
    You can add a flow by clicking the plus sign in the process setting. Set the following parameters:
    • Flow Name: Enter a name for the added flow.
    • Approver: Select an approver for the ticket. You can select an approver from the specified project.
    Note: You can delete a flow by clicking the delete sign to the right of the Flow Name.
Figure 1. Create Ticket Process


Manage a Ticket Process

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Ticket Approval > Process Management. Then, the Process Management page is displayed.

The following table lists the actions that you can perform on a ticket process.
Action | Description
Create Ticket Process | Create a ticket process.
Edit Ticket Process | Edit the name and description of a ticket process.
Enable Ticket Process | Enable a disabled ticket process.
Disable Ticket Process | Disable an enabled ticket process. After a ticket process is disabled, you cannot perform actions on its unfinished tickets until the ticket process is enabled again.
Modify Ticket Process | Add or delete one or more ticket types and ticket flows.
  Note:
  • After an enabled ticket process is modified, its tickets are automatically re-submitted using the modified custom ticket process.
  • After a disabled ticket process is modified, you need to re-submit the tickets using the modified custom ticket process.
  • Deleting a ticket type from the ticket process is equivalent to deleting the custom ticket process of that ticket type. After the modification, the affected tickets are automatically re-submitted according to the default process.
  • Adding a ticket type to the ticket process is equivalent to creating a custom ticket process for that ticket type. After the modification, the affected tickets are re-submitted according to the modified custom ticket process.
Delete Ticket Process | After a ticket process is deleted, the projects using this process use the default process (Submit->admin). All tickets associated with this process are resubmitted based on the default process.

My Approval

On the main menu of ZStack Cube Ultimate, choose Operational Management > Tenant Management > Ticket Approval > My Approval. Then, the My Approval page is displayed.

On the My Approval page, there are three tabs: Pending, Resolved, and Archived.
  • Pending:

    This tab displays pending tickets that can be approved or rejected.

  • Resolved:

    This tab displays resolved tickets, including approved or rejected tickets.

  • Archived:

    This tab displays archived tickets. When a project member deletes a resolved ticket, admin can view this ticket on the Archived tab.

Admin can approve or reject a ticket on the My Approval page.
  • Approve: Approve a ticket. The Cloud automatically creates resources for the applicant according to the applied configuration.
    Note: When deploying resources, admin can set advanced configurations on resources.
  • Reject: Reject a ticket with remarks.

Billing Management

What is Billing Management?

ZStack Cube Ultimate provides a quasi-public cloud billing experience. You can customize the unit price for different resources by using a pricing list and obtain related bills after you associate the pricing list with a project or an account. Currently, the following resources in the Cloud can be billed: CPU, memory, root volume, data volume, GPU device, elastic baremetal instances, public IP (VM IP), and public IP (VIP).

Concepts

  • Pricing list: A pricing list is a list of unit prices of different resources. The unit price of a resource is set based on the specification and usage time of the resource.
  • Bill: A bill is the expense of resources totaled at a specified time period. Billing is accurate to the second. Bills can be categorized into project bills, department bills, and account bills.

Characteristics

ZStack Cube Ultimate Billing Management has the following characteristics:
  • You can centrally and efficiently manage the unit price of a group of resources by using a pricing list.
  • A pricing list includes the unit price of multiple resources. You can set a unit price for root volumes and data volumes, respectively, by disk performance.
  • You can create multiple pricing lists and use separate pricing lists for projects and accounts. Note that you can associate a pricing list with multiple projects and accounts.
  • After you configure a pricing list, bills can be generated in real time by account.
  • After you configure a pricing list, bills can be generated in real time by project. You can also add the project to a department. Then, bills are generated by department.
  • You can customize the time when the billing details are generated. You can also view the billing details by resource.
  • You can set the currency symbol displayed on the UI by modifying the value of Currency Symbol in the global setting. Default value: ¥. Valid values: ¥, $, €, £, A$, HK$, ¥, CHF, C$, and Rp.

Billing Mechanism

  • If you disable Billing in the global setting, the system stops billing resources and bills are no longer generated.
  • If a VM instance is deleted but not expunged, the compute resources (memory and CPU) and IP resources that the VM instance occupied are released but storage resources are still occupied. Therefore, CPU, memory, and public IP resources are not billed but the root volume is still billed.
  • If a VM instance is stopped, the compute resources of the VM instance are released but the storage and IP resources are still occupied. Therefore, CPU and memory resources are not billed but the root volume and public IP resources are still billed.
  • Elastic baremetal instances are created from and function based on baremetal nodes. If you power off and release a baremetal node, the system stops billing the associated elastic baremetal instance.
  • If a volume is deleted but not expunged, the storage resources are still occupied. Therefore, the data volume is still billed. If the volume is expunged, the system stops billing the volume.
  • A public IP address is billed based on the bandwidth consumed by the IP address. You need to set QoS for public IPs (VIPs) or public IPs (VM IPs) before you can set unit prices for the public IP addresses.
  • Uninstantiated volumes are not billed. If you instantiate a volume, the volume is billed even if the volume is not attached to a VM instance.
  • If you change the owner of a resource, the bills generated for the resource usage before the owner change are retained in the previous account or project, and the bills generated for the resource usage after the owner change are retained in the new account or project.
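As an added example (not ZStack's own code), the following Python models the billing rules above: unit prices expressed per time unit (month = 30 days) are normalised to per-second rates, and the resources that accrue charges depend on the VM state (running, stopped, deleted but not expunged, expunged). The prices, quantities and lifecycle are constructed sample values; the resource names are hypothetical labels, not platform identifiers.

```python
"""Reference model of the per-second billing mechanism (added example, not ZStack code).

Prices, quantities and the VM lifecycle below are constructed sample values;
the resource-per-state table encodes the rules stated under "Billing Mechanism".
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Time units a unit price can be expressed in; a month is 30 days, as on the page.
SECONDS_PER = {
    "second": 1, "minute": 60, "hour": 3600,
    "day": 86400, "week": 7 * 86400, "month": 30 * 86400,
}


@dataclass(frozen=True)
class UnitPrice:
    price: float      # 0 to 10000, up to five decimal places
    time_unit: str    # a key of SECONDS_PER

    def per_second(self) -> float:
        """Billing is accurate to the second, so normalise every price to a per-second rate."""
        if not 0 <= self.price <= 10000:
            raise ValueError("price must be between 0 and 10000")
        return self.price / SECONDS_PER[self.time_unit]


# Which resources of a VM instance keep accruing charges in each state:
#   running : compute, storage and IP are all occupied and billed
#   stopped : compute released -> only root volume and public IP billed
#   deleted : (not expunged) compute and IP released -> only root volume billed
#   expunged: nothing is billed
BILLED_IN_STATE = {
    "running": {"cpu", "memory", "root_volume", "public_ip"},
    "stopped": {"root_volume", "public_ip"},
    "deleted": {"root_volume"},
    "expunged": set(),
}


def vm_bill(pricing: Dict[str, UnitPrice], quantities: Dict[str, float],
            timeline: List[Tuple[int, str]], end: int) -> Dict[str, float]:
    """Total charge per resource for one VM instance.

    pricing    : resource -> unit price (per unit of the resource, per time unit)
    quantities : resource -> units the instance holds (cores, GB, Mbps of QoS bandwidth)
    timeline   : ordered (epoch_seconds, state) transitions
    end        : epoch second at which the bill is cut
    """
    charges = {res: 0.0 for res in pricing}
    for i, (start, state) in enumerate(timeline):
        stop = timeline[i + 1][0] if i + 1 < len(timeline) else end
        seconds = max(0, min(stop, end) - start)
        for res in BILLED_IN_STATE[state]:
            if res in pricing:
                charges[res] += pricing[res].per_second() * quantities.get(res, 0.0) * seconds
    # Round to the five decimal places a unit price can carry.
    return {res: round(value, 5) for res, value in charges.items()}


# Constructed sample pricing list and lifecycle (hypothetical values).
SAMPLE_PRICING = {
    "cpu": UnitPrice(3.6, "hour"),           # per core
    "memory": UnitPrice(1.8, "hour"),        # per GB
    "root_volume": UnitPrice(0.36, "hour"),  # per GB
    "public_ip": UnitPrice(36.0, "hour"),    # per Mbps of QoS bandwidth
}
SAMPLE_QUANTITIES = {"cpu": 2, "memory": 4, "root_volume": 50, "public_ip": 1}
# Running 1000 s, stopped 1000 s, deleted (not expunged) 1000 s, then expunged.
SAMPLE_TIMELINE = [(0, "running"), (1000, "stopped"), (2000, "deleted"), (3000, "expunged")]

if __name__ == "__main__":
    for res, total in vm_bill(SAMPLE_PRICING, SAMPLE_QUANTITIES, SAMPLE_TIMELINE, 4000).items():
        print(f"{res:12s} {total:10.5f}")
```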

Pricing List

Create a Pricing List

Create Pricing List

On the main menu of ZStack Cube Ultimate, choose Operational Management > Billing Management > Pricing List. On the Pricing List page, click Create Pricing List. Then, the Create Pricing List page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter a name for the pricing list.
  • Description: Optional. Enter a description for the pricing list.
  • Unit Price: Click Add Unit Price and add unit prices for resources.

    The resources include CPU, memory, root volume, data volume, GPU device, elastic baremetal instances, public IP of VM instance, and public VIP.

    • To set unit price for CPU, configure the following:
      • Price: 0 to 10000, accurate to five decimal places.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
    • To set unit price for memory, configure the following:
      • Price: 0 to 10000, accurate to five decimal places.
      • Resource Unit: MB, GB, and TB.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
    • To set unit price for root volume, configure the following:
      • Advanced: Configure advanced parameters in JSON format based on disk performance.
        Sample:
        {
            "priceUserConfig": {
                "priceKeyName": "Enter a value for the priceKeyName field."
            }
        }
        Note: Make sure the value of the priceUserConfig parameter is consistent with the configuration in the advanced parameter settings in the instance offering. Otherwise, bills cannot be generated.
      • Price: 0 to 10000, accurate to five decimal places.
      • Resource Unit: MB, GB, and TB.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
    • To set unit price for data volume, configure the following:
      • Advanced: Configure advanced parameters in JSON format based on disk performance.
        Sample:
        {
            "priceUserConfig": {
                "priceKeyName": "Enter a value for the priceKeyName field."
            }
        }
        Note: Make sure the value of the priceUserConfig parameter is consistent with the configuration in the advanced parameter settings in the disk offering. Otherwise, bills cannot be generated.
      • Price: 0 to 10000, accurate to five decimal places.
      • Resource Unit: MB, GB, and TB.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
    • To set unit price for GPU, configure the following:
      • GPU Type: Select Desktop GPU or Compute GPU.
      • GPU Model: Enter the model of the passed-through GPU.
      • Price: 0 to 10000, accurate to five decimal places.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
    • To set unit price for public IP, configure the following:
      • Resource Type: Select Public IP (VM IP) or Public IP (VIP).
        • If you select Public IP (VM IP), you can bill public IP addresses of VM instances that are created by using public networks. You can set QoS for VM NICs. Then the IP addresses are billed.
        • If you select Public IP (VIP), you can bill VIPs that are created by using public networks and are used to provide network services. You can set QoS for the VIPs. Then the VIPs are billed.
      • Upstream Bandwidth Price: 0 to 10000, accurate to five decimal places.
      • Downstream Bandwidth Price: 0 to 10000, accurate to five decimal places.
        Note: If you configure a unit price for public IP addresses, you must configure upstream bandwidth, downstream bandwidth, or both for the public IP addresses.
      • Resource Unit: Kbps, Mbps, and Gbps.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
      Note: VM public IP addresses and public VIPs are billed based on the consumed bandwidth resources. Before you configure unit prices for the public IP addresses, note that:
      • You need to set QoS for the public IP addresses.
      • IPv6 VIPs do not support billing.
    • To set unit price for elastic baremetal instance, configure the following:
      • Elastic Baremetal Offering: Select an elastic baremetal offering and set a unit price for the offering.
      • Price: 0 to 10000, accurate to five decimal places.
      • Time Unit: second, minute, hour, day, week, and month (30 days).
Figure 1. Create Pricing List




Access Control

Console Proxy

Console proxy allows you to log in to a VM instance by using the IP address of a proxy. You can view the information about the proxy used to launch your VM console.

  • The console proxy address only needs to be modified on the management node.
  • The address of default proxy is the IP address of the management node.
  • You can launch the VM console properly only when the state and status are Enabled and Connected, respectively.

AccessKey Management

An AccessKey pair is a security credential with which one party authorizes another party to call API operations and access its resources in the Cloud. AccessKey pairs must be kept confidential.

ZStack Cube Ultimate provides two types of AccessKey: local AccessKey and third-party AccessKey.
  • Local AccessKey:

    A local AccessKey pair consists of an AccessKey ID and an AccessKey secret. It is a security credential with which the Cloud authorizes a third-party user to call API operations and access its cloud resources. AccessKey pairs must be kept confidential. An AccessKey pair has the full permissions of its creator.

  • Third-party AccessKey:

    A third-party AccessKey pair consists of an AccessKey ID and an AccessKey secret. It is a security credential with which a third-party user authorizes the Cloud to call API operations and access its cloud resources. AccessKey pairs must be kept confidential.

Note:
  • An AccessKey is a key factor for the Cloud to authenticate API requests. We recommend that you keep your AccessKey confidential to maintain security.
  • If your AccessKey is at risk of leakage, we recommend that you delete it in time and create a new one.

IP Allowlist/Blocklist

An IP allowlist or blocklist identifies and filters IP addresses that access the Cloud. You can create an IP allowlist or blocklist to improve access control of the Cloud.
Note: You can enable the IP allowlist and blocklist feature as needed. To configure it, follow these steps:

Go to Settings > Platform Setting > Global Setting > Basic > Platform Policy > Platform Login Policy. Set IP Allowlist/Blocklist to true. By default, this setting is set to false.

How IP Allowlist and Blocklist Work

  • No IP allowlist or blocklist added: By default, login requests from any IP address are allowed.
  • Only blocklist added: IPs in the blocklist are denied access to the platform, while all other IPs are allowed.
  • Both allowlist and blocklist added: The allowlist takes precedence over the blocklist.
    • IPs in the allowlist are permitted to access the platform.
    • If the same IP is added to both the allowlist and blocklist, the allowlist takes precedence, allowing login requests from that IP.
Note:
  • If a login attempt is made from an IP address that is not allowed, the system will block the request during the login process.
  • If a load balancer forwards login requests to the platform, ensure that the X-Forwarded-For header is properly configured on the load balancer. If not configured, the platform cannot retrieve the actual client IP and will not be able to accurately allow or block access from that client.
  • The allowlist cannot be used independently. Before using it, ensure that at least one entry is added to the blocklist. Otherwise, the allowlist will not take effect.
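As an added example (not ZStack's own code), the following Python models the decision rules above together with the entry formats a list accepts (fixed IPs, IP ranges, IP/mask, comma separated, at most 100 entries), and shows how the real client IP is recovered from X-Forwarded-For behind a load balancer. It assumes that, when a blocklist exists, an IP found in neither list is allowed, and that the header is trusted only when the request arrives from a configured trusted proxy; the trusted proxy addresses and sample IPs are constructed.

```python
"""Reference model of the IP allowlist/blocklist decision (added example, not ZStack code).

Trusted proxy addresses and sample IPs used in tests are constructed values.
"""
import ipaddress
from typing import List, Optional, Tuple

# An entry covers an inclusive integer range of one IP version.
Entry = Tuple[int, int, int]  # (ip_version, first, last)
MAX_ENTRIES = 100             # a list supports up to 100 entries


def parse_entries(text: str) -> List[Entry]:
    """Parse a comma-separated string of fixed IPs, ranges (a-b) and IP/mask networks."""
    entries: List[Entry] = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            entries.append((net.version, int(net[0]), int(net[-1])))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"invalid IP range: {item}")
            entries.append((lo.version, int(lo), int(hi)))
        else:
            addr = ipaddress.ip_address(item)
            entries.append((addr.version, int(addr), int(addr)))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"a list supports at most {MAX_ENTRIES} entries")
    return entries


def contains(entries: List[Entry], addr: str) -> bool:
    """True when addr falls inside any entry of the same IP version."""
    a = ipaddress.ip_address(addr)
    return any(v == a.version and lo <= int(a) <= hi for v, lo, hi in entries)


def client_ip(peer: str, xff: Optional[str], trusted_proxies: List[Entry]) -> str:
    """Recover the real client address when a load balancer forwards the login.

    X-Forwarded-For is client-controlled up to the first trusted hop, so it is
    honoured only when the TCP peer is a trusted proxy, and it is walked from the
    right, skipping trusted proxies; the first untrusted hop is the client.
    Without a configured header the platform only ever sees the proxy's address.
    """
    if not xff or not contains(trusted_proxies, peer):
        return peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not contains(trusted_proxies, hop):
            return hop
    return peer  # every hop was a trusted proxy: nothing better than the peer


def login_allowed(addr: str, allowlist: List[Entry], blocklist: List[Entry]) -> bool:
    """Apply the precedence rules: allowlist beats blocklist, and a blocklist is required."""
    if not blocklist:
        return True  # no blocklist: every IP is allowed and an allowlist alone has no effect
    if contains(allowlist, addr):
        return True  # allowlist takes precedence, even if the IP is also blocklisted
    return not contains(blocklist, addr)  # assumption: IPs in neither list are allowed
```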

Add IP Allowlist and Blocklist

On the IP allowlist and blocklist page, you can choose to add an IP allowlist or an IP blocklist. The process is the same for both. The following section describes adding an IP blocklist.

On the main menu of ZStack Cube Ultimate, choose Operational Management > Access Control > IP Allowlist/Blocklist. On the IP Allowlist/Blocklist page, click Add IP Blocklist. Then, the Add IP Blocklist page is displayed.

On the displayed page, set the following parameters:
  • Name: Set a name for the IP blocklist.
  • Description: Optional. Enter a description for the blocklist.
  • IP Address: Enter the IP address to be added to the blocklist.
    Note:
    • You can enter fixed IP addresses, IP address ranges, and IP/mask formats. Separate multiple entries with ASCII commas (,).
    • You can add up to 100 entries.
Figure 1. Add IP Blocklist


You can perform the following actions on an IP allowlist or blocklist.
  • Add IP Allowlist/Blocklist: Add a new IP allowlist or blocklist.
    Note: Once added, the blocklist or allowlist takes effect immediately. IP addresses in the list are denied or allowed access to the platform. Proceed with caution.
  • Edit Name and Description: Edit the name or description of an existing IP allowlist or blocklist.
  • Delete IP Allowlist/Blocklist: Delete the selected IP allowlist or blocklist.
    Note: Once deleted, the allowlist or blocklist is no longer effective, and there are no IP restrictions for logging in to the platform. Proceed with caution.

Application Market

What is Application Market?

Application Market allows you to add applications to the Cloud and then access the applications with one click. It extends the functionality of the Cloud. You can add default applications through the built-in installation package or add more applications through URLs.

Default Application

Default applications are installed through built-in installation packages.
  • ZStack Cube Ultimate currently provides the following application packages:
    • ZStack Zaku Container Management: A simple and user-friendly container management service. After the installation, you can conveniently use container features on ZStack Cube Ultimate.
    • ZStack ZMigrate Migration Service: A hybrid cloud migration service designed for ZStack Cube Ultimate, helping smoothly and efficiently migrate VM instances from various sources, including private and public clouds, to ZStack Cube Ultimate.
    • ZStack Component Service Monitoring Suite: A monitoring suite helps visualize service process status of management and compute nodes, including UI service, monitoring collection service, zsha2 service, database service, host virtualization service, and host agent service.
    • ZStack DTS Data Transfer Service: A data transfer service that enables one-click data synchronization and migration between different databases, such as OLTP transaction databases (Oracle, MySQL, PostgreSQL, etc.), OLAP analytical databases (Greenplum, Hive, etc.), and NoSQL databases and message queues (MongoDB, Kafka, etc.).
    • All-in-One System O&M Platform (SysOM): An O&M platform that provides centralized system management functionalities, including host management, system monitoring, anomaly diagnosis, auditing, and real-time analysis.
    • Grafana: An open-source metric analysis and visualization suite that supports visualization of time series data from various data sources.
    • Kylin-V10-SP3: A new-generation self-reliant server operating system which provides inherent security, cloud-native support, and deep optimization for self-reliant platforms, featuring high performance and easy management.
    • ZStack CMP: A multi-cloud management platform that allows you to manage clusters distributed in different data centers in a unified way.
    • ZStack AI Model Platform: Provides one-stop AI model management services, supporting unified model management and one-click deployment.
  • In addition to the application packages provided by ZStack Cube Ultimate, you can develop your own application packages, upload them to the specified path of ZStack Cube Ultimate, and conveniently install the applications through Application Market.

More Application

Additional applications can be added to ZStack Cube Ultimate via URLs, allowing you to integrate applications beyond the default applications.

Install a Default Application

To install a default application, follow these steps:
  1. Download Application Image (Optional)
    • Generally, the system can automatically download the application image when installing the application. However, in the following scenarios, you need to manually download and upload application images in advance:
      • If you want to accelerate the application installation process, we recommend that you prepare the image in advance.
      • If your Cloud cannot access the Internet, you need to prepare the image in advance.
      • If you install ZStack Zaku, you need to prepare the image in advance.
    • You can click here to download the images of applications provided by ZStack Cube Ultimate.
  2. Upload Application Image (Optional)

    After downloading the application image manually, you need to upload it to the specified path, using the following as guidance.

    • Rename the image to image.qcow2 and upload it to the following path on your management node and ImageStore (create the path if it does not exist): /opt/zstack-marketplace-repo/{appName}/{Architecture}/{version}. For example, /opt/zstack-marketplace-repo/zstack_io_zaku/x86_64/3.3.0/image.qcow2
    • To ensure the correctness of the path and file name, we recommend that you contact the official technical support to execute this step.
  3. Install Application
    On the main menu of ZStack Cube Ultimate, choose Operational Management > Application Market > Default Application. On the Default Application page, locate an application and click Install Application. Then, the Install Application page appears.
    Note:
    • The parameters required for installing different applications may vary. This topic takes the installation of ZStack Zaku Container Management as an example. If you are installing another application, refer to its installation page for the actual parameters you need to configure.
    • Applications run in VM instances. When you install an application, the system creates VM instances to run it. Different applications may need different numbers of VM instances.
On the displayed page, set the following parameters:
  • Name: Enter a name for the application.
  • CPU Architecture: Select a CPU architecture.
  • Version: Select the application version. The system acquires the application image according to the CPU architecture and the version you select.
  • CPU: Set the CPU cores of the VM instance.
  • Memory: Set the memory size of the VM instance. Unit: MB, GB, and TB.
  • Image Storage: Select an image storage.
  • Network: Select a network for the VM instance.
    Note: Make sure that this network can communicate with the management node of ZStack Cube Ultimate.
  • Root Volume: Set the VM root volume size. Unit: MB, GB, and TB.
  • Primary Storage: Optional. Specify a primary storage for the VM root volume. If not specified, the system automatically assigns one.
  • Data Volume: Set the size of the first data volume attached to the VM instance. Unit: MB, GB, and TB.
  • Data Volume: Optional. Set the size of the second data volume attached to the VM instance. Unit: MB, GB, and TB.
    Note:
    • When installing ZStack Zaku Container Management, you must configure at least one data volume for the VM instance. Additionally, you can configure a second data volume specially for storing container images.
    • If you expect to use a large number of images or images with large sizes in ZStack Zaku, we recommend that you configure the second data volume. This prevents excessive image data from filling up the root volume and causing system errors.
  • Data Volume Primary Storage: Optional. Specify a primary storage for the VM data volumes. If not specified, the system automatically assigns one.
  • DevOps: Select whether to install DevOps components for ZStack Zaku to enable DevOps-related features.
  • Cluster HA: Select whether to enable Cluster HA for ZStack Zaku.
    Note:
    • If disabled, the system creates one VM instance to run ZStack Zaku.
    • If enabled, the system creates three VM instances to run ZStack Zaku. In a production environment, we recommend that you enable Cluster HA.
  • AccessKey ID: Use the Admin account to create an AccessKey on the Cloud and paste the AccessKey here. ZStack Zaku uses this AccessKey to access ZStack Cube Ultimate and call ZStack Cube Ultimate APIs.
  • AccessKey Secret: Enter the AccessKey secret corresponding to the AccessKey ID.
  • Admin Password: Enter the admin password of ZStack Cube Ultimate.
  • Cloud URL: Enter the ZStack Cube Ultimate URL for the Zaku service to access ZStack Cube Ultimate.
    Note: Enter a complete URL, including the access protocol, management node IP/VIP/domain name, and port.
  • External NTP Server IP: Optional. ZStack Zaku deploys an internal NTP server for time synchronization among container cluster nodes by default. If you need to synchronize node time with an external NTP server, enter the IP address of an external NTP server here.

Now, ZStack Zaku is installed successfully. You can click Container Manager on the main menu of ZStack Cube Ultimate to quickly enter the container module and use container features. For more information, see What is Container Management?

Manage a Default Application

On the main menu of ZStack Cube Ultimate, choose Operational Management > Application Market > Default Application. Then, the Default Application page appears.

You can perform the following actions on a default application.

  • Install Application: Install a new application based on the provided installation package.
    Note:
    • The application runs in VM instances. When you install an application, the system creates the corresponding VM instances at the same time. Different applications may need different numbers of VM instances.
    • Deleting the corresponding VM instances causes the application to malfunction.
  • View Parameter: Enter the Installed list to view detailed information about an application, including the application protocol, IP address, port, default username, and default password.
  • View VM Instance: Enter the Installed list to view the information about the VM instances corresponding to an application.
  • Uninstall Application: Uninstall an application.
    Note:
    • Uninstalling an application also deletes the VM instances corresponding to this application.
    • This action expunges all data of the application. The deleted data cannot be recovered. Exercise caution.

Add More Application

On the main menu of ZStack Cube Ultimate, choose Operational Management > Application Market > More Application. On the More Application page, click Add Application. Then, the Add Application page is displayed.

On the displayed page, set the following parameters:
  • Name: Enter an application name.

    The name must be 1 to 128 characters in length and can contain Chinese characters, letters, digits, spaces, hyphens (-), underscores (_), periods (.), parentheses (), colons (:), and plus signs (+), and cannot begin or end with spaces.

  • Description: Optional. Enter a description for the application.
  • Application Type: Select an application type. Valid values: Storage, Database, Security, IaaS, PaaS, and SaaS.
    Note: Storage application type allows you to add a user name and password for a password-free jump to the Ceph Enterprise interface.
  • URL: Enter the URL of the application.
  • Sharing Mode: Set the sharing mode of the resource. Valid values:
    • Share globally: Share the resource with all projects and accounts.
    • Share to specified projects/accounts: Share the resource with specified projects and accounts.
    • Not share: Revoke the shared resource. If revoked, other projects and accounts cannot use the resource.
    Note:
    1. If you change the sharing mode of a resource from Share Globally to Share to Specified Projects or Accounts, the resource is visible only to the specified projects or accounts.
    2. If you modify the sharing mode, resources that are used by projects or accounts before the modification are not affected until the resources are released.
Figure 1. Add Application