VMware Integrated OpenStack supports using either the Keystone database or LDAP as identity sources for simple user management. OpenStack administrators can leverage Projects to allocate resources (ex: vCPUs, RAM, storage, networks, etc.) to groups of related users (i.e. application developers, database administrators, etc.).
This simple resource allocation method provides users with flexibility regarding how they use available resources. That is, they have a big bucket of resources available to them instead of having to make requests to the IT administrators every time they need to spin up new VMs, networks, etc. IT administrators retain control by setting quotas in OpenStack, and they can use cost management tools like vRealize Business to chargeback/showback resource consumption to the various user groups.
The following video provides a detailed walkthrough of managing OpenStack users and projects.
OpenStack’s security groups capability is a key feature in its support for multi-tenant workloads. Security groups are sets of rules that users utilize to specify access to their application infrastructure. This access is specified either via a classless inter-domain routing (CIDR) network range or by specifying the name of another security group.
Let’s take a look at how security groups would be applied in a simple three-tier application infrastructure consisting of web, application, and database layers:
The application developer has restricted access to the various tiers of her application as follows:
Users can only access the Web tier, and that access is restricted solely to TCP 443 for HTTPS
Only instances in the Web security group can access instances in the App security group
Only instances in the App security group can access instances in the DB security group
VMware Integrated OpenStack leverages VMware NSX’s own security group functionality to implement this capability for our users. The application developers are not even aware of this advantage for their application security because they are using industry-standard open source APIs to deploy their infrastructure.
The following video provides a detailed walkthrough of using OpenStack security groups.