Users

There are four main user types in the Binero.cloud platform:

  • Main user

  • Account management portal users (either the same as the main user or a newly create one)

  • Cloud management portal user (the same as the main user)

  • API users (setup from the cloud management portal)

  • Application Credentials (setup from OpenStack Horizon using an API user)

The main user is the user you registered when signing up for the service. It will be an e-mail address, probably of the person that setup the account. The main user can be used to login to both the account management portal and the cloud management portal but cannot be used for either Horizon, the OpenStack terminal client or the API which all require an API user.

For more details, see information on each section below.

Account management portal

To create a user through the Account management portal, follow these steps:

  • From the home screen press “New contact” under the “Contacts” dialog to the right.

  • Press “User management”, again to the right.

  • Press “Invite new user”. Here you are able to select what permissions the new user should have in the account management portal or select all available permissions.

  • Input the users e-mail address.

  • Press “send invite”.

The user will receive and e-mail with instructions on how to enroll themselves.

Note

Users created in the account management portal are not synced to the cloud management portal, see below.

To instead add a contact which is mainly usefull for sending out information from the platform (for instance invoices to the billing department) without allowing for logging in to the portal, follow these steps:

  • From the home screen press “New contact” under the “Contacts” dialog to the right.

  • Input the contact details.

  • Under e-mail settings, choose what types of e-mails the new contact should receive.

  • Press “save changes”.

Cloud management portal

The cloud management portal has only one user (as opposed to the account management portal) which is the main user. It can login with its credentials directly or use single sign on from the account management portal. If you setup multiple users in the account management portal, each user will use single sign on to the main user in the cloud management portal.

Tip

Because you may want to limit access to your infrastructure to the essential personell, a good first step is to setup additional users in the account management portal and reserve the main login for those that need access to the infrastructure in the cloud management portal.

API users

In the cloud management portal, you are able to setup API users under “Access and Security” in the main menu. An API user is a native OpenStack Keystone user that has access to your project, you can use it in the OpenStack Horizon Dashboard or to connect to any of the OpenStack API endpoints. An API user, however, cannot login directly to the cloud management portal.

To create an api user through the Cloud management portal, follow these steps:

  • Under “Access and security” in the main menu, press “API-users”.

  • Press the “+” icon in the lower right corner.

  • Select a username (part of the username will be selected for you), password and optionally add a description.

  • Press “Create”

The API user will be created with the username style “mainuser@domain.com_choosenusername” (that is, the username you chose when creating the user will only be part of the total username).

Tip

Provided you want to only use the Horizon interface or work via API, its possible to setup API users as personal users for the people managing the infrastructure. The main user should then be limited to the super admin which would use it, only to provision API users.

Application Credentials

By using application credentials, its possible to grant a subset of your API-users access to a certain application. The scope of an application credential, thus, is the same as an API user (see above) but with limited access. This is useful for when wanting to assign access to an application (as opposed to a human) to a certain part of the platform (or more correctly, to the API) while limiting for instance the ability to login to the portal. Application credentials can only be created using OpenStack Horizon and they are always tied to the privileges of the user that created them.

To create an application credential user through the OpenStack Horizon, follow these steps:

  • Under “Identity” in the main menu, select “application credentials”.

  • Press “+Create application credentials” to the top right.

  • Input a name and optionally a description.

  • In the secret field, either input a secret (the “password”). If you don’t, one will be generated for you (which is recommended)

  • Optionally provide an expiration date and time for when to (automatically) deactivate the account.

  • Under roles, select the appropriate access level. If you don’t select a level, the same level as your account will be used (which is member). Creator will allow creation of some objects where as reader is read only.

  • Under access rules you are able to give even more granular accesses to various API functions. There is information on how this works in the interface. If you don’t enter anything here, your user will be able to access all functions.

  • The “unrestricted” box will enable creating additional users. This is not recommended.

  • Finally, press “create application credential”.

Important

Once you create the credential, you will be given a one time opportunity to save the information by copy/paste or downloading in openrc or YAML format. Once you press close, the secret will only be available in the database encrypted and new credentials will have to be created if you forget them.

See also