Commit 20e55855 authored by Daniele Venzano

Second round of documentation updates

parent 9354a7b9
......@@ -99,21 +99,14 @@ Most of the ZApps expose a number of interfaces (web, REST and others) to the us
* use a proxy, like the one developed for Zoe: :ref:`proxy`
* use back-end network plugins to build custom topologies
Authentication back-end
-----------------------
Authentication back-ends
------------------------
Zoe has a simple user model: users are authenticated against an external source of truth, that assigns also one of three roles:
Zoe supports multiple user authentication back-ends. Multiple back-ends can coexist at the same time.
* guest: cannot access the API (and the command-line tools) and can run one execution at a time
* user: can use the API and has no limits on executions
* admin: can operate on executions belonging to other users, can delete records of past executions
Check the :ref:`users` page for more details on the user model.
Zoe supports two authentication back-ends:
* LDAP and LDAP+SASL (``auth-type=ldap`` ot ``auth-type=ldapsasl``)
* Text file (``auth-type=text``)
As most of Zoe, the authentication back-end is pluggable and others can be easily implemented.
Remember to disable or change the password of the default admin user.
LDAP
^^^^
......
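Review bot: The shortened "Authentication back-ends" text appears to lose both the "Remember to disable or change the password of the default admin user" reminder and the "Check the :ref:`users` page" pointer (the hunk header shows the section going from 21 lines to 14). The default-credential warning would then exist only on the Users page, so I would keep a one-line cross-reference to :ref:`users` here, where an operator configuring LDAP or another back-end is most likely to be reading. It would also help to say where the per-back-end settings that used to be listed as ``auth-type=ldap``, ``auth-type=ldapsasl`` and ``auth-type=text`` are documented now.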
......@@ -2,3 +2,20 @@
Quotas
======
Quotas enforce resource limits to users. A quota can be assigned to multiple users, but a user can have one quota.
Quotas can be set on the following resources:
* concurrent_executions : maximum number of concurrent executions in an active state
* memory : maximum amount of memory a user can reserve in total, across all its active executions (not yet implemented)
* cores : maximum amount of cores a user can reserve in total, across all its active executions (not yet implemented)
A default quota is always available:
* name: default
* concurrent executions: 5
* memory: 32GB
* cores: 20
This default quota can be modified, but not deleted. More quotas can be created via the zoe_admin.py command.
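Review bot: The default quota lists "memory: 32GB" and "cores: 20" a few lines after both resources are marked "(not yet implemented)", so a reader can easily assume those limits are enforced. Please state next to the default values that only concurrent_executions is enforced today, so nobody relies on the memory and cores figures to contain a user. Two smaller points: "a user can have one quota" should read "only a single quota" to match the wording on the Roles page, and the tool is called zoe_admin.py here but zoe-admin.py on the Users page; pick the real file name.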
......@@ -2,3 +2,23 @@
Roles
=====
Roles in Zoe define the limits of what a user can do. A role can be assigned to multiple users, but a user can have only a single role.
The capabilities that can be turned on and off for a role are:
* can_see_status : can access the status page on the web interface
* can_change_config : can make changes to the configuration (add/delete/modify users, quotas and roles)
* can_operate_others : can operate on others' work (see and terminate other users' executions)
* can_delete_executions : can permanently delete executions and all the associated logs
* can_access_api : can access the REST API
* can_customize_resources : can use the web interface to modify resource reservations when starting ZApps from the shop
* can_access_full_zapp_shop : has access to all ZApps in the shop
By default three roles are created:
* admin : all capabilities are set
* superuser : has can_see_status, can_access_api, can_customize_resources and can_access_full_zapp_shop
* user : has no capabilities
Zoe will refuse to delete or modify the admin role.
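Review bot: The can_change_config entry covers "add/delete/modify users, quotas and roles", which means any role holding it can grant itself or others every other capability; the page should say plainly that this capability is equivalent to admin and should not be given to custom roles lightly. The list also does not say what a role with no capabilities (the default "user" role) is still allowed to do, for example whether it can start executions from the web interface, and that is the baseline most accounts will have. A sentence on whether "Zoe will refuse to delete or modify the admin role" applies to both zoe-admin.py and the web interface would close the gap.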
......@@ -2,3 +2,19 @@
Users
=====
Zoe has a flexible user management system. All users that need access to Zoe need to have an entry created in the Zoe user database through the command-line utility (zoe-admin.py) or the web interface.
When the entry is being created, the administrator can choose an authentication source, that can be different for each user. Currently the following sources are available:
* internal : the password is stored in Zoe
* LDAP(+SASL) : authentication is performed by contacting an external LDAP server
* textfile : the password is stored in a CSV file
* pam : authentication is performed by using the PAM subsystem of the operating system where the zoe-api process is running
More backends can be developed, the authentication system is designed to be pluggable.
Each user has a :ref:`roles` and a :ref:`quotas` associated.
By default Zoe has an admin user (password admin), created during the first startup. While deploying Zoe, this user must be disabled or its password changed. The default password is a security risk.
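Review bot: The "internal" and "textfile" sources are described only as "the password is stored in Zoe" and "the password is stored in a CSV file", with no word on whether the stored value is hashed or cleartext, or on what file permissions the CSV needs. Operators choosing between sources need that to judge the risk, so please document the storage format for both. The closing paragraph about the admin user with password admin is the most important line on the page; consider setting it off as a ``.. warning::`` block and moving it above the list of sources. Minor: "Each user has a :ref:`roles` and a :ref:`quotas` associated" will render the page titles in the plural, so "has one of the :ref:`roles` and one of the :ref:`quotas`" reads better.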
......@@ -115,8 +115,8 @@ class ExecutionInspectWeb(ZoeWebRequestHandler):
try:
e = self.api_endpoint.execution_by_id(self.current_user, execution_id)
except zoe_api.exceptions.ZoeException as e:
self.set_status(e.status_code, e.message)
except zoe_api.exceptions.ZoeException as ex:
self.set_status(ex.status_code, ex.message)
return
services_info, endpoints = self.api_endpoint.execution_endpoints(self.current_user, e)
......
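Review bot: In the except branch, set_status(ex.status_code, ex.message) passes the exception message as the second argument; if that value ends up in the HTTP status line, confirm that ZoeException messages never include request-derived text or line breaks, or pass a fixed reason and put the detail in the response body. The rename from e to ex fixes the shadowing, but the execution object is still named e and is used after the handler in execution_endpoints(self.current_user, e); calling it execution would remove the remaining ambiguity. This is also a code change in a commit titled "Second round of documentation updates", so it deserves a mention in the commit message or its own commit.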
......@@ -50,7 +50,7 @@ class DockerStateSynchronizer(threading.Thread):
self.start()
def _host_subthread(self, host_config: DockerHostConfig):
def _host_subthread(self, host_config: DockerHostConfig): # pylint: disable=too-many-locals
log.info("Synchro thread for host {} started".format(host_config.name))
self.host_stats[host_config.name] = NodeStats(host_config.name)
......
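Review bot: The inline "# pylint: disable=too-many-locals" on _host_subthread silences the warning without reducing the method's size; if the method is going to keep growing, extracting the per-host setup or the stats update into a helper would address what pylint is flagging. If the suppression stays, add a short comment explaining why the locals are needed together so the next reader does not have to guess. As with the web handler change, this is a code edit riding along in a documentation commit and is easy to miss when reading the history.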