Authorization Model
The authorization model separates system administrators, tenant administrators, and project users.
System administrators are permitted to read and modify all the objects in the system. They can also create tenant administrators. A tenant administrator can view and modify projects, quotas, and other objects owned by the tenant. A tenant administrator or a system administrator can create project users, who can view and modify project resources, such as VMs, disks, and images.
System administrators have full access to all APIs in the system. The table below lists the API endpoints reserved for system administrators; no other role can access them.
API Call | Description |
---|---|
/datastores | List datastores in use by Photon Controller |
/deployments | List Photon Controller deployments |
/hosts | List hosts under control of Photon Controller |
/portgroups | List portgroups available |
/status | List Photon Controller's system status |
Only a system administrator can write to these API endpoints; all other users may read them. "Write" here means create, modify, and delete, shown as "Manage" in the table below.
API Call | Sysadmin Actions | Actions for others |
---|---|---|
/flavors | Manage flavors | List/show flavors |
/networks | Manage networks | List/show networks |
/tenants | Manage tenants | List/show tenants |
/tenants/quotas | Manage quotas | List/show quotas |
Tenant Administrators are assigned on a per-tenant basis and have the following capabilities:
- Creating and deleting projects under the tenant they are assigned to
- Creating and deleting quotas
- Managing the security groups associated with the tenant
- Fully manipulating any object scoped under the tenant and project
A tenant administrator can manage the projects within the tenant.
API Call | Description |
---|---|
/tenants/MY-TENANT/set_security_groups | Manage security groups for MY-TENANT |
/tenants/MY-TENANT/projects | Manage projects for MY-TENANT |
Project users can view and modify project resources, including VMs and disks. After a Photon Controller tenant administrator or system administrator binds a security group to a project, all members of that group are granted project user rights.
API Call | Description |
---|---|
/projects/MY-PROJECT/clusters | Manage container clusters for MY-PROJECT |
/projects/MY-PROJECT/disks | Manage disks for MY-PROJECT |
/projects/MY-PROJECT/vms | Manage VMs for MY-PROJECT |
/projects/MY-PROJECT/set_security_groups | Manage security groups for MY-PROJECT |
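The three tiers above (system-only endpoints, sysadmin-write/others-read endpoints, and tenant- and project-scoped endpoints) collapse into a single fail-closed policy check. The following is an added example and not Photon Controller's own code: the `Principal` structure, the sample tenant-to-project ownership map, the sample principals, and the `PROJECT_USERS_MAY_BIND_GROUPS` switch are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

READ = frozenset({"GET"})
WRITE = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# Tier 1: only system administrators may read or write these (first table on the page).
SYSTEM_ONLY = frozenset({"datastores", "deployments", "hosts", "portgroups", "status"})
# Tier 2: system administrators manage, every other role may list/show (second table).
SYSTEM_WRITE_OTHERS_READ = frozenset({"flavors", "networks", "tenants", "tenants/quotas"})

# Assumption: the page's prose says a tenant or system administrator binds a security group
# to a project, while its table lists the call under project users. This example follows
# the table; set to False to encode the stricter reading.
PROJECT_USERS_MAY_BIND_GROUPS = True

# Constructed sample ownership map; a real deployment would resolve this from the projects API.
PROJECT_OWNER = {"web-prod": "acme", "web-dev": "acme", "bi": "globex"}

TENANT_RE = re.compile(r"^/tenants/([^/]+)/(projects|set_security_groups)(?:/.*)?$")
PROJECT_RE = re.compile(r"^/projects/([^/]+)/(clusters|disks|vms|set_security_groups)(?:/.*)?$")


@dataclass(frozen=True)
class Principal:
    """Assumed caller model: a role plus the scope that role applies to.

    A project_user's memberships are assumed to have been resolved already from the
    security groups bound to each project, as the page describes.
    """
    name: str
    role: str                                   # system_admin | tenant_admin | project_user
    tenant: Optional[str] = None                # tenant a tenant_admin is assigned to
    projects: FrozenSet[str] = field(default_factory=frozenset)


def _top_level(path: str) -> Optional[str]:
    """Map /flavors/abc -> 'flavors', /tenants/quotas/x -> 'tenants/quotas'; None if unknown."""
    for name in sorted(SYSTEM_ONLY | SYSTEM_WRITE_OTHERS_READ, key=len, reverse=True):
        if path == "/" + name or path.startswith("/" + name + "/"):
            return name
    return None


def authorize(p: Principal, method: str, path: str) -> bool:
    """Return True only when the model explicitly grants the call; everything else is denied."""
    method = method.upper()
    if method not in READ and method not in WRITE:
        return False
    write = method in WRITE
    sysadmin = p.role == "system_admin"

    m = TENANT_RE.match(path)
    if m:
        tenant = m.group(1)
        # Tenant-scoped management: the tenant's own administrator, or a system administrator.
        return sysadmin or (p.role == "tenant_admin" and p.tenant == tenant)

    m = PROJECT_RE.match(path)
    if m:
        project, action = m.groups()
        owner = PROJECT_OWNER.get(project)
        if owner is None:
            return False                                    # unknown project: fail closed
        if sysadmin or (p.role == "tenant_admin" and p.tenant == owner):
            return True                                     # admins fully manipulate tenant-scoped objects
        if action == "set_security_groups" and not PROJECT_USERS_MAY_BIND_GROUPS:
            return False
        return p.role == "project_user" and project in p.projects

    name = _top_level(path)
    if name in SYSTEM_ONLY:
        return sysadmin
    if name in SYSTEM_WRITE_OTHERS_READ:
        return sysadmin or not write
    return False                                            # not in the model: deny


# Constructed sample principals.
SYSADMIN = Principal("root", "system_admin")
ACME_ADMIN = Principal("alice", "tenant_admin", tenant="acme")
WEB_USER = Principal("bob", "project_user", projects=frozenset({"web-prod"}))

if __name__ == "__main__":
    for who, method, path in [(SYSADMIN, "GET", "/hosts"), (ACME_ADMIN, "GET", "/hosts"),
                              (ACME_ADMIN, "POST", "/tenants/acme/projects"),
                              (WEB_USER, "DELETE", "/projects/web-prod/vms/vm-1"),
                              (WEB_USER, "POST", "/projects/web-dev/vms")]:
        verdict = "allow" if authorize(who, method, path) else "deny"
        print(f"{who.name:6} {method:6} {path:30} -> {verdict}")
```

Two points worth checking in any real implementation of this model: a request for a path or method the model does not name must be denied rather than falling through to the least-privileged rule, and project-level decisions must resolve the owning tenant first, otherwise a tenant administrator of one tenant could act on another tenant's projects by guessing a project identifier. The `PROJECT_USERS_MAY_BIND_GROUPS` switch isolates the one place where the page's prose and table disagree; whichever reading a deployment takes, a project user able to bind groups to a project can grant project-user rights to anyone in those groups, so treat that call as a privilege-granting operation.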
For more information about tenants and resources, see Understanding Multitenancy and Working with Tenants, Quotas, and Projects.