Sub-Account Setting #

What is a Sub-Account? #

A sub-account can be created by the admin or synced from a third-party authentication system and is managed by the admin. Resources created under a sub-account are managed by the sub-account. You can use a sub-account to create, share, delete, and revoke resources under its management and implement fine-grained control over the permissions on resources.

Figure 1. Sub-account Management

Concepts #

  • admin: The admin has full privileges over all resources. The admin account should be held by the IT system administrator.
    • The admin can share instance offerings, disk offerings, networks, images, and other cloud resources with sub-accounts or revoke the resources from sub-accounts. Sub-accounts can only manage resources to which they are granted access.
    • The admin can modify resource quotas granted to a sub-account based on different business scenarios.
    • After the admin creates a VXLAN pool, sub-accounts can create VXLAN networks based on that pool.
    • Changing the owner of a VM instance will change the owner properties of the EIPs associated with the VM instance.
  • Sub-account:
    • Sub-accounts can be categorized into local sub-accounts and third-party sub-accounts:
      • A local sub-account is created by the admin. A third-party sub-account is synced from a third-party authentication server.
        • Third-party authentication: The third-party authentication service, powered by the Cloud, provides seamless access to third-party authentication systems. Through this service, users of those systems can log in to the Cloud directly and manage cloud resources. Currently, OIDC servers can be added.
          • OIDC server: A third-party authentication server that uses the OIDC protocol. It authenticates and authorizes third-party users to log in to the Cloud without a Cloud password and syncs their user information to the Cloud according to the mapping rule.
      • A sub-account has management permissions on VM instances, images, volumes, and security groups created under the sub-account. A sub-account can perform read operations on resources shared by the admin, but cannot delete the resources.
      • Deleting a sub-account will delete all resources created by the sub-account, such as VM instances, volumes, and images.
      • The names of sub-accounts must be unique.
      • Resource quotas that the admin grants to a sub-account are displayed on the homepage of the sub-account.
      • Before a sub-account can create a VM instance, the admin must share an instance offering, disk offering, network, and other required resources with the sub-account. Otherwise, a VM instance cannot be created.
      • A sub-account can use an image that it adds to the Cloud or use an image shared by the admin.
  • Quota: Resource quotas that the admin grants to a sub-account specify the maximum resources that the sub-account can manage, including compute, storage, network, and other resource quotas. The admin uses these settings to cap the resources available to each sub-account. Note that a resource that has been deleted but not yet expunged still occupies primary storage space and therefore still counts against the quota until it is expunged.
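As an added example (not ZStack code or anything from this page), the following Python models the quota rule stated above: a volume that has been deleted but not expunged still occupies primary storage, so it keeps counting against the sub-account's storage quota until it is expunged. Volume, the state names Ready/Deleted/Expunged, the functions, and the sample volumes are assumptions constructed for the example; volumes_to_expunge goes one step beyond the text by listing which Deleted volumes a sub-account would have to expunge to fit a new volume.

```python
"""Storage quota accounting in which a Deleted (not yet expunged) volume
still occupies primary storage and therefore still counts against quota.
Added example, not ZStack code: Volume, the state names and every function
are assumptions; the sample volumes are constructed data."""
from dataclasses import dataclass, replace

GIB = 1024 ** 3


@dataclass(frozen=True)
class Volume:
    name: str
    owner: str
    size: int    # bytes of primary storage the volume occupies
    state: str   # "Ready", "Deleted" (recoverable) or "Expunged" (space released)


def storage_in_use(volumes, owner):
    """Bytes charged to `owner`: Ready and Deleted volumes both still occupy
    primary storage; only Expunged volumes have released their space."""
    return sum(v.size for v in volumes
               if v.owner == owner and v.state in ("Ready", "Deleted"))


def delete_volume(volumes, name):
    """Soft delete: the volume keeps its space until it is expunged."""
    return [replace(v, state="Deleted") if v.name == name and v.state == "Ready" else v
            for v in volumes]


def expunge_volume(volumes, name):
    """Expunge a Deleted volume, releasing its primary storage."""
    return [replace(v, state="Expunged") if v.name == name and v.state == "Deleted" else v
            for v in volumes]


def can_create_volume(volumes, owner, quota_bytes, new_size):
    """True when a new volume of `new_size` fits within the owner's quota."""
    return storage_in_use(volumes, owner) + new_size <= quota_bytes


def volumes_to_expunge(volumes, owner, quota_bytes, new_size):
    """Smallest-first list of the owner's Deleted volumes whose expunging
    would make room for `new_size`; [] if no room is needed; None if even
    expunging all of them is not enough (only the admin can then raise the quota)."""
    needed = storage_in_use(volumes, owner) + new_size - quota_bytes
    if needed <= 0:
        return []
    chosen, freed = [], 0
    deleted = [v for v in volumes if v.owner == owner and v.state == "Deleted"]
    for v in sorted(deleted, key=lambda v: v.size):
        chosen.append(v.name)
        freed += v.size
        if freed >= needed:
            return chosen
    return None


# Constructed sample: the dev-team sub-account has a 100 GiB storage quota.
QUOTA = 100 * GIB
SAMPLE = [
    Volume("data-1", "dev-team", 40 * GIB, "Ready"),
    Volume("data-2", "dev-team", 30 * GIB, "Ready"),
    Volume("old-dump", "dev-team", 50 * GIB, "Expunged"),   # space already released
    Volume("qa-disk", "qa-team", 90 * GIB, "Ready"),        # another sub-account
]
```

With the sample data, dev-team uses 70 GiB; deleting data-2 does not make a 40 GiB volume fit, because the Deleted volume still counts, and only expunging it brings usage down to 40 GiB.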

Sub-Account #

Create a Local Sub-Account #

On the main menu of ZStack Cloud, choose Settings > Sub-Account Setting > Sub-Account Management. On the Sub-Account page, click Create Sub-Account. Then, the Create Sub-Account page is displayed.

On the displayed page, set the following parameters:

  • Name: Enter a name for the local sub-account.
  • Description: Optional. Enter a description for the local sub-account.
  • Password: Enter a password for the local sub-account.
  • Confirm Password: Confirm the local sub-account password.
  • Pricing List: Optional. Select a pricing list. If left blank, the default pricing list is used.
Figure 1. Create Local Sub-account

Manage a Sub-Account #

On the main menu of ZStack Cloud, choose Settings > Sub-Account Setting > Sub-Account Management. Then, the Sub-Account page is displayed.

Manage a Local Sub-Account #

The following actions can be performed on a local sub-account:

  • Create Sub-Account: Create a new sub-account.
  • Change Password: Change the password of an account. Note: After changing the admin password, you must log out and log in again for the change to take effect.
  • Change Pricing List: Change the pricing list attached to an account.
  • Delete Sub-Account: After a sub-account is deleted, it can no longer be used to log in to the platform. VPC vRouters managed by the sub-account are deleted. VM instances and volumes are handled according to the deletion policy configured by the admin:
    • Direct: VM instances and volumes managed by the sub-account are expunged.
    • Delay: VM instances and volumes managed by the sub-account are set to the Deleted state and their owner is changed to admin.
    • Never: VM instances and volumes managed by the sub-account are set to the Deleted state and their owner is changed to admin.
Manage a 3rd-Party Sub-Account #

The following actions can be performed on a 3rd-party sub-account:

  • Change Pricing List: Change the pricing list attached to an account.
  • Delete Sub-Account: After a sub-account is deleted, it can no longer be used to log in to the platform. VPC vRouters managed by the sub-account are deleted. VM instances and volumes are handled according to the deletion policy configured by the admin:
    • Direct: VM instances and volumes managed by the sub-account are expunged.
    • Delay: VM instances and volumes managed by the sub-account are set to the Deleted state and their owner is changed to admin.
    • Never: VM instances and volumes managed by the sub-account are set to the Deleted state and their owner is changed to admin.
    Deleting a 3rd-party sub-account does not affect the source user in the 3rd-party authentication server.

3rd-Party Authentication #

Add a 3rd-Party Authentication Server #

On the main menu of ZStack Cloud, choose Settings > Sub-Account Setting > 3rd-Party Authentication. On the 3rd-Party Authentication page, click Add 3rd-Party Authentication Server. Then, the Add 3rd-Party Authentication Server page is displayed.

On the displayed page, set the following parameters:

  • Name: Enter a name for the 3rd-party authentication server.
  • Description: Optional. Enter a description for the 3rd-party authentication server.
  • Type: Only OIDC Server is supported: a third-party authentication server that uses the OIDC protocol. It authenticates and authorizes third-party users to log in to the Cloud without a Cloud password and syncs their user information to the Cloud according to the mapping rule.
  • Redirect URL: The URL to which the authentication server sends the browser back after it has authenticated the user. The same URL must be registered with the OIDC server as an allowed redirect URI for the Cloud's client ID, because an OIDC server only redirects to URLs registered for the client.
  • Redirect Template: The template used to complete the password-free login inside the Cloud. If the Cloud is deployed behind a reverse proxy, change the IP address and port in this parameter to those of the proxy.
  • Client ID: Enter the unique ID that the authentication system assigned to the Cloud.
  • Client Secret: Enter the secret that the authentication system assigned to the Cloud. The Cloud presents it at the token request URL to prove its identity, so treat it as a credential.
  • Authorization Request URL: Enter the URL used to obtain an authorization code in the authorization code flow.
  • Token Request URL: Enter the URL used to exchange the authorization code for an access token.
  • Userinfo Request URL: Enter the URL used to obtain user information from the authentication server with the access token.
  • Logout URL: The URL that the Cloud calls to end the session at the authentication server when a user logs out of the Cloud. The next login then requires re-authentication at the authentication server. If left blank, the session at the authentication server is not cleared when the user logs out of the Cloud, and the user can log in to the Cloud again without a password for as long as that session remains valid.
  • User Mapping Rule: The rule that maps attributes of a third-party user to the attributes of a Cloud user, so that the user has local attributes after it is synced to the Cloud.
    • Name: Specify the OIDC user attribute that maps to the Name of the Cloud user. The Name is the unique identity of a user, so choose an attribute that is also unique in the authentication system. For example, if Name is mapped to username, a third-party user whose username is Xiaoming is created in the Cloud with the Name Xiaoming.
    • Description: Optional. Specify the OIDC user attribute that maps to the Description of the Cloud user. For example, if Description is mapped to description, a third-party user whose description is dev-backend is created in the Cloud with the Description dev-backend.
Figure 1. Add 3rd-Party Authentication Server
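The following added example (not code from ZStack or this page) walks the authorization code flow that the parameters above configure, using a constructed in-memory stand-in for the OIDC server, and then applies the User Mapping Rule to the returned claims. The names OidcServer, FakeIdp, build_authorization_url, complete_login, map_user and login_and_sync, the hosts cloud.example.com and idp.example.com, the client ID and secret, and the sample user are all assumptions. It also performs the checks that keep a password-free login safe: the state value must round-trip unchanged, the callback must arrive on the configured Redirect URL, the stand-in server only redirects to a registered URL, and an authorization code is accepted once.

```python
"""OIDC authorization-code login against a 3rd-party authentication server
configured as above, then the User Mapping Rule applied to the userinfo
claims. Added example, not ZStack code: OidcServer, FakeIdp and every
function here are assumptions; FakeIdp is an in-memory stand-in so the flow runs offline."""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class OidcServer:
    """Fields mirror the Add 3rd-Party Authentication Server form."""
    redirect_url: str
    client_id: str
    client_secret: str
    authorization_request_url: str
    token_request_url: str
    userinfo_request_url: str
    name_rule: str = "username"            # Cloud Name <- this OIDC claim
    description_rule: str = "description"  # Cloud Description <- this claim


class FakeIdp:
    """Constructed in-memory authentication server, not a real OIDC provider."""
    def __init__(self, client_id, client_secret, registered_redirects, users):
        self.client_id, self.client_secret = client_id, client_secret
        self.registered_redirects = set(registered_redirects)
        self.users = users                    # subject -> userinfo claims
        self._codes, self._tokens = {}, {}

    def authorize(self, request_url, subject):
        """Authorization Request URL: the user logs in; the IdP checks client_id
        and redirect_uri, then redirects back with a single-use code and the state."""
        q = parse_qs(urlparse(request_url).query)
        redirect_uri = q["redirect_uri"][0]
        if q["client_id"][0] != self.client_id or redirect_uri not in self.registered_redirects:
            raise PermissionError("unknown client_id or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code, redirect_uri, client_id, client_secret):
        """Token Request URL: code + client credentials -> access token."""
        if client_id != self.client_id or not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("bad client credentials")
        subject, issued_for = self._codes.pop(code, (None, None))  # pop: single use
        if subject is None or issued_for != redirect_uri:
            raise PermissionError("invalid, reused or mismatched code")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = subject
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, access_token):
        """Userinfo Request URL: access token -> user attributes."""
        return dict(self.users[self._tokens[access_token]])


def build_authorization_url(server, state):
    """Step 1: send the browser to the IdP with a fresh, unguessable state."""
    params = {"response_type": "code", "client_id": server.client_id,
              "redirect_uri": server.redirect_url, "scope": "openid profile",
              "state": state}
    return server.authorization_request_url + "?" + urlencode(params)


def complete_login(server, idp, callback_url, expected_state):
    """Step 2: the browser lands on the Redirect URL; verify the state, exchange
    the code and fetch the claims the mapping rule will consume."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != server.redirect_url:
        raise PermissionError("callback did not arrive on the configured Redirect URL")
    q = parse_qs(parsed.query)
    if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch: possible login CSRF")
    tok = idp.token(q["code"][0], server.redirect_url, server.client_id, server.client_secret)
    return idp.userinfo(tok["access_token"])


def map_user(server, claims, existing_names):
    """Step 3: User Mapping Rule. Name is the unique identity, so a missing or
    already-taken value is refused (assumed; the page only requires uniqueness)."""
    name = claims.get(server.name_rule)
    if not name:
        raise ValueError(f"claim {server.name_rule!r} missing, cannot derive Name")
    if name in existing_names:
        raise ValueError(f"Name {name!r} already exists in the Cloud")
    return {"name": name, "description": claims.get(server.description_rule, ""),
            "type": "3rd-party"}


# Constructed sample configuration and user; hosts, IDs and secret are hypothetical.
SERVER = OidcServer(redirect_url="https://cloud.example.com/oidc/callback",
                    client_id="zstack-cloud", client_secret="s3cr3t-from-idp",
                    authorization_request_url="https://idp.example.com/authorize",
                    token_request_url="https://idp.example.com/token",
                    userinfo_request_url="https://idp.example.com/userinfo")
IDP = FakeIdp("zstack-cloud", "s3cr3t-from-idp", [SERVER.redirect_url],
              {"u-1001": {"username": "Xiaoming", "description": "dev-backend"}})


def login_and_sync(subject="u-1001", existing_names=()):
    """Whole flow for one user; returns the local sub-account record."""
    state = secrets.token_urlsafe(16)
    callback = IDP.authorize(build_authorization_url(SERVER, state), subject)
    claims = complete_login(SERVER, IDP, callback, state)
    return map_user(SERVER, claims, set(existing_names))
```

login_and_sync() returns the record {"name": "Xiaoming", "description": "dev-backend", "type": "3rd-party"}, which is exactly the mapping the Name and Description rules above describe. A username claim that collides with an existing Name is refused instead of silently merged, a callback whose state does not match the one issued for this login is rejected before any code is exchanged, and a second exchange of the same authorization code fails at the token endpoint.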

Manage a 3rd-Party Authentication Server #

On the main menu of ZStack Cloud, choose Settings > Sub-Account Setting > 3rd-Party Authentication. Then, the 3rd-Party Authentication page is displayed.

The following actions can be performed on a 3rd-party authentication server:

  • Edit 3rd-Party Authentication Server: Edit the name and description of a 3rd-party authentication server.
  • Delete 3rd-Party Authentication Server: Delete a 3rd-party authentication server. Note: Deleting a 3rd-party authentication server also deletes the related third-party user information in the Cloud. The source user and organization information on the authentication server is not affected.
