As product manager for MAAS, I find that a common request from MAAS end-users is multi-tenancy, which in its most fundamental form can be understood as the ability to reserve machines for certain sets of users. This is common when you have a central MAAS which is managing multiple parts of your datacenter; it applies less when you are using a MAAS dedicated to a single deployment, such as the one we use in a typical starter OpenStack build.
Let’s discuss that use case in a bit more detail. It boils down to:
MAAS currently implements a feature called Machine Reservation — in essence, pre-allocating machines to users. Typically, machines in MAAS are left unassigned; once commissioned, they are only assigned on demand, when a request to deploy a new machine comes in from the API or Web UI. But with machine reservations, you can obtain the fundamental effect of multi-tenancy in a very simple manner: you pre-assign machines to your users, and as they request machines, those machines are chosen from that assigned set.
Here’s an image showing a MAAS installation where 5 groups of users — prod, qa, staging, sandbox and admin — are each assigned a set of machines:
The full listing above is only visible to administrators; machines assigned to specific users are not visible to other users when logged into the system. In other words, MAAS administrators can see the complete set of machines enlisted in MAAS, but regular users see only their own. Following on from the example above, when the prod user is logged in, they will see this:
This simple example should bring up a few questions, which I’ll cover in the next sections.
The way MAAS satisfies a user’s request to deploy a machine is pretty simple:
This leaves it up to you to decide what sort of policy to put in place:
The current implementation of MAAS does not model groups; that’s on the roadmap, as is using LDAP as the source for its users and groups.
However, there is a simple way to get most of that benefit, which is to create accounts in MAAS to represent your groups, assign machines to those accounts, and hand out API keys to users within those groups. If you require users to access the Web UI, then you’ll need to share passwords between them, which is not an ideal setup, but which for certain environments is an acceptable compromise.
As hinted at in question 1, when new machines are added and commissioned, they are put in the globally available pool. If you are operating with a policy where all machines are always allocated to users, then ensure that you assign the new machines as soon as commissioning ends. There is a small race condition there, and one which we are also investigating how to address as part of our multi-tenancy roadmap work, but this should not generally be a major concern for most IT environments where users are trusted to a reasonable degree.
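One way to check the "all machines are always allocated" policy and the group-account model described above, as an added example that is not from the original post or from MAAS itself. It assumes a machine listing exported as JSON (for instance from `maas $PROFILE machines read`) with `hostname`, `status_name` and `owner` fields; the sample data and account names are constructed.

```python
import json

# Constructed sample in the assumed shape of a MAAS machine listing.
SAMPLE = json.loads("""[
  {"hostname": "node-01", "status_name": "Deployed",      "owner": "prod"},
  {"hostname": "node-02", "status_name": "Allocated",     "owner": "prod"},
  {"hostname": "node-03", "status_name": "Allocated",     "owner": "qa"},
  {"hostname": "node-04", "status_name": "Ready",         "owner": null},
  {"hostname": "node-05", "status_name": "Commissioning", "owner": null},
  {"hostname": "node-06", "status_name": "Deployed",      "owner": "alice"}
]""")

# Accounts that stand in for groups (names taken from the post's example).
GROUP_ACCOUNTS = {"prod", "qa", "staging", "sandbox", "admin"}


def audit(machines, group_accounts):
    """Report machines that fall outside the pre-assignment policy.

    unassigned: Ready machines with no owner, i.e. sitting in the global
                pool where any user's deploy request could take them
                (the window between commissioning and assignment).
    foreign:    machines owned by an account that is not a group account.
    per_owner:  machine count for each group account that owns something.
    """
    report = {"unassigned": [], "foreign": [], "per_owner": {}}
    for m in machines:
        host, owner = m["hostname"], m.get("owner")
        if owner is None:
            # Machines still commissioning are not yet in the pool.
            if m.get("status_name") == "Ready":
                report["unassigned"].append(host)
        elif owner in group_accounts:
            report["per_owner"][owner] = report["per_owner"].get(owner, 0) + 1
        else:
            report["foreign"].append((host, owner))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE, GROUP_ACCOUNTS)
    for host in result["unassigned"]:
        print(f"UNASSIGNED  {host}: Ready with no owner, assign it now")
    for host, owner in result["foreign"]:
        print(f"FOREIGN     {host}: owned by non-group account {owner!r}")
    for owner, count in sorted(result["per_owner"].items()):
        print(f"OK          {owner}: {count} machine(s)")
```

Run on a schedule, a non-empty `unassigned` list is the signal that newly commissioned machines have not yet been pre-assigned.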
MAAS is already in use in large environments using this model, and we are welcoming input and feedback on how well it works. If you would like to add to the discussion, join the maas-devel mailing list and share your thoughts. See you there!