Answers to the Quiz
Red Hat OpenStack Multi-Tenancy
- An OpenStack Administrator needs to give a junior OpenStack Operator access to manage API resources from a single application. That operator will work closely with the application’s development team and should not use too much compute capacity to avoid impact on other application teams sharing the cluster. Which of the following is the minimum access level the administrator should grant to that operator?
  - Admin role in the project
    Incorrect: Admin can set quotas and permissions at the project level, which could indirectly impact other application teams.
  - Member role in the project
    Correct: Member is sufficient to manage server instances, networks, and volumes.
  - View role in the project
    Incorrect: View cannot create or change API resources inside a project.
  - Admin role in the project’s domain
    Incorrect: Admin in a domain can potentially affect multiple projects, from different application teams.
  - Member role in the project’s domain
    Incorrect: Members in a domain can potentially affect multiple projects, from different application teams.
  - View role in the project’s domain
    Incorrect: View cannot create or change API resources inside any project from a domain.
- An OpenStack Administrator wants to delegate administration of a group of applications that belong to the same business unit to a senior OpenStack Operator. That senior operator will be responsible for a team of junior OpenStack operators dedicated to supporting that business unit and should have autonomy to manage his team of operators. Which of the following is the minimum access level the administrator should grant to that operator?
  - Admin role in all projects from that business unit
    Correct: The senior operator needs Admin to grant permissions to the junior operators from the team. This is probably more work than organizing all projects in a domain for the business unit, but it works fine.
  - Member role in all projects from that business unit
    Incorrect: Member does not allow granting permissions to junior operators from the team.
  - View role in all projects from that business unit
    Incorrect: View does not allow granting permissions to junior operators from the team.
  - Admin role in the domain which represents that business unit
    Correct: The senior operator needs Admin to grant permissions to the junior operators from the team. This is probably less work than granting admin on individual projects, especially if there are too many projects, but all projects must be created as part of the correct domain.
  - Member role in the domain which represents that business unit
    Incorrect: Member does not allow granting permissions to junior operators from the team.
  - View role in the domain which represents that business unit
    Incorrect: View does not allow granting permissions to junior operators from the team.
- An OpenStack Administrator needs to support, on the same cluster, two business units which used to have autonomy on technology decisions and ended up each implementing their own enterprise authentication system. OpenStack Operators from each of those business units need to manage their own applications and use authentication credentials managed by their respective enterprise authentication systems. How can OpenStack support this requirement?
  - Each business unit belongs to a different domain, and each domain connects to the business unit’s enterprise authentication system.
    Correct: authentication domains enable configuring a cluster for different enterprise authentication backends in parallel.
  - Each business unit has their own projects, and each project connects to the business unit’s enterprise authentication system.
    Incorrect: authentication backends are configured at the domain level, not at the project level.
  - Each business unit belongs to a different project, and each project grants access to users based on their validating, or originating, enterprise authentication systems.
    Incorrect: Keystone does not forward to other OpenStack services a name or ID of the originating authentication system. They must be represented by different user domains.
  - Each business unit requires their own OpenStack cluster because it is not possible to configure multiple authentication backends for the same cluster.
    Incorrect: Each OpenStack domain can have its own authentication backend.
- An OpenStack Administrator team is concerned about a development team whose members have direct access to an OpenStack cluster and occasionally use all of the cluster compute capacity, preventing other application teams from creating new server instances and other API resources on their projects. All teams need the ability to create a few server instances for testing purposes, and some do that from automated CI/CD pipelines. Which of the following actions should prevent that team from impacting other developer teams sharing the cluster?
  - Create an API resource quota that limits the number of projects a team can create in the cluster.
    Incorrect: API resource quotas cannot be set at the domain level; they are always per-project.
  - Create an API resource quota that limits the number of server instances a team can create in each project.
    Correct: As long as the number of projects times the quota from each project does not exceed the total number of server instances the cluster can run.
  - Create a compute resource quota that limits the number of vCPUs a team can consume in the cluster.
    Incorrect: compute resource quotas cannot be set at the domain level; they are always per-project.
  - Create a compute resource quota that limits the number of vCPUs from all server instances in each project.
    Incorrect: A compute resource quota affects the ability to consume resources from already running server instances, but does not prevent creation of new server instances. A quota on the total quantity of vCPUs might work if the quota times the number of projects does not exceed the total number of CPU cores in the cluster times the overcommit ratio of the cluster, but because it is a compute resource quota, it might lead to low utilization of the cluster because of too many idle applications. Such a quota would assume applications always use CPU available to them and are not bursty.