Organizations

In CloudCasa, an Organization implements a multi-tenancy model in which visibility of and access to resources can be isolated at the organization level.

There are two ways in which organizations are created. By default, a new organization is created whenever a user logs in for the first time. It is named “default” and the user is made the administrator of the organization. At this point, more users can be invited to this org if they need access to its resources, such as clusters, jobs, and policies. This default functionality can be disabled by setting the Helm parameter auth.createDefaultOrg to false.

The other way is for a site admin to explicitly create an organization. In the following sections, more details will be provided for this option.

Finally, there is a special organization called “Site admins”, which is created the first time a site admin user logs in. It is automatically shared by all site admin users.

Creating an organization

This functionality is available only to site admins and can be used to support multiple use cases. For example, an MSP can create one organization per customer, or an organization can be created for each division in a company. A very important aspect of creating an organization this way is the ability to associate a list of authentication groups with the org. For example, if you configured LDAP as the authentication provider, you can associate one or more LDAP groups with the organization. This way, whenever users from these groups log in, their organization is automatically set to this one.

Note that a given authentication group can be associated with multiple orgs. In this case, users in this group will be able to switch between these orgs at any time.

To create an org, go to Site Admin => Organizations and click on Add organization.

Listing organizations

Site admins can see a list of all the organizations in the system and can switch to any one of them. This functionality can be used to access resources in a given org.

To see the list of orgs, go to Site Admin => Organizations. To switch to an org, click on “Switch” from the actions menu of the corresponding org.

Editing an organization

Site admins can make changes to an org, such as changing its name or reconfiguring the associated authentication groups. Note that if an authentication group is removed, users from this group will no longer be able to access resources in that org.

To edit an org, go to Site Admin => Organizations and click on “Edit” from the actions menu of the corresponding org.

When users log in and none of their groups has an associated org, there are two possibilities:

  • If the Helm parameter auth.createDefaultOrg is set to true (which is the default), a new dedicated org will be created for each such user.

  • If this parameter is set to false, the login will fail.
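
The following is a small model of the login-time behaviour described above, added here as an illustration and not CloudCasa's own code; the org names, LDAP group names and function names are constructed for the example. It also lists groups associated with more than one org, since members of such a group can switch between those tenants.

```python
from collections import defaultdict

# Constructed sample: org name -> associated authentication groups.
# Org and LDAP group names are hypothetical.
ORG_GROUPS = {
    "customer-a": {"ldap-cust-a-admins", "ldap-msp-support"},
    "customer-b": {"ldap-cust-b-admins", "ldap-msp-support"},
    "internal": {"ldap-platform"},
}


def orgs_for_user(user_groups, org_groups):
    """Orgs reachable through group association; the user can switch between them."""
    wanted = set(user_groups)
    return sorted(org for org, groups in org_groups.items() if groups & wanted)


def login_outcome(user_groups, org_groups, create_default_org=True):
    """Model of the documented outcome; create_default_org mirrors auth.createDefaultOrg."""
    orgs = orgs_for_user(user_groups, org_groups)
    if orgs:
        return ("mapped", orgs)
    if create_default_org:
        # No group matched: a new dedicated org is created for this user.
        return ("new-dedicated-org", [])
    # No group matched and default org creation is disabled.
    return ("login-fails", [])


def shared_groups(org_groups):
    """Groups associated with more than one org: their members span tenants."""
    seen = defaultdict(set)
    for org, groups in org_groups.items():
        for group in groups:
            seen[group].add(org)
    return {g: sorted(orgs) for g, orgs in seen.items() if len(orgs) > 1}


if __name__ == "__main__":
    print(login_outcome(["ldap-msp-support"], ORG_GROUPS))
    print(login_outcome(["ldap-contractors"], ORG_GROUPS, create_default_org=False))
    print(shared_groups(ORG_GROUPS))
```

Reviewing the output of shared_groups before associating a group with an additional org shows which tenants its members will be able to reach.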

Deleting an organization

A site admin can delete an organization after making sure that all resources in that org are removed first. If any resources remain in an org, it cannot be deleted. This functionality will be improved in the future by providing a “force” option to delete an org and all its resources.

To delete an org, go to Site Admin => Organizations and click on “Remove” from the actions menu of the corresponding org.

API Keys

By default, API keys can access only resources in the organization in which they were created. However, keys created in the “Site admins” org can be given a role called “SITE ADMIN”, which allows them to create orgs and perform the other org operations described above.