Entitlements in bwCloud-OS: Difference between revisions

Line 1: Line 1:
{| class="mw-message-box mw-message-box-warning"
{| class="mw-message-box mw-message-box-warning"
| style="vertical-align:middle;" | '''⚠️ Please Note:''' This page is currently under development.
| style="vertical-align:middle;" | '''⚠️ Please Note:''' This page is currently under development.
Line 7: Line 6:
|}
|}


Entitlements in bwCloud-OS define '''who can access the platform''', '''how many resources they may use''' ([[Entitlements in bwCloud-OS#Quota flavors|Quota flavors]]), and '''under what conditions''' ([[Entitlements in bwCloud-OS#Eligibility JSON|Eligibility]]). They are issued and managed by the user’s home institution and play a central role in how the platform is used and funded.  These decisions are made '''exclusively by the user's home institution'''. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.
<span id="In-a-Nutshell"></span>
{{InANutshell|
<li>is a information string, given by the home organization</li>
<li>a customer can use the entitlements to allow their members to consume in the bwCloud-OS and to control eventual costs.</li>
}}
 
Entitlements in bwCloud-OS define '''who can access the platform''' ([[Entitlements in bwCloud-OS#Access Control via Entitlements|Access Control]]), '''how many resources they may use''' ([[Entitlements in bwCloud-OS#Quota flavors|Quota flavors]]), and '''under what conditions''' ([[Entitlements in bwCloud-OS#Eligibility JSON|Eligibility]]).  
 
Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system ('''bwIDM'''), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of <code>eduPersonEntitlement</code>, to the user's account.


In a nutshell, a customer can use the entitlements to allow their members to consume in the bwCloud-OS and to control eventual costs.
All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded.  These decisions are made '''exclusively by the user's home institution'''. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.


__TOC__
__TOC__
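Review bot: the new In-a-Nutshell item "is a information string, given by the home organization" should read "is an information string"; and the new intro paragraph links to `Entitlements in bwCloud-OS#Eligibility JSON`, but this revision renames that heading to "== Eligibility ==" (with a "=== Structure ===" subsection) further down, so the anchor no longer resolves; change the link to `Entitlements in bwCloud-OS#Eligibility`.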
Line 15: Line 22:
== Motivation ==
== Motivation ==


=== Access Control via Entitlements ===
=== Access Control ===
The entitlement ''bwcloudos_access'' determines whether a user is allowed to access bwCloud-OS at all. Accessing the bwCloud-OS requires a [[registration]] in advance.
Accessing the bwCloud-OS requires a [[registration]] in advance. The entitlement ''bwcloudos_access'' determines, besides other criteria, whether a user is allowed to access / register for the bwCloud-OS at all.


=== Automated Registration ===
=== Automated Registration ===
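Review bot: renaming "=== Access Control via Entitlements ===" to "=== Access Control ===" breaks the `#Access Control via Entitlements` anchor that the new intro paragraph uses and that the Special Entitlements section still refers to ("further described in Access Control via Entitlements"); either keep the old name as an anchor (a `<span id="...">` as done for In-a-Nutshell) or update both references.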
Line 29: Line 36:
** Verifying users have access to funding.
** Verifying users have access to funding.
** Covering the collective costs for all users from that institution.
** Covering the collective costs for all users from that institution.
* bwCloud-OS will generate aggregated usage reports and invoices per institution — no individual billing.__TOC__
* bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.


== Structure ==
== Entitlement structure ==
An entitlement persists out of two parts, the quota flavor and optionally the eligibilities,
An entitlement persists out of two parts, the [[Entitlements in bwCloud-OS#Quota flavors|Quota flavors]] and optionally the [[Entitlements in bwCloud-OS#Eligibility|Eligibility]]:
  QUOTA_FLAVOR
  <nowiki>urn:geant:bwcloud-os.de:group:QUOTA_FLAVOR</nowiki>[:ELIGIBILITY]
bzw.
bzw.
  QUOTA_FLAVOR:json=ELIGIBILITY
  <nowiki>urn:geant:bwcloud-os.de:group</nowiki>:<quota_flavor>[:<cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>]
, where ''QUOTA_FLAVOR'' must be one of the supported values from the table [[TODO LINK]] below and ''ELIGIBILITY'' is the base64-encoded JSON structure described below.
The valid syntax is described in the sections below.
 
=== Example Entitlements ===
 
==== Example 1 ====
Granting a user to request quota for a project up to the medium flavor.
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_medium_1</nowiki>
 
==== Example 2 ====
Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 booking units. All generated booking units will be charged under the bill position ''student.''
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student::2026-12-31:5000</nowiki>
 
==== Example 3 ====
A tiny project can be requested. The consumed booking units will aggregate under the position for the ''technical_faculty''.
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:technical_faculty</nowiki>:::


=== Special Entitlements ===
=== Special Entitlements ===
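Review bot: "An entitlement persists out of two parts" is carried over unchanged and should read "consists of two parts", and the untranslated "bzw." between the two syntax forms should be "or". The new colon-delimited form should also state that optional fields may be left empty while the separators stay, because Example 2 leaves `<first_day_valid>` empty (`student::2026-12-31:5000`) and Example 3 leaves all three trailing fields empty (`technical_faculty:::`); in Example 3 the trailing `:::` sits outside the `<nowiki>` tags, unlike the other two examples.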
Line 49: Line 70:


== Quota flavors ==
== Quota flavors ==
The entitlements for granting quotas are described in the table below.
The supported quota packages are described in the table below.
{| class="wikitable"
{| class="wikitable"
|+List of supported quota flavors
|+List of supported quota flavors
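Review bot: "The supported quota packages" introduces a term the rest of the page never uses; the table caption on the next line and every heading say "quota flavors", so keep "quota flavors" here.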
Line 79: Line 100:
|User can choose the quota to be requested.
|User can choose the quota to be requested.
|}
|}
Each quota flavor is associated with resources granted to projects.
Each quota flavor is associated with resources granted to [[Projects and Quota|Projects]].
{| class="wikitable"
{| class="wikitable"
|+Resources associated with each quota flavor
|+Resources associated with each quota flavor
Line 199: Line 220:
| valign="top" |*
| valign="top" |*
|}
|}
== Eligibility ==


 
=== Structure ===
== Eligibility JSON ==
Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor.
Optionally, the following structure for [[Eligibility|Eligibilities]] may be used to provide further information and define conditions for the quota flavor.
  <cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>
  {"eligs": [{"cc_id": "COST_CENTER_ID", "first_val": "YYYY-MM-DD", "last_val": "YYYY-MM-DD", "max_bu": "INTEGER"}, {...}]}
This JSON needs to be utf-8 and base64 encoded.
This JSON needs to be utf-8 and base64 encoded.
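Review bot: "the following structure for Eli may be used" is truncated ("Eligibility"), and once the JSON line is replaced by the colon-delimited `<cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>` form, the retained sentence "This JSON needs to be utf-8 and base64 encoded" no longer refers to anything in this subsection; move it next to the JSON form under "Detailed" or drop it here.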



Revision as of 10:31, 15 December 2025

⚠️ Please Note: This page is currently under development.
This page is about the entitlements for the bwCloud-OS NG. Please visit entitlements for bwCloud-SCOPE for the legacy information.

In a Nutshell
  • An entitlement is an information string issued by the user's home organization.
  • A customer can use entitlements to allow its members to consume resources in bwCloud-OS and to control the costs that may arise.

Entitlements in bwCloud-OS define who can access the platform (Access Control), how many resources they may use (Quota flavors), and under what conditions (Eligibility).

Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system (bwIDM), its members can also apply for the external service bwCloud-OS by providing additional information. This is handled through the assignment of eduPersonEntitlement values to the user's account.

All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded. These decisions are made exclusively by the user's home institution. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.

Motivation

Access Control

Accessing bwCloud-OS requires a registration in advance. The entitlement bwcloudos_access determines, among other criteria, whether a user is allowed to access or register for bwCloud-OS at all.

Automated Registration

Registration is streamlined through entitlements:

  • Entitlements are automatically evaluated during registration.
  • Users receive immediate access and resources once their entitlement is confirmed. No manual activation is required.

Cost Allocation and Funding Model

Entitlements also help define who is financially responsible for resource usage. To ensure sustainable operation and future hardware/software upgrades, bwCloud-OS is moving toward a cost allocation model.

  • The user’s institution is responsible for:
    • Verifying users have access to funding.
    • Covering the collective costs for all users from that institution.
  • bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.

Entitlement structure

An entitlement consists of two parts, the Quota flavor and optionally the Eligibility:

urn:geant:bwcloud-os.de:group:QUOTA_FLAVOR[:ELIGIBILITY]

or, with the eligibility fields written out:

urn:geant:bwcloud-os.de:group:<quota_flavor>[:<cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>]

The valid syntax is described in the sections below.

Example Entitlements

Example 1

Grants a user the right to request quota for a project up to the medium flavor.

urn:geant:bwcloud-os.de:group:bwcloudos_medium_1

Example 2

Allows a user to request quota for a large project. The eligibility ends on 2026-12-31 and may produce at most 5000 booking units; the first_day_valid field is left empty, so it is valid from day one. All generated booking units are charged under the bill position student.

urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student::2026-12-31:5000

Example 3

A tiny project can be requested. The consumed booking units are aggregated under the position for technical_faculty; the three remaining eligibility fields are left empty, so their defaults apply.

urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:technical_faculty:::
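The colon-delimited syntax and the three examples above are enough to write a strict parser for entitlement strings. The following Python is an added example, not code from this wiki page or from the bwCloud-OS project: it maps the quota flavor onto the resource table given further down and treats an empty optional field as "use the default", exactly as Examples 2 and 3 do. That bwcloudos_access is carried under the same URN prefix, that an entitlement with a malformed optional field is rejected as a whole, and all function names are assumptions of this example.

```python
"""Parse and validate bwCloud-OS entitlement strings in the colon-delimited form.

Added example, not code from the wiki page or the bwCloud-OS project.
Assumptions not stated on the page: the access entitlement uses the same URN
prefix as the quota flavors, and an entitlement whose optional fields fail
validation is rejected as a whole instead of being silently truncated.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

URN_PREFIX = "urn:geant:bwcloud-os.de:group:"
ACCESS_ENTITLEMENT = URN_PREFIX + "bwcloudos_access"  # assumption: same prefix

# Resource table from the page, in column order.
RESOURCE_FIELDS = ("instances", "cores", "ram_gb", "volumes", "volumes_gb",
                   "backups", "backups_gb", "networks", "subnets", "routers",
                   "floating_ips")
QUOTA_FLAVORS: Dict[str, Optional[tuple]] = {
    "bwcloudos_empty":     (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
    "bwcloudos_tiny_1":    (1, 1, 1, 10, 100, 30, 300, 10, 10, 1, 0),
    "bwcloudos_xtiny_1":   (2, 2, 2, 10, 100, 30, 300, 10, 10, 1, 0),
    "bwcloudos_medium_1":  (4, 4, 4, 20, 200, 60, 600, 10, 10, 1, 1),
    "bwcloudos_xmedium_1": (8, 8, 8, 20, 200, 60, 600, 10, 10, 1, 1),
    "bwcloudos_large_1":   (16, 16, 16, 40, 400, 120, 1200, 20, 20, 2, 2),
    "bwcloudos_xlarge_1":  (32, 32, 32, 40, 400, 120, 1200, 20, 20, 2, 2),
    "bwcloudos_custom":    None,  # the user chooses the quota to be requested
}


@dataclass(frozen=True)
class Entitlement:
    quota_flavor: str
    cost_center_id: Optional[str] = None     # None: home organization of the owner
    first_day_valid: Optional[date] = None   # None: valid from day one
    last_day_valid: Optional[date] = None    # None: valid until removed
    max_booking_units: Optional[int] = None  # None: unlimited

    def resources(self) -> Optional[Dict[str, int]]:
        """Resources granted to a project under this flavor (None for custom)."""
        row = QUOTA_FLAVORS[self.quota_flavor]
        return None if row is None else dict(zip(RESOURCE_FIELDS, row))


def _parse_day(field: str, raw: str) -> Optional[date]:
    """An empty field means 'use the default'; anything else must be YYYY-MM-DD."""
    if raw == "":
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        raise ValueError(f"{field}: {raw!r} is not a YYYY-MM-DD date") from None


def parse_entitlement(value: str) -> Entitlement:
    """Strictly parse
    urn:geant:bwcloud-os.de:group:<quota_flavor>[:<cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>]

    Either the flavor stands alone or all four eligibility fields are present;
    empty fields (Examples 2 and 3 on the page) select the documented default.
    """
    if not value.startswith(URN_PREFIX):
        raise ValueError("not a bwCloud-OS group entitlement")
    parts = value[len(URN_PREFIX):].split(":")
    flavor = parts[0]
    if flavor not in QUOTA_FLAVORS:
        raise ValueError(f"unknown quota flavor {flavor!r}")
    if len(parts) == 1:
        return Entitlement(flavor)
    if len(parts) != 5:
        raise ValueError("eligibility needs exactly four fields (empty ones allowed)")
    cc_id, first_raw, last_raw, max_raw = parts[1:]
    first = _parse_day("first_day_valid", first_raw)
    last = _parse_day("last_day_valid", last_raw)
    if first is not None and last is not None and first > last:
        raise ValueError("first_day_valid lies after last_day_valid")
    max_bu: Optional[int] = None
    if max_raw != "":
        # ASCII digits only: rejects signs, whitespace, fractions and exotic digits
        if not (max_raw.isascii() and max_raw.isdigit()):
            raise ValueError(f"max_booking_units: {max_raw!r} is not a non-negative integer")
        max_bu = int(max_raw)
    return Entitlement(flavor, cc_id or None, first, last, max_bu)


def is_valid_entitlement(value: str) -> bool:
    """True if parse_entitlement accepts the string."""
    try:
        parse_entitlement(value)
        return True
    except ValueError:
        return False


def may_register(entitlements: List[str]) -> bool:
    """Registration via RegApp needs bwcloudos_access; a quota flavor alone does not suffice."""
    return ACCESS_ENTITLEMENT in entitlements
```

Rejecting rather than ignoring a malformed field matters here because the entitlement is the only authorization signal the platform receives from the home institution: an unparseable date or booking-unit cap should never quietly fall back to "unlimited".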

Special Entitlements

There is also the entitlement bwcloudos_access, which is further described under Access Control.

Entitlement       | Note
------------------|----------------------------------------------------
bwcloudos_access  | Allows the registration for bwCloud-OS via RegApp

Quota flavors

The supported quota flavors are described in the table below.

List of supported quota flavors

quota flavor         | Note
---------------------|-------------------------------------------
bwcloudos_empty      | Default case. User can't generate costs.
bwcloudos_tiny_1     |
bwcloudos_xtiny_1    |
bwcloudos_medium_1   |
bwcloudos_xmedium_1  |
bwcloudos_large_1    |
bwcloudos_xlarge_1   |
bwcloudos_custom     | User can choose the quota to be requested.

Each quota flavor is associated with resources granted to Projects.

Resources associated with each quota flavor

Entitlement          | instances | cores | ram_gb | volumes | volumes_gb | backups | backups_gb | networks | subnets | routers | floating_ips
---------------------|-----------|-------|--------|---------|------------|---------|------------|----------|---------|---------|-------------
bwcloudos_empty      | 0         | 0     | 0      | 0       | 0          | 0       | 0          | 0        | 0       | 0       | 0
bwcloudos_tiny_1     | 1         | 1     | 1      | 10      | 100        | 30      | 300        | 10       | 10      | 1       | 0
bwcloudos_xtiny_1    | 2         | 2     | 2      | 10      | 100        | 30      | 300        | 10       | 10      | 1       | 0
bwcloudos_medium_1   | 4         | 4     | 4      | 20      | 200        | 60      | 600        | 10       | 10      | 1       | 1
bwcloudos_xmedium_1  | 8         | 8     | 8      | 20      | 200        | 60      | 600        | 10       | 10      | 1       | 1
bwcloudos_large_1    | 16        | 16    | 16     | 40      | 400        | 120     | 1200       | 20       | 20      | 2       | 2
bwcloudos_xlarge_1   | 32        | 32    | 32     | 40      | 400        | 120     | 1200       | 20       | 20      | 2       | 2
bwcloudos_custom     | *         | *     | *      | *       | *          | *       | *          | *        | *       | *       | *

Eligibility

Structure

Optionally, the following structure for Eligibility may be used to provide further information and define conditions for the quota flavor.

<cost_center_id>:<first_day_valid>:<last_day_valid>:<max_booking_units>

The JSON form (see Detailed below) needs to be UTF-8 and base64 encoded.

Detailed

⚠️ Attention: JSON does not allow comments; they must be removed to obtain a valid data structure!
{
  # Optional: Define eligibilities
  "eligs":
  [
    # First eligibility
    {
      # Optional: The ID/name of your cost center. The fallback is to charge the
      #           'home organization' of the entitlement owner.
      "cc_id": "COST_CENTER_ID",
      
      # Optional: Day from which this eligibility is valid. Default behavior is
      #           valid from day one.
      "first_val": "YYYY-MM-DD",
      
      # Optional: Day after which this eligibility is no longer valid. Default behavior is
      #           valid until removed from the owner's entitlement.
      "last_val": "YYYY-MM-DD",
      
      # Optional: Number of consumable booking units, after which this eligibility
      #           is no longer debitable for this user. Default behavior is
      #           unlimited.
      "max_bu": "INTEGER"
    },

    # Next eligibility
    {
    ...
    }
  ]
}
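As an added example (not part of this page or of the bwCloud-OS code), the following Python encodes and decodes the {"eligs": [...]} document the way this section requires (UTF-8, then base64), rejects the commented template above exactly as a JSON parser would, and applies the documented defaults when deciding whether an eligibility can still be debited on a given day. The function names, the single counter of booking units already consumed, and charging the first debitable eligibility in list order are assumptions of this example.

```python
"""Decode the base64/UTF-8 eligibility JSON and decide which cost center a charge goes to.

Added example; not code from the wiki page or the bwCloud-OS project.
Assumptions not stated on the page: the encoded payload holds only the JSON
(comments stripped, as the page warns); `consumed_bu` is the number of booking
units this user has already had debited; and when several eligibilities are
debitable, the first one in list order is charged.
"""
import base64
import json
from datetime import date
from typing import List, Optional

ELIGIBILITY_KEYS = {"cc_id", "first_val", "last_val", "max_bu"}


def encode_eligibility(eligs: List[dict]) -> str:
    """Build {"eligs": [...]}, UTF-8 encode it, then base64 encode it."""
    raw = json.dumps({"eligs": eligs}, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_eligibility(encoded: str) -> List[dict]:
    """Reverse of encode_eligibility with structural validation; raises ValueError."""
    raw = base64.b64decode(encoded, validate=True)   # non-alphabet characters are an error
    doc = json.loads(raw.decode("utf-8"))            # '#' comments make this fail, as the page warns
    if not isinstance(doc, dict) or not isinstance(doc.get("eligs"), list):
        raise ValueError('expected {"eligs": [...]}')
    for elig in doc["eligs"]:
        if not isinstance(elig, dict) or not set(elig) <= ELIGIBILITY_KEYS:
            raise ValueError(f"unexpected eligibility entry: {elig!r}")
    return doc["eligs"]


def is_valid_eligibility(encoded: str) -> bool:
    """True if the payload decodes to a well-formed eligibility document."""
    try:
        decode_eligibility(encoded)
        return True
    except ValueError:   # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        return False


def debitable_cost_center(elig: dict, on: str, consumed_bu: int, home_org: str) -> Optional[str]:
    """Cost center to charge on day `on` (YYYY-MM-DD), or None if not debitable.

    Defaults follow the Detailed section: no cc_id -> home organization,
    no first_val -> valid from day one, no last_val -> valid until removed,
    no max_bu -> unlimited.
    """
    day = date.fromisoformat(on)
    first_val, last_val = elig.get("first_val"), elig.get("last_val")
    if first_val and day < date.fromisoformat(first_val):
        return None
    if last_val and day > date.fromisoformat(last_val):   # last_val itself is still valid
        return None
    max_bu = elig.get("max_bu")
    if max_bu not in (None, "") and consumed_bu >= int(max_bu):
        return None
    return elig.get("cc_id") or home_org


def charge_target(encoded: str, on: str, consumed_bu: int, home_org: str) -> Optional[str]:
    """First eligibility in list order that can still be debited (assumption)."""
    for elig in decode_eligibility(encoded):
        cc = debitable_cost_center(elig, on, consumed_bu, home_org)
        if cc is not None:
            return cc
    return None


# Constructed sample: the page's commented template is NOT valid JSON and must be rejected.
COMMENTED_TEMPLATE_B64 = base64.b64encode(
    b'{\n  # Optional: Define eligibilities\n  "eligs": []\n}').decode("ascii")
```

Validating the structure (known keys only, base64 alphabet enforced) before evaluating it keeps a malformed entitlement from being misread as a more permissive one; an eligibility that cannot be parsed should yield no charge target rather than a default of "unlimited".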