Entitlements in bwCloud-OS: Difference between revisions
No edit summary |
No edit summary |
||
| Line 17: | Line 17: | ||
== Motivation == | == Motivation == | ||
The bwCloud-OS negotiated only contracts with institutions (customers) but not with individual members (users). This is a crucial difference compared to other known cloud providers. Further are severe different types of sponsors (e.g., chairs, research projects) located at the institutes, granting sub-goups of members (users) more resources. | |||
=== Access Control === | === Access Control === | ||
For [[registration]] to the bwCloud-OS [[several criterias]] need to be fulfilled. | For [[registration]] to the bwCloud-OS [[several criterias]] need to be fulfilled. By rolling out the [[Entitlements in bwCloud-OS#Special Entitlements|access entitlement]] home organization can manage by themselves who is allowed to access the bwCloud-OS. | ||
=== Automated | === Automated registration === | ||
[[Registration]] and is streamlined through entitlements: | [[Registration]] and is streamlined through entitlements: | ||
* Entitlements are | * Entitlements are automatically evaluated during registration. | ||
* Users receive | * Users receive immediate access and resources once their entitlement is confirmed. No manual activation is required. | ||
=== Delegating resposibility === | |||
The user’s home organization can define an interall process, so members can set entitlements in the home IdP. | |||
=== Reimbursement === | === Reimbursement === | ||
Entitlements also help define | Entitlements also help define who is financially responsible for produced [[booking units]] (BEH). | ||
* Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally. | * Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally. | ||
* bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing. | * bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing. | ||
=== Budget === | |||
Sometimes resources should only be consumed up to a certain level or amount of time. | |||
* Constraints can be used to manage the valid period for eligibility. | |||
* After reaching an eligibility constraint, no more costs can be produced within the associated project. | |||
== Entitlement URN structure == | == Entitlement URN structure == | ||
| Line 233: | Line 240: | ||
* The assignment of cost centers enables customers to pass on costs (internally). | * The assignment of cost centers enables customers to pass on costs (internally). | ||
=== First day of validation === | === First day of validation (NOT supported yet) === | ||
Specific day in the <code>yyyy-mm-dd</code> format that allows the institute to limit the validation window for the | Specific day in the <code>yyyy-mm-dd</code> format that allows the institute to limit the validation window begin for the eligibility. If the date is not given or <code>null</code>, the following default behavior is: Eligibility is valid from the current day on. '''This feature is currently not supported.''' | ||
=== Last day of validation (NOT supported yet) === | |||
Specific day in the <code>yyyy-mm-dd</code> format that allows the institute to limit the validation window end for the eligibility. If the date is not given or <code>null</code>, the following default behavior is: Eligibility is forever valid. '''This feature is currently not supported.''' | |||
=== Maximal number of booking units (NOT supported yet) === | |||
Integer (<code>>0</code>), that defines the maximum number of BEH that can be generated by the associated project. If the number is not given or <code>null</code>, the default behavior is: Eligibility is forever valid. '''This feature is currently not supported.''' | |||
=== Maximal number of booking units === | |||
Integer (<code>>0</code>), that defines the maximum number of BEH that can be generated by the associated project. If the number is not given or null, the default behavior is: Eligibility is forever valid. | |||
== Example Entitlement == | == Example Entitlement == | ||
==== Example 1 ==== | ==== Example 1 ==== | ||
Granting a user a request quota for a project up to the medium flavor. | Granting a user a request quota for a project up to the medium flavor. All generated booking units will be charged under the bill position ''42.'' | ||
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42</nowiki> | <nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42</nowiki> | ||
Interpreted as eligibility: | Interpreted as eligibility: | ||
| Line 257: | Line 262: | ||
==== Example 2 ==== | ==== Example 2 ==== | ||
Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce <code>5000</code> booking units. | Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce <code>5000</code> booking units. The booking units for all projects with the cost center ''student'' will be charged under the same bill position''.'' | ||
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000</nowiki> | <nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000</nowiki> | ||
Interpreted as eligibility: | Interpreted as eligibility: | ||
| Line 267: | Line 272: | ||
==== Example 3 ==== | ==== Example 3 ==== | ||
A xtiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year. | A xtiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year. Costs are allocated to cost center ''hfu_informatics_faculty''. | ||
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null</nowiki> | <nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null</nowiki> | ||
Interpreted as eligibility: | Interpreted as eligibility: | ||
| Line 277: | Line 282: | ||
==== Example 4 ==== | ==== Example 4 ==== | ||
A user with this entitlement will book the costs on the cost center ''hfu_informatics_faculty'' and must stop when the project consumed <code>1000000</code> BEH. | |||
<nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xmedium_1:hfu_informatics_faculty:null:null:1000000</nowiki> | <nowiki>urn:geant:bwcloud-os.de:group:bwcloudos_xmedium_1:hfu_informatics_faculty:null:null:1000000</nowiki> | ||
Interpreted as eligibility: | Interpreted as eligibility: | ||
quota_flavor = | quota_flavor = bwcloudos_large_1 | ||
cost_center_id = hfu_informatics_faculty | cost_center_id = hfu_informatics_faculty | ||
first_day_of_validation = <nowiki>{{today}}</nowiki> | first_day_of_validation = <nowiki>{{today}}</nowiki> | ||
last_day_of_validation = inf | last_day_of_validation = inf | ||
max_booking_units = 1000000 | max_booking_units = 1000000 | ||
Revision as of 17:17, 15 December 2025
Entitlements in bwCloud-OS define who can access the platform (Access Control), how many resources they may use (Quota flavors), and under what conditions (Eligibility).
- Every user owns at least the empty entitlement, even if not directly specified.
Every member of a higher education institution in Baden-Württemberg has a personal account. If the institution participates in the federated identity management system (bwIDM), its members can also apply for the external service bwCloud-OS, by providing additional information. This is handled through the assignment of eduPersonEntitlement to the user's account.
All entitlements are issued and managed by the user’s home institution and play a central role in how the platform is used and funded. These decisions are made exclusively by the user's home institution. The bwCloud-OS team has no authority to grant access or resources without an official entitlement.
| In a Nutshell |
|
Motivation
The bwCloud-OS negotiated only contracts with institutions (customers) but not with individual members (users). This is a crucial difference compared to other known cloud providers. Further are severe different types of sponsors (e.g., chairs, research projects) located at the institutes, granting sub-goups of members (users) more resources.
Access Control
For registration to the bwCloud-OS several criterias need to be fulfilled. By rolling out the access entitlement home organization can manage by themselves who is allowed to access the bwCloud-OS.
Automated registration
Registration and is streamlined through entitlements:
- Entitlements are automatically evaluated during registration.
- Users receive immediate access and resources once their entitlement is confirmed. No manual activation is required.
Delegating resposibility
The user’s home organization can define an interall process, so members can set entitlements in the home IdP.
Reimbursement
Entitlements also help define who is financially responsible for produced booking units (BEH).
- Defining cost centers to separate costs into different cost positions, allowing institutions to reimburse the costs internally.
- bwCloud-OS will generate aggregated usage reports and invoices per institution—no individual billing.
Budget
Sometimes resources should only be consumed up to a certain level or amount of time.
- Constraints can be used to manage the valid period for eligibility.
- After reaching an eligibility constraint, no more costs can be produced within the associated project.
Entitlement URN structure
Quota Entitlements
A quota entitlement persists out of two parts, the namespace and the identifier (eligibility):
urn:geant:bwcloud-os.de:group:ELIGIBILITY
bzw.
urn:geant:bwcloud-os.de:group:<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]
The syntax for valid entitlement identifiers is described in the sections below.
Special Entitlements
There is also a special entitlement bwcloudos_access, which determines whether a user is allowed to access the bwCloud-OS at all.
urn:geant:bwcloud-os.de:bwcloudos_access
| permition | Note |
|---|---|
| bwcloudos_access | Allows the registration for the bwCloud-OS via RegApp |
Eligibility
Every project is associated with an entitlement, making sure the project is chargeable.
- An eligibility is a unique combination of quota flavor, owner, and cost center.
- An eligibility can be assigned to a maximum of one project. The eligibility-project association is therefore unique.
- A limit value for BEH and validation dates may be set to restrict the duration of an eligibility.
Example Eligibility usage
The example in the image to the left demonstrates how costs can be accumulated based on cost centers.
Structure
Optionally, the following structure for Eli may be used to provide further information and define conditions for the quota flavor.
<quota_flavor>:<cost_center_id>[:<first_day_of_validation|null>:<last_day_of_validation|null>:<max_booking_units|null>]
Quota flavors
A project flavor specifies the maximum resources a project may receive.
- A quota flavor can be specified several times by using different cost centers. Each additional eligibility can be used for another project.
- A user can have several quota flavors.
The supported quota packages are described in the table below.
| quota flavor | Note |
|---|---|
| bwcloudos_empty | Default case. User can’t generate costs. |
| bwcloudos_tiny_1 | |
| bwcloudos_xtiny_1 | |
| bwcloudos_medium_1 | |
| bwcloudos_xmedium_1 | |
| bwcloudos_large_1 | |
| bwcloudos_xlarge_1 | |
| bwcloudos_custom | User can choose the quota to be requested. |
Each quota flavor is associated with resources granted to projects.
| Entitlement | instances | cores | ram_gb | volumes | volumes_gb | backups | backups_gb | networks | subnets | routers | floating_ips |
|---|---|---|---|---|---|---|---|---|---|---|---|
| bwcloudos_empty | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| bwcloudos_tiny_1 | 1 | 1 | 1 | 10 | 100 | 30 | 300 | 10 | 10 | 1 | 0 |
| bwcloudos_xtiny_1 | 2 | 2 | 2 | 10 | 100 | 30 | 300 | 10 | 10 | 1 | 0 |
| bwcloudos_medium_1 | 4 | 4 | 4 | 20 | 200 | 60 | 600 | 10 | 10 | 1 | 1 |
| bwcloudos_xmedium_1 | 8 | 8 | 8 | 20 | 200 | 60 | 600 | 10 | 10 | 1 | 1 |
| bwcloudos_large_1 | 16 | 16 | 16 | 40 | 400 | 120 | 1200 | 20 | 20 | 2 | 2 |
| bwcloudos_xlarge_1 | 32 | 32 | 32 | 40 | 400 | 120 | 1200 | 20 | 20 | 2 | 2 |
| bwcloudos_custom | * | * | * | * | * | * | * | * | * | * | * |
Cost centers
Cost centers are used to allocate BEH generated within projects. This string does not need to be agreed upon with us and does not need to have any meaning outside the institution.
- A cost center can be assigned to multiple eligibilities and users.
- BEH are aggregated per cost center across all projects assigned to the cost center.
- The assignment of cost centers enables customers to pass on costs (internally).
First day of validation (NOT supported yet)
Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window begin for the eligibility. If the date is not given or null, the following default behavior is: Eligibility is valid from the current day on. This feature is currently not supported.
Last day of validation (NOT supported yet)
Specific day in the yyyy-mm-dd format that allows the institute to limit the validation window end for the eligibility. If the date is not given or null, the following default behavior is: Eligibility is forever valid. This feature is currently not supported.
Maximal number of booking units (NOT supported yet)
Integer (>0), that defines the maximum number of BEH that can be generated by the associated project. If the number is not given or null, the default behavior is: Eligibility is forever valid. This feature is currently not supported.
Example Entitlement
Example 1
Granting a user a request quota for a project up to the medium flavor. All generated booking units will be charged under the bill position 42.
urn:geant:bwcloud-os.de:group:bwcloudos_medium_1:42
Interpreted as eligibility:
quota_flavor = bwcloudos_medium_1
cost_center_id = 42
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = inf
Example 2
Allow a user to request quota for a large project, but this is terminated up to the end of 2026 and can maximally produce 5000 booking units. The booking units for all projects with the cost center student will be charged under the same bill position.
urn:geant:bwcloud-os.de:group:bwcloudos_large_1:student:null:2026-12-31:5000
Interpreted as eligibility:
quota_flavor = bwcloudos_large_1
cost_center_id = student
first_day_of_validation = {{today}}
last_day_of_validation = 31.12.2026
max_booking_units = 5000
Example 3
A xtiny project can be requested. The consumed booking units will aggregate under the position for the informatics faculty and can be used from February 2026 on for one year. Costs are allocated to cost center hfu_informatics_faculty.
urn:geant:bwcloud-os.de:group:bwcloudos_xtiny_1:hfu_informatics_faculty:2026-02-01:2027-02-01:null
Interpreted as eligibility:
quota_flavor = bwcloudos_xtiny_1 cost_center_id = hfu_informatics_faculty first_day_of_validation = 01.02.2026 last_day_of_validation = 01.02.2027 max_booking_units = inf
Example 4
A user with this entitlement will book the costs on the cost center hfu_informatics_faculty and must stop when the project consumed 1000000 BEH.
urn:geant:bwcloud-os.de:group:bwcloudos_xmedium_1:hfu_informatics_faculty:null:null:1000000
Interpreted as eligibility:
quota_flavor = bwcloudos_large_1
cost_center_id = hfu_informatics_faculty
first_day_of_validation = {{today}}
last_day_of_validation = inf
max_booking_units = 1000000