Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 13. Configure RBAC

Role-based Access Control (RBAC) policies in OpenStack Networking allows granular control over shared neutron networks. Previously, networks were shared either with all tenants, or not at all. OpenStack Networking now uses a RBAC table to control sharing of neutron networks among tenants, allowing an administrator to control which tenants are granted permission to attach instances to a network.
As a result, cloud administrators can remove the ability for some tenants to create networks and can instead allow them to attach to pre-existing networks that correspond to their project.

13.1. Create a new RBAC policy
Link kopieren

This example procedure demonstrates how to use a RBAC policy to grant a tenant access to a shared network.

  1. View the list of available networks: 

    # neutron net-list
+--------------------------------------+-------------+-------------------------------------------------------+
| id                                   | name        | subnets                                               |
+--------------------------------------+-------------+-------------------------------------------------------+
| fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 | web-servers | 20512ffe-ad56-4bb4-b064-2cb18fecc923 192.168.200.0/24 |
| bcc16b34-e33e-445b-9fde-dd491817a48a | private     | 7fe4a05a-4b81-4a59-8c47-82c965b0e050 10.0.0.0/24      |
| 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 | public      | 2318dc3b-cff0-43fc-9489-7d4cf48aaab9 172.24.4.224/28  |
+--------------------------------------+-------------+-------------------------------------------------------+
    Copy to Clipboard Toggle word wrap

  2. View the list of tenants: 

    # openstack project list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
| 519e6344f82e4c079c8e2eabb690023b | services |
| 80bf5732752a41128e612fe615c886c6 | demo     |
| 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
+----------------------------------+----------+
    Copy to Clipboard Toggle word wrap

  3. Create a RBAC entry for the web-servers network that grants access to the auditors tenant (4b0b98f8c6c040f38ba4f7146e8680f5): 

    # neutron rbac-create fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 --type network --target-tenant 4b0b98f8c6c040f38ba4f7146e8680f5 --action access_as_shared
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type   | network                              |
| target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+---------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

As a result, users in the auditors project are able to connect instances to the web-servers network.

13.2. Review your configured RBAC policies
Link kopieren

  1. Use neutron rbac-list to retrieve the ID of your existing RBAC policies: 

    # neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
+--------------------------------------+-------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

  2. Use neutron rbac-show to view the details of a specific RBAC entry: 

    # neutron rbac-show 314004d0-2261-4d5e-bda7-0181fcf40709
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type   | network                              |
| target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+---------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

13.3. Delete a RBAC policy
Link kopieren

  1. Use neutron rbac-list to retrieve the ID of your existing RBACs: 

    # neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
+--------------------------------------+-------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

  2. Use neutron rbac-delete to delete the RBAC, using its ID value: 

    # neutron rbac-delete 314004d0-2261-4d5e-bda7-0181fcf40709
Deleted rbac_policy: 314004d0-2261-4d5e-bda7-0181fcf40709
    Copy to Clipboard Toggle word wrap

13.4. RBAC for external networks
Link kopieren

You can grant RBAC access to external networks (networks with gateway interfaces attached) using the --action access_as_external parameter

For example, this procedure creates a RBAC for the web-servers network and grants access to the engineering tenant (c717f263785d4679b16a122516247deb):

1. Create a new RBAC policy using --action access_as_external: 

# neutron rbac-create 6e437ff0-d20f-4483-b627-c3749399bdca --type network --target-tenant c717f263785d4679b16a122516247deb --action access_as_external
 Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_external                   |
| id            | ddef112a-c092-4ac1-8914-c714a3d3ba08 |
| object_id     | 6e437ff0-d20f-4483-b627-c3749399bdca |
| object_type   | network                              |
| target_tenant | c717f263785d4679b16a122516247deb     |
| tenant_id     | c717f263785d4679b16a122516247deb     |
+---------------+--------------------------------------+
Copy to Clipboard Toggle word wrap

2. As a result, users in the Engineering tenant are able to view the network or connect instances to it: 

$ neutron net-list
+--------------------------------------+-------------+------------------------------------------------------+
| id                                   | name        | subnets                                              |
+--------------------------------------+-------------+------------------------------------------------------+
| 6e437ff0-d20f-4483-b627-c3749399bdca | web-servers | fa273245-1eff-4830-b40c-57eaeac9b904 192.168.10.0/24 |
+--------------------------------------+-------------+------------------------------------------------------+
Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat