Search

Chapter 14. Configure RBAC

download PDF

Role-based Access Control (RBAC) policies in OpenStack Networking allows granular control over shared neutron networks. Previously, networks were shared either with all tenants, or not at all. OpenStack Networking now uses a RBAC table to control sharing of neutron networks between tenants, allowing an administrator to control which tenants are granted permission to attach instances to a network.
As a result, cloud administrators can remove the ability for some tenants to create networks, and can instead allow them to attach to pre-existing networks that correspond to their project.

14.1. Create a new RBAC policy

This example procedure demonstrates how to use a RBAC policy to grant a tenant access to a shared network.

  1. View the list of available networks:

    # neutron net-list
    +--------------------------------------+-------------+------------------------------------------------------+
    | id                                   | name        | subnets                                              |
    +--------------------------------------+-------------+------------------------------------------------------+
    | 7a7974fe-3b34-4538-b413-d22b985f26e1 | public      | 7de0811f-86ed-4e1b-bc3c-fd2459d0db9d                 |
    | 6e437ff0-d20f-4483-b627-c3749399bdca | web-servers | fa273245-1eff-4830-b40c-57eaeac9b904 192.168.10.0/24 |
    | 1a744cc9-c2b2-4cfc-b06d-a10af5dc8334 | private     | 5196d774-6bd2-4f5d-9c24-a4d1c8987f10 10.0.0.0/24     |
    +--------------------------------------+-------------+------------------------------------------------------+
  2. View the list of tenants:

    # keystone tenant-list
    +----------------------------------+-------------+---------+
    |                id                |     name    | enabled |
    +----------------------------------+-------------+---------+
    | 4be7697a4258449a9677adb0fbb71e21 |    admin    |   True  |
    | 09ac16ac50634b08a689c1526a34bb82 |     demo    |   True  |
    | c717f263785d4679b16a122516247deb | engineering |   True  |
    | e8549caaf5bf4bd9b5618622e7c21c97 |   services  |   True  |
    +----------------------------------+-------------+---------+
  3. Create a RBAC for the web-servers network that grants access to the engineering tenant (c717f263785d4679b16a122516247deb):

    # neutron rbac-create 6e437ff0-d20f-4483-b627-c3749399bdca --type network --target-tenant c717f263785d4679b16a122516247deb --action access_as_shared
    Created a new rbac_policy:
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_shared                     |
    | id            | 425cdd5c-c080-4045-a896-31d446551de7 |
    | object_id     | 6e437ff0-d20f-4483-b627-c3749399bdca |
    | object_type   | network                              |
    | target_tenant | c717f263785d4679b16a122516247deb     |
    | tenant_id     | 4be7697a4258449a9677adb0fbb71e21     |
    +---------------+--------------------------------------+

As a result, users in the Engineering tenant are able to connect instances to the web-servers network.

14.2. Review your configured RBAC policies

  1. Use the rbac-list option to retrieve the ID of your existing RBAC policies:

    # neutron rbac-list
    +--------------------------------------+--------------------------------------+
    | id                                   | object_id                            |
    +--------------------------------------+--------------------------------------+
    | 425cdd5c-c080-4045-a896-31d446551de7 | 6e437ff0-d20f-4483-b627-c3749399bdca |
    +--------------------------------------+--------------------------------------+
  2. Use rbac-show to view the details of the specific RBAC entry:

    # neutron rbac-show 425cdd5c-c080-4045-a896-31d446551de7
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_shared                     |
    | id            | 425cdd5c-c080-4045-a896-31d446551de7 |
    | object_id     | 6e437ff0-d20f-4483-b627-c3749399bdca |
    | object_type   | network                              |
    | target_tenant | c717f263785d4679b16a122516247deb     |
    | tenant_id     | 4be7697a4258449a9677adb0fbb71e21     |
    +---------------+--------------------------------------+

14.3. Delete a RBAC policy

  1. Use the rbac-list option to retrieve the ID of your existing RBACs:

    # neutron rbac-list
    +--------------------------------------+--------------------------------------+
    | id                                   | object_id                            |
    +--------------------------------------+--------------------------------------+
    | 425cdd5c-c080-4045-a896-31d446551de7 | 6e437ff0-d20f-4483-b627-c3749399bdca |
    +--------------------------------------+--------------------------------------+
  2. Use rbac-delete to delete the RBAC, based on it’s ID value:

    # neutron rbac-delete 425cdd5c-c080-4045-a896-31d446551de7
    Deleted rbac_policy: 425cdd5c-c080-4045-a896-31d446551de7
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.