Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 12. Configuring RBAC policies

12.1. Overview of RBAC policies
Copiar enlace

Role-based access control (RBAC) policies in OpenStack Networking allow granular control over shared neutron networks. OpenStack Networking uses a RBAC table to control sharing of neutron networks among projects, allowing an administrator to control which projects are granted permission to attach instances to a network.

As a result, cloud administrators can remove the ability for some projects to create networks and can instead allow them to attach to pre-existing networks that correspond to their project.

12.2. Creating RBAC policies
Copiar enlace

This example procedure demonstrates how to use a role-based access control (RBAC) policy to grant a project access to a shared network.

  1. View the list of available networks: 

    $ openstack network list
    Copy to Clipboard Toggle word wrap
    Sample output
    +--------------------------------------+-------------+-------------------------------------------------------+
| id                                   | name        | subnets                                               |
+--------------------------------------+-------------+-------------------------------------------------------+
| fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 | web-servers | 20512ffe-ad56-4bb4-b064-2cb18fecc923 192.168.200.0/24 |
| bcc16b34-e33e-445b-9fde-dd491817a48a | private     | 7fe4a05a-4b81-4a59-8c47-82c965b0e050 10.0.0.0/24      |
| 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 | public      | 2318dc3b-cff0-43fc-9489-7d4cf48aaab9 172.24.4.224/28  |
+--------------------------------------+-------------+-------------------------------------------------------+
    Copy to Clipboard Toggle word wrap

  2. View the list of projects: 

    $ openstack project list
    Copy to Clipboard Toggle word wrap
    Sample output
    +----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
| 519e6344f82e4c079c8e2eabb690023b | services |
| 80bf5732752a41128e612fe615c886c6 | demo     |
| 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
+----------------------------------+----------+
    Copy to Clipboard Toggle word wrap

  3. Create a RBAC entry for the web-servers network that grants access to the auditors project (4b0b98f8c6c040f38ba4f7146e8680f5):

    Example
    $ openstack network rbac create --type network --target-project 4b0b98f8c6c040f38ba4f7146e8680f5 --action access_as_shared web-servers
    Copy to Clipboard Toggle word wrap
    Sample output
    Created a new rbac_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| action         | access_as_shared                     |
| id             | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id      | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type    | network                              |
| target_project | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| project_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+----------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

As a result, users in the auditors project can connect instances to the web-servers network.

12.3. Reviewing RBAC policies
Copiar enlace

To review RBAC policies, follow these steps:

Procedure

  1. Run the openstack network rbac list command to retrieve the ID of your existing role-based access control (RBAC) policies: 

    $ openstack network rbac list
    Copy to Clipboard Toggle word wrap
    Sample output
    +--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
+--------------------------------------+-------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

  2. Run the openstack network rbac-show command to view the details of a specific RBAC entry:

    Example
    $ openstack network rbac show 314004d0-2261-4d5e-bda7-0181fcf40709
    Copy to Clipboard Toggle word wrap
    Sample output
    +----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| action         | access_as_shared                     |
| id             | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id      | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type    | network                              |
| target_project | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| project_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+----------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

12.4. Deleting RBAC policies
Copiar enlace

To delete RBAC policies, follow these steps:

  1. Run the openstack network rbac list command to retrieve the ID of your existing role-based access control (RBAC) policies: 

    $ openstack network rbac list
    Copy to Clipboard Toggle word wrap
    Sample output
    +--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
+--------------------------------------+-------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

  2. Run the openstack network rbac delete command to delete the RBAC, using the ID of the RBAC that you want to delete:

    Example
    $ openstack network rbac delete 314004d0-2261-4d5e-bda7-0181fcf40709
Deleted rbac_policy: 314004d0-2261-4d5e-bda7-0181fcf40709
    Copy to Clipboard Toggle word wrap

12.5. Granting RBAC policy access for external networks
Copiar enlace

You can grant role-based access control (RBAC) policy access to external networks (networks with gateway interfaces attached) using the --action access_as_external parameter.

Complete the steps in the following example procedure to create a RBAC for the web-servers network and grant access to the engineering project (c717f263785d4679b16a122516247deb):

  • Create a new RBAC policy using the --action access_as_external option:

    Example
    $ openstack network rbac create --type network --target-project \
c717f263785d4679b16a122516247deb --action access_as_external \
web-servers
    Copy to Clipboard Toggle word wrap
    Sample output
     Created a new rbac_policy:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| action         | access_as_external                   |
| id             | ddef112a-c092-4ac1-8914-c714a3d3ba08 |
| object_id      | 6e437ff0-d20f-4483-b627-c3749399bdca |
| object_type    | network                              |
| target_project | c717f263785d4679b16a122516247deb     |
| project_id     | c717f263785d4679b16a122516247deb     |
+----------------+--------------------------------------+
    Copy to Clipboard Toggle word wrap

    As a result, users in the engineering project are able to view the network or connect instances to it: 

    $ openstack network list
    Copy to Clipboard Toggle word wrap
    Sample output
    +--------------------------------------+-------------+------------------------------------------------------+
| id                                   | name        | subnets                                              |
+--------------------------------------+-------------+------------------------------------------------------+
| 6e437ff0-d20f-4483-b627-c3749399bdca | web-servers | fa273245-1eff-4830-b40c-57eaeac9b904 192.168.10.0/24 |
+--------------------------------------+-------------+------------------------------------------------------+
    Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat