Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 2. Role Management

2.1. Role Management
Copia collegamento

OpenStack uses a role-based access control (RBAC) mechanism to manage access to its resources. Roles define which actions users can perform. By default, there are two predefined roles: a member role that gets attached to a tenant, and an administrative role to enable non-admin users to administer the environment. Note that there are abstract levels of permission, and it is possible to create the roles the administrator needs, and configure services adequately.

2.1.1. View Roles
Copia collegamento

Use the following command to list the available predefined roles. 

$ keystone role-list
+----------------------------------+---------------+
|                id                |      name     |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f |     Member    |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab |    _member_   |
| 6ecf391421604da985db2f141e46a7c8 |     admin     |
+----------------------------------+---------------+
Copy to Clipboard Toggle word wrap

To get details for a specified role, run: 

$ keystone role-get [ROLE]
Copy to Clipboard Toggle word wrap

Example

$ keystone role-get admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 6ecf391421604da985db2f141e46a7c8 |
|   name   |             admin                |
+----------+----------------------------------+
Copy to Clipboard Toggle word wrap

2.1.2. Create and Assign a Role
Copia collegamento

As a cloud administrator, you can create and manage roles on the Keystone client using the following set of commands. Each OpenStack deployment must include at least one project, one user, and one role, linked together. However, users can be members of multiple projects. To assign users to multiple projects, create a role and assign that role to a user-project pair. Note that you can create a user and assign a primary project and default role in the dashboard.

Note

Either the name or ID can be used to specify users, roles, or projects.

  1. Create the new-role role: 

    $ keystone role-create --name [ROLE_NAME]
    Copy to Clipboard Toggle word wrap

    Example

    $ keystone role-create --name new-role
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 61013e7aa4ba4e00a0a1ab4b14bc6b2a |
|   name   |             new-role             |
+----------+----------------------------------+
    Copy to Clipboard Toggle word wrap

  2. To assign a user to a project, you must assign the role to a user-project pair. To do this, obtain the user, role, and project names or IDs:

    1. List users: 

      $ keystone user-list
      Copy to Clipboard Toggle word wrap

    2. List roles: 

      $ keystone role-list
      Copy to Clipboard Toggle word wrap

    3. List projects: 

      $ keystone tenant-list
      Copy to Clipboard Toggle word wrap

  3. Assign a role to a user-project pair. 

    $ keystone user-role-add --user [USER_NAME] --role [ROLE_NAME] --tenant [TENANT_NAME]
    Copy to Clipboard Toggle word wrap

    Example

    In this example, you assign the new-role role to the demo-demo pair: 

    $ keystone user-role-add --user demo --role new-role --tenant demo
    Copy to Clipboard Toggle word wrap

  4. Verify the role assignment for the user demo: 

    $ keystone user-role-list --user [USER_NAME] --tenant [TENANT_NAME]
    Copy to Clipboard Toggle word wrap

    Example

    $ keystone user-role-list --user demo --tenant demo
    Copy to Clipboard Toggle word wrap

2.1.3. Delete a Role
Copia collegamento

  1. Use the following command to delete a role from a user-project pair. Deleting a role ensures the associated user-project pairing is lost. 

    $ keystone user-role-remove --user [USER_NAME] --role [ROLE] --tenant [TENANT_NAME]
    Copy to Clipboard Toggle word wrap

  2. Verify the role removal: 

    $ keystone user-role-list --user [USER_NAME] --tenant [TENANT_NAME]
    Copy to Clipboard Toggle word wrap

    If the role was removed, the command output omits the removed role.

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat