이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 2. Role Management
2.1. Role Management 링크 복사링크가 클립보드에 복사되었습니다!
OpenStack uses a role-based access control (RBAC) mechanism to manage access to its resources. Roles define which actions users can perform. By default, there are two predefined roles: a member role that gets attached to a tenant, and an administrative role to enable non-admin users to administer the environment. Note that there are abstract levels of permission, and it is possible to create the roles the administrator needs, and configure services adequately.
2.1.1. View Roles 링크 복사링크가 클립보드에 복사되었습니다!
Use the following command to list the available predefined roles.
To get details for a specified role, run:
openstack role show admin
$ openstack role show admin
Example
2.1.2. Create and Assign a Role 링크 복사링크가 클립보드에 복사되었습니다!
As a cloud administrator, you can create and manage roles on the Keystone client using the following set of commands. Each OpenStack deployment must include at least one project, one user, and one role, linked together. However, users can be members of multiple projects. To assign users to multiple projects, create a role and assign that role to a user-project pair. Note that you can create a user and assign a primary project and default role in the dashboard.
Either the name or ID can be used to specify users, roles, or projects.
Create the
new-role
role:openstack role create [ROLE_NAME]
$ openstack role create [ROLE_NAME]
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example
Copy to Clipboard Copied! Toggle word wrap Toggle overflow To assign a user to a project, you must assign the role to a user-project pair. To do this, obtain the user, role, and project names or IDs:
List users:
openstack user list
$ openstack user list
Copy to Clipboard Copied! Toggle word wrap Toggle overflow List roles:
openstack role list
$ openstack role list
Copy to Clipboard Copied! Toggle word wrap Toggle overflow List projects:
openstack project list
$ openstack project list
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Assign a role to a user-project pair.
openstack role add --project [PROJECT_NAME] --user [USER_ID] [ROLE_ID]
openstack role add --project [PROJECT_NAME] --user [USER_ID] [ROLE_ID]
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example
In this example, you assign the
admin
role to theadmin
user in thedemo
project:openstack role add --project demo --user 895e43465b9643b9aa29df0073572bb2 ae49e2b796ea4820ac51637be27650d8
$ openstack role add --project demo --user 895e43465b9643b9aa29df0073572bb2 ae49e2b796ea4820ac51637be27650d8
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Verify the role assignment for the user
admin
:openstack role assignment list --user [USER_ID] --project [PROJECT_ID]
$ openstack role assignment list --user [USER_ID] --project [PROJECT_ID]
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2. Implied Roles and Domain-specific Roles 링크 복사링크가 클립보드에 복사되었습니다!
2.2.1. Implied roles 링크 복사링크가 클립보드에 복사되었습니다!
In OpenStack, access control is enforced by confirming that a user is assigned to a specific role. Until recently, those roles had to be explicitly assigned to either a user, or to a group in which the user was a member. Identity Service (keystone) has now added the concept of implied role assignments: If a user is explicitly assigned to a role, then the user could be implicitly assigned to additional roles as well.
2.2.2. Inference Rules 링크 복사링크가 클립보드에 복사되었습니다!
Implied assignment is managed by role inference rules. An inference rule is written in the form superior implies subordinate
. For example, a rule might state that the admin
role implies the _member_
role. As a result, a user assigned to admin
for a project would implicitly be assigned to the _member_
role as well.
With implied roles, a user’s role assignments are processed cumulatively, allowing the user to inherit the subordinate roles. This result is dependent on an inference rule being created that specifies this outcome.
2.2.2.1. Keystone Configuration 링크 복사링크가 클립보드에 복사되었습니다!
For keystone to observe implied roles, the infer_roles
setting must be enabled in /etc/keystone/keystone.conf:
[token] infer_roles = true
[token]
infer_roles = true
Implied roles are governed by a defined set of inference rules. These rules determine how a role assignment can result in the implied membership of another role. See Section 2.2.3.1, “Demonstration of Implied Roles” for an example.
2.2.3. Prevent Certain Roles From Being Implied 링크 복사링크가 클립보드에 복사되었습니다!
You can prevent certain roles from being implied onto a user. For example, in /etc/keystone/keystone.conf, you can add a ListOpt
of roles:
[assignment] prohibited_implied_role = admin
[assignment]
prohibited_implied_role = admin
This will prevent a user from ever being assigned a role implicitly. Instead, the user will need to be explicitly granted access to that role.
2.2.3.1. Demonstration of Implied Roles 링크 복사링크가 클립보드에 복사되었습니다!
This section describes how to create an inference rule, resulting in an implied role. These rules control how one role can imply membership of another. The example rule used in the following procedure will imply that members of the admin
role also have _member_
access:
2.2.3.1.1. Assign a Role to the User 링크 복사링크가 클립보드에 복사되었습니다!
Retrieve the ID of a user that will have the
_member_
role implied. For example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Retrieve the ID of the
demo
project:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Retrieve the ID of the
admin
role:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Give the
User1
useradmin
privileges to thedemo
project:openstack role add --user User1 --project demo admin
$ openstack role add --user User1 --project demo admin
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Confirm the
admin
role assignment:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.3.1.2. Create the Inference Rule 링크 복사링크가 클립보드에 복사되었습니다!
Now that you have granted the admin
role to User1, run the following steps to create the inference rule:
First, confirm User1’s current role membership:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Retrieve the list of role IDs:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create the inference rule. These are currently created using
curl
. This example uses the IDs of the roles returned in the previous step. It also runs the command using theadmin_token
in keystone.conf:source overcloudrc export OS_TOKEN=`grep ^admin_token /etc/keystone/keystone.conf | awk -F'=' '{print $2}'` curl -X PUT -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/roles/9b821b2920544be7a4d8f71fa99fcd35/implies/9fe2ff9ee4384b1894a90878d3e92bab
source overcloudrc export OS_TOKEN=`grep ^admin_token /etc/keystone/keystone.conf | awk -F'=' '{print $2}'` curl -X PUT -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/roles/9b821b2920544be7a4d8f71fa99fcd35/implies/9fe2ff9ee4384b1894a90878d3e92bab
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Review the results using the CLI. In this example, User1 has received implied access to the
_member_
role, as indicated by ID9fe2ff9ee4384b1894a90878d3e92bab
:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Review your inference rules using curl:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2.4. Domain-Specific Roles 링크 복사링크가 클립보드에 복사되었습니다!
Domain-specific roles grant you more granular control when defining rules for roles, allowing the roles to act as aliases for the existing prior roles. Note that you cannot have a global role implying a domain-specific role. As a result, if you list the effective role assignments of a user in a project, the domain-specific roles will not be present.
Domain-specific roles can be created by a user who administers their keystone domain; they do not have to be administrators of the OpenStack deployment. This means that a domain-specific role definition can be limited to a specific domain.
Domain-specific roles cannot be used to scope a token. This can only be done with global roles.
2.2.4.1. Using Domain-Specific Roles 링크 복사링크가 클립보드에 복사되었습니다!
This example describes how to create a domain specific role and review its effect.
Create a domain:
openstack domain create corp01
$ openstack domain create corp01
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a role that specifies a domain (note that this parameter is distinct from
--domain
):openstack role create operators --role-domain domain-corp01
$ openstack role create operators --role-domain domain-corp01
Copy to Clipboard Copied! Toggle word wrap Toggle overflow