This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.此内容没有您所选择的语言版本。
Chapter 7. Managing Authorization Policies
7.1. Overview
You can use the CLI to view authorization policies and the administrator CLI to manage the roles and bindings within a policy.
7.2. Viewing Roles and Bindings
				Roles grant various levels of access in the system-wide cluster policy as well as project-scoped local policies. Users and groups can be associated with, or bound to, multiple roles at the same time. You can view details about the roles and their bindings using the oc describe command.
			
Users with the cluster-admin default role in the cluster policy can view cluster policy and all local policies. Users with the admin default role in a given local policy can view that project-scoped policy.
Review a full list of verbs in the Evaluating Authorization section.
7.2.1. Viewing Cluster Policy
To view the cluster roles and their associated rule sets in the cluster policy:
oc describe clusterPolicy default
$ oc describe clusterPolicy defaultExample 7.1. Viewing Cluster Roles
To view the current set of cluster bindings, which shows the users and groups that are bound to various roles:
oc describe clusterPolicyBindings :default
$ oc describe clusterPolicyBindings :defaultExample 7.2. Viewing Cluster Bindings
7.2.2. Viewing Local Policy
While the list of local roles and their associated rule sets are not viewable within a local policy, all of the default roles are still applicable and can be added to users or groups, other than the cluster-admin default role. The local bindings, however, are viewable.
To view the current set of local bindings, which shows the users and groups that are bound to various roles:
oc describe policyBindings :default
$ oc describe policyBindings :default
					By default, the current project is used when viewing local policy. Alternatively, a project can be specified with the -n flag. This is useful for viewing the local policy of another project, if the user already has the admindefault role in it.
				
Example 7.3. Viewing Local Bindings
By default in a local policy, only the binding for the admin role is immediately listed. However, if other default roles are added to users and groups within a local policy, they become listed as well.
7.3. Managing Role Bindings
				Adding, or binding, a role to users or groups gives the user or group the relevant access granted by the role. You can add and remove roles to and from users and groups using oadm policy commands.
			
				When managing a user or group’s associated roles for a local policy using the following operations, a project may be specified with the -n flag. If it is not specified, then the current project is used.
			
| Command | Description | 
|---|---|
| 
								 | Indicates which users can perform an action on a resource. | 
| 
								 | Binds a given role to specified users in the current project. | 
| 
								 | Removes a given role from specified users in the current project. | 
| 
								 | Removes specified users and all of their roles in the current project. | 
| 
								 | Binds a given role to specified groups in the current project. | 
| 
								 | Removes a given role from specified groups in the current project. | 
| 
								 | Removes specified groups and all of their roles in the current project. | 
				You can also manage role bindings for the cluster policy using the following operations. The -n flag is not used for these operations because the cluster policy uses non-namespaced resources.
			
| Command | Description | 
|---|---|
| 
								 | Binds a given role to specified users for all projects in the cluster. | 
| 
								 | Removes a given role from specified users for all projects in the cluster. | 
| 
								 | Binds a given role to specified groups for all projects in the cluster. | 
| 
								 | Removes a given role from specified groups for all projects in the cluster. | 
For example, you can add the admin role to the alice user in joe-project by running:
oadm policy add-role-to-user admin alice -n joe-project
$ oadm policy add-role-to-user admin alice -n joe-projectYou can then view the local bindings and verify the addition in the output:
- 1
- The alice user has been added to the adminsRoleBinding.
7.4. Granting Users Daemonset Permissions
By default, project developers do not have the permission to create daemonsets. As a cluster administrator, you can grant them the abilities.
- Define a ClusterRole file: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the role: - oadm policy add-role-to-user daemonset-admin <user> - $ oadm policy add-role-to-user daemonset-admin <user>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
7.5. Creating a Local Role
To create a local role for a project, you can either copy and modify an existing role or build a new role from scratch. It is recommended that you build it from scratch so that you understand each of the permissions assigned.
To copy the cluster role view to use as a local role, run:
To create a new role from scratch, save this snippet into the file role_exampleview.yaml:
Example Role Named exampleview
Then, to add the role to your project, run:
oc project <project_you_want_to_add_the_local_role_exampleview_to>
$ oc project <project_you_want_to_add_the_local_role_exampleview_to>Optionally, annotate it with a description.
Save the following role binding in the policybinding.yaml file:
To create the PolicyBinding, run:
oc create -f policybinding.yaml -n <project-name>
$ oc create -f policybinding.yaml -n <project-name>To create the role, run:
oc create -f localrole_exampleview.yaml -n <project-name>
 $ oc create -f localrole_exampleview.yaml -n <project-name>To use the new role, run:
oadm policy add-role-to-user customview <new-user> --role-namespace=<project-name>
$ oadm policy add-role-to-user customview <new-user> --role-namespace=<project-name>
					A clusterrolebinding is a role binding that exists at the cluster level. A rolebinding exists at the project level. This can be confusing. The clusterrolebinding view must be assigned to a user within a project for that user to view the project. Local roles are only created if a cluster role does not provide the set of permissions needed for a particular situation, which is unlikely.
				
					Some cluster role names are initially confusing. The clusterroleclusteradmin can be assigned to a user within a project, making it appear that this user has the privileges of a cluster administrator. This is not the case. The clusteradmin cluster role bound to a certain project is more like a super administrator for that project, granting the permissions of the cluster role admin, plus a few additional permissions like the ability to edit rate limits. This can appear especially confusing via the web console UI, which does not list cluster policy (where cluster administrators exist). However, it does list local policy (where a locally bound clusteradmin may exist).
				
					Within a project, project administrators should be able to see rolebindings, not clusterrolebindings.