Chapter 3. Group Management
3.1. Manage Keystone Groups
3.1.1. Using the Command-line
You can use Identity Service (keystone) groups to assign consistent permissions to multiple user accounts. This example creates a group and then assigns permissions to the group. As a result, members of the group will inherit the same permissions that were assigned to the group:
The openstack group subcommands require keystone v3.
Create the group grp-Auditors:
$ openstack group create grp-Auditors
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | 2a4856fc242142a4aa7c02d28edfdfff |
| name        | grp-Auditors                     |
+-------------+----------------------------------+
View a list of keystone groups:
$ openstack group list --long
+----------------------------------+--------------+-----------+-------------+
| ID                               | Name         | Domain ID | Description |
+----------------------------------+--------------+-----------+-------------+
| 2a4856fc242142a4aa7c02d28edfdfff | grp-Auditors | default   |             |
+----------------------------------+--------------+-----------+-------------+
Grant the grp-Auditors group permission to access the demo project, while using the _member_ role:
$ openstack role add _member_ --group grp-Auditors --project demo
Add the existing user user1 to the grp-Auditors group:
$ openstack group add user grp-Auditors user1
user1 added to group grp-Auditors
Confirm that user1 is a member of grp-Auditors:
$ openstack group contains user grp-Auditors user1
user1 in group grp-Auditors
Review the effective permissions that have been assigned to user1:
$ openstack role assignment list --effective --user user1
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | 3fefe5b4f6c948e6959d1feaef4822f2 |       | 0ce36252e2fb4ea8983bed2a568fa832 |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
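The effective listing leaves the Group column blank because group grants are expanded into per-user rows, so it does not show which permissions a user holds only through a group. The following added example (not part of the original guide) labels each effective grant as direct or derived by comparing it with the user's direct assignments. The function name, the `ROLE_OTHER`/`PROJ_OTHER` IDs and the sample data are constructed; the input shape assumes the client's `-f value -c Role -c Project` output.

```shell
#!/bin/sh
# Added example: label each effective grant of a user as "direct" or "derived".
# Each argument is newline-separated "ROLE_ID PROJECT_ID" text, the shape printed by
#   openstack role assignment list ... -f value -c Role -c Project
# Domain-scoped rows (empty Project column) are skipped.

# classify_grants DIRECT EFFECTIVE   (hypothetical helper name)
classify_grants() {
    printf '%s\n' "$1" '---' "$2" | awk '
        $0 == "---" { effective = 1; next }   # separator between the two lists
        NF < 2      { next }                  # blank line or domain-scoped row
        !effective  { direct[$1 " " $2] = 1; next }
        {
            # A grant missing from the direct list reached the user indirectly,
            # for example through membership of a group such as grp-Auditors.
            src = (($1 " " $2) in direct) ? "direct" : "derived"
            print $1, $2, src
        }'
}

# Constructed sample data. On a live cloud, fill the two variables from:
#   direct=$(openstack role assignment list --user user1 -f value -c Role -c Project)
#   effective=$(openstack role assignment list --effective --user user1 \
#               -f value -c Role -c Project)
ROLE_PAGE=9fe2ff9ee4384b1894a90878d3e92bab    # role ID shown in the output above
PROJ_PAGE=0ce36252e2fb4ea8983bed2a568fa832    # project ID shown in the output above
ROLE_OTHER=11111111111111111111111111111111   # constructed placeholder
PROJ_OTHER=22222222222222222222222222222222   # constructed placeholder

direct="$ROLE_OTHER $PROJ_OTHER"
effective="$ROLE_OTHER $PROJ_OTHER
$ROLE_PAGE $PROJ_PAGE"

classify_grants "$direct" "$effective"
```

Rows reported as derived are the ones to review when auditing group membership, since removing the user's direct assignments does not revoke them.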
3.1.2. Using Dashboard
You can use the dashboard to manage the membership of keystone groups. You will need to use the command-line to assign role permissions to a group, as covered in the previous example.
3.1.2.1. Create a Group
- As an admin user in the dashboard, select Identity > Groups.
- Click +Create Group.
- Enter a name and description for the group.
- Click Create Group.
3.1.2.2. Manage Group Membership
You can use the dashboard to manage the membership of keystone groups.
- As an admin user in the dashboard, select Identity > Groups.
- Click Manage Members for the group you need to edit.
- Use Add users to add a user to the group. If you need to remove a user, mark its checkbox and click Remove users.