此内容没有您所选择的语言版本。

Chapter 2. Role Management

2.1. Role Management
复制链接

OpenStack uses a role-based access control (RBAC) mechanism to manage access to its resources. Roles define which actions users can perform. By default, there are two predefined roles: a member role that gets attached to a tenant, and an administrative role to enable non-admin users to administer the environment. Note that there are abstract levels of permission, and it is possible to create the roles the administrator needs, and configure services adequately.

2.1.1. View Roles
复制链接

Use the following command to list the available predefined roles.

openstack role list

$ openstack role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 4fd37c2c993a4acab8e1b5896afb8687 | SwiftOperator |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_      |
| a0f19c1381c54770ae068456c4411d82 | ResellerAdmin |
| ae49e2b796ea4820ac51637be27650d8 | admin         |
+----------------------------------+---------------+

Copy to Clipboard

Toggle word wrap

To get details for a specified role, run:

openstack role show admin

$ openstack role show admin

Copy to Clipboard

Toggle word wrap

Example

openstack role show admin

$ openstack role show admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | ae49e2b796ea4820ac51637be27650d8 |
| name      | admin                            |
+-----------+----------------------------------+

Copy to Clipboard

Toggle word wrap

2.1.2. Create and Assign a Role
复制链接

As a cloud administrator, you can create and manage roles on the Keystone client using the following set of commands. Each OpenStack deployment must include at least one project, one user, and one role, linked together. However, users can be members of multiple projects. To assign users to multiple projects, create a role and assign that role to a user-project pair. Note that you can create a user and assign a primary project and default role in the dashboard.

Note

Either the name or ID can be used to specify users, roles, or projects.

Create the new-role role:

openstack role create [ROLE_NAME]

$ openstack role create [ROLE_NAME]

Copy to Clipboard

Toggle word wrap

Example

openstack role create new-role

$ openstack role create new-role
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 880c116b6a55464b99ca8d8d8fe26743 |
| name      | new-role                         |
+-----------+----------------------------------+

Copy to Clipboard

Toggle word wrap

To assign a user to a project, you must assign the role to a user-project pair. To do this, obtain the user, role, and project names or IDs:
1. List users:
  $ openstack user list
  Copy to Clipboard Toggle word wrap
2. List roles:
  $ openstack role list
  Copy to Clipboard Toggle word wrap
3. List projects:
  $ openstack project list
  Copy to Clipboard Toggle word wrap

Assign a role to a user-project pair.

openstack role add --project [PROJECT_NAME] --user [USER_ID]  [ROLE_ID]

openstack role add --project [PROJECT_NAME] --user [USER_ID]  [ROLE_ID]

Copy to Clipboard

Toggle word wrap

Example

In this example, you assign the admin role to the admin user in the demo project:

openstack role add --project demo --user 895e43465b9643b9aa29df0073572bb2  ae49e2b796ea4820ac51637be27650d8

$ openstack role add --project demo --user 895e43465b9643b9aa29df0073572bb2  ae49e2b796ea4820ac51637be27650d8

Copy to Clipboard

Toggle word wrap

Verify the role assignment for the user admin:

openstack role assignment list --user [USER_ID]  --project [PROJECT_ID]

$ openstack role assignment list --user [USER_ID]  --project [PROJECT_ID]

Copy to Clipboard

Toggle word wrap

Example

openstack role assignment list --user 895e43465b9643b9aa29df0073572bb2 --project demo

$ openstack role assignment list --user 895e43465b9643b9aa29df0073572bb2 --project demo
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
| ae49e2b796ea4820ac51637be27650d8 | 895e43465b9643b9aa29df0073572bb2 |       | 7efbdc8b4ab448b8b5aeb9fa5898ce23 |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+

Copy to Clipboard

Toggle word wrap

此内容没有您所选择的语言版本。

Chapter 2. Role Management

2.1. Role Management
复制链接

2.1.1. View Roles
复制链接

2.1.2. Create and Assign a Role
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

此内容没有您所选择的语言版本。

Chapter 2. Role Management

2.1. Role Management复制链接链接已复制到粘贴板!

2.1.1. View Roles复制链接链接已复制到粘贴板!

2.1.2. Create and Assign a Role复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.1. Role Management
复制链接

2.1.1. View Roles
复制链接

2.1.2. Create and Assign a Role
复制链接