Chapter 12. Configuring RBAC
Role-based Access Control (RBAC) in OpenStack Networking gives granular control over shared neutron networks. Previously, a network could only be shared with all tenants or with none. OpenStack Networking now uses an RBAC table to control how neutron networks are shared between tenants, so an administrator can decide which tenants are permitted to attach instances to a given network.
As a result, a cloud administrator can remove the ability of certain tenants to create networks and instead allow them only to attach to pre-existing networks that correspond to their project.
12.1. Creating a new RBAC policy
The following example shows how to use an RBAC policy to grant a tenant access to a shared network.
1. View the list of available networks:
# neutron net-list
+--------------------------------------+-------------+-------------------------------------------------------+
| id                                   | name        | subnets                                               |
+--------------------------------------+-------------+-------------------------------------------------------+
| fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 | web-servers | 20512ffe-ad56-4bb4-b064-2cb18fecc923 192.168.200.0/24 |
| bcc16b34-e33e-445b-9fde-dd491817a48a | private     | 7fe4a05a-4b81-4a59-8c47-82c965b0e050 10.0.0.0/24      |
| 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 | public      | 2318dc3b-cff0-43fc-9489-7d4cf48aaab9 172.24.4.224/28  |
+--------------------------------------+-------------+-------------------------------------------------------+
2. View the list of tenants:
# openstack project list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
| 519e6344f82e4c079c8e2eabb690023b | services |
| 80bf5732752a41128e612fe615c886c6 | demo     |
| 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
+----------------------------------+----------+
3. Create an RBAC entry for the web-servers network that grants access to the auditors tenant (4b0b98f8c6c040f38ba4f7146e8680f5):
# neutron rbac-create fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 --type network --target-tenant 4b0b98f8c6c040f38ba4f7146e8680f5 --action access_as_shared
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type   | network                              |
| target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+---------------+--------------------------------------+
As a result, users in the auditors project can connect instances to the web-servers network.
12.2. Reviewing RBAC policies
1. Use neutron rbac-list to retrieve the IDs of the existing RBAC policies:
# neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
+--------------------------------------+-------------+--------------------------------------+
2. Use neutron rbac-show to view the details of a specific RBAC entry:
# neutron rbac-show 314004d0-2261-4d5e-bda7-0181fcf40709
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type   | network                              |
| target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+---------------+--------------------------------------+
12.3. Deleting an RBAC policy
1. Use neutron rbac-list to retrieve the IDs of the existing RBAC policies:
# neutron rbac-list
+--------------------------------------+-------------+--------------------------------------+
| id                                   | object_type | object_id                            |
+--------------------------------------+-------------+--------------------------------------+
| 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
+--------------------------------------+-------------+--------------------------------------+
2. Use neutron rbac-delete with the policy ID to delete the RBAC entry:
# neutron rbac-delete 314004d0-2261-4d5e-bda7-0181fcf40709
Deleted rbac_policy: 314004d0-2261-4d5e-bda7-0181fcf40709
12.4. RBAC for external networks
With the --action access_as_external parameter, RBAC can also control access to external networks (networks that have a gateway interface).
For example, the following steps create an RBAC entry for the web-servers network that grants access to the engineering tenant (c717f263785d4679b16a122516247deb):
1. Create a new RBAC policy using --action access_as_external:
# neutron rbac-create 6e437ff0-d20f-4483-b627-c3749399bdca --type network --target-tenant c717f263785d4679b16a122516247deb --action access_as_external
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_external                   |
| id            | ddef112a-c092-4ac1-8914-c714a3d3ba08 |
| object_id     | 6e437ff0-d20f-4483-b627-c3749399bdca |
| object_type   | network                              |
| target_tenant | c717f263785d4679b16a122516247deb     |
| tenant_id     | c717f263785d4679b16a122516247deb     |
+---------------+--------------------------------------+
2. As a result, users in the engineering tenant can view the network and connect instances to it:
$ neutron net-list
+--------------------------------------+-------------+------------------------------------------------------+
| id                                   | name        | subnets                                              |
+--------------------------------------+-------------+------------------------------------------------------+
| 6e437ff0-d20f-4483-b627-c3749399bdca | web-servers | fa273245-1eff-4830-b40c-57eaeac9b904 192.168.10.0/24 |
+--------------------------------------+-------------+------------------------------------------------------+
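An added example, not part of this guide, that serves both the review step in Section 12.2 and the external-network grants in Section 12.4: it parses the Field/Value tables that neutron rbac-show prints, groups the grants per network and action, and flags policies whose target_tenant is "*" (which Neutron treats as every project). The sample output is constructed from the IDs in this chapter, plus a hypothetical wildcard entry.

```python
# Added example (not from the Red Hat guide): parse the ASCII table that
# `neutron rbac-show` prints, as shown in this chapter, and report which
# projects may use each network. A target_tenant of "*" means every project.

def parse_table(text):
    """Return the rows of a '+---+' bordered CLI table as a list of dicts."""
    rows = [l for l in text.strip().splitlines() if l.startswith("|")]
    cells = lambda l: [c.strip() for c in l.strip().strip("|").split("|")]
    header, body = cells(rows[0]), [cells(r) for r in rows[1:]]
    return [dict(zip(header, r)) for r in body]

def parse_show(text):
    """Collapse a two-column Field/Value table into one dict."""
    return {r["Field"]: r["Value"] for r in parse_table(text)}

def summarize(policies):
    """Map network ID -> action -> sorted target tenants ('*' = everyone)."""
    out = {}
    for p in policies:
        if p.get("object_type") == "network":
            grants = out.setdefault(p["object_id"], {}).setdefault(p["action"], [])
            grants.append(p["target_tenant"])
    return {n: {a: sorted(t) for a, t in acts.items()} for n, acts in out.items()}

def wildcard_grants(policies):
    """IDs of policies that grant access to every project."""
    return [p["id"] for p in policies if p.get("target_tenant") == "*"]

# Constructed sample: the chapter's own policy, plus a hypothetical wildcard
# grant on the 'public' network (IDs taken from the chapter's tables).
SHOW_SHARED = """\
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
| object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
| object_type   | network                              |
| target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
| tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
+---------------+--------------------------------------+
"""
SHOW_WILDCARD = (SHOW_SHARED
    .replace("314004d0-2261-4d5e-bda7-0181fcf40709", "bbab1cf9-edc5-47f9-aee3-a413bd582c0a")
    .replace("fa9bb72f-b81a-4572-9c7f-7237e5fcabd3", "9b2f4feb-fee8-43da-bb99-032e4aaf3f85")
    .replace("4b0b98f8c6c040f38ba4f7146e8680f5", "*"))
POLICIES = [parse_show(SHOW_SHARED), parse_show(SHOW_WILDCARD)]
if __name__ == "__main__":
    print(summarize(POLICIES))
    print("open to every project:", wildcard_grants(POLICIES))
```

To audit a live deployment, feed the real output of neutron rbac-show for each ID returned by neutron rbac-list into parse_show in place of the constructed samples.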