9.3. 使用命令行管理应用程序凭证
您可以使用命令行来创建和删除应用凭证。
create
子命令基于当前源的帐户创建一个应用程序凭据。例如,当作为 admin
用户提供凭证时创建凭证,会将同一角色授予应用程序凭证:
$ openstack application credential create --description "App Creds - All roles" AppCredsUser +--------------+----------------------------------------------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------------------------------------------+ | description | App Creds - All roles | | expires_at | None | | id | fc17651c2c114fd6813f86fdbb430053 | | name | AppCredsUser | | project_id | 507663d0cfe244f8bc0694e6ed54d886 | | roles | member reader admin | | secret | fVnqa6I_XeRDDkmQnB5lx361W1jHtOtw3ci_mf_tOID-09MrPAzkU7mv-by8ykEhEa1QLPFJLNV4cS2Roo9lOg | | unrestricted | False | +--------------+----------------------------------------------------------------------------------------+
警告
使用 --unrestricted
参数可让应用程序凭证创建和删除其他应用程序凭证和信任。这可能是危险的行为,默认是禁用的。您不能将 --unrestricted
参数与其他访问规则结合使用。
默认情况下,生成的角色成员资格包括分配给创建凭据的帐户的所有角色。您可以把访问权限委派给特定角色来限制角色成员资格:
$ openstack application credential create --description "App Creds - Member" --role member AppCredsUser +--------------+----------------------------------------------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------------------------------------------+ | description | App Creds - Member | | expires_at | None | | id | e21e7f4b578240f79814085a169c9a44 | | name | AppCredsUser | | project_id | 507663d0cfe244f8bc0694e6ed54d886 | | roles | member | | secret | XCLVUTYIreFhpMqLVB5XXovs_z9JdoZWpdwrkaG1qi5GQcmBMUFG7cN2htzMlFe5T5mdPsnf5JMNbu0Ih-4aCg | | unrestricted | False | +--------------+----------------------------------------------------------------------------------------+
删除应用程序凭证:
$ openstack application credential delete AppCredsUser