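Chapter 4. Managing groups
You can use Identity Service (keystone) groups to assign consistent permissions to multiple user accounts.
4.1. Using the command line
Create a group and assign permissions to the group. Members of the group inherit the same permissions that you assign to the group: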
Create the group grp-Auditors:

    $ openstack group create grp-Auditors
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | domain_id   | default                          |
    | id          | 2a4856fc242142a4aa7c02d28edfdfff |
    | name        | grp-Auditors                     |
    +-------------+----------------------------------+
View the list of keystone groups:

    $ openstack group list --long
    +----------------------------------+--------------+-----------+-------------+
    | ID                               | Name         | Domain ID | Description |
    +----------------------------------+--------------+-----------+-------------+
    | 2a4856fc242142a4aa7c02d28edfdfff | grp-Auditors | default   |             |
    +----------------------------------+--------------+-----------+-------------+
Grant the grp-Auditors group permission to access the demo project, using the member role:

    $ openstack role add member --group grp-Auditors --project demo
Add the existing user user1 to the grp-Auditors group:

    $ openstack group add user grp-Auditors user1
    user1 added to group grp-Auditors
Confirm that user1 is a member of grp-Auditors:

    $ openstack group contains user grp-Auditors user1
    user1 in group grp-Auditors
Review the effective permissions that are assigned to user1:

    $ openstack role assignment list --effective --user user1
    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
    | Role                             | User                             | Group | Project                          | Domain | Inherited |
    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
    | 9fe2ff9ee4384b1894a90878d3e92bab | 3fefe5b4f6c948e6959d1feaef4822f2 |       | 0ce36252e2fb4ea8983bed2a568fa832 |        | False     |
    +----------------------------------+----------------------------------+-------+----------------------------------+--------+-----------+
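
In the `--effective` listing the Group column is empty, so the output alone does not show that the grant reaches user1 through grp-Auditors. The following is an added example, not part of the original documentation: it attributes each effective grant to a direct assignment or to a group. It assumes the listings are exported with `-f json` and that the JSON keys mirror the table columns; the function names are hypothetical and the sample rows are constructed from the IDs shown on this page.

```python
import json

# Constructed sample input, shaped like `openstack role assignment list -f json`
# (assumption: JSON keys mirror the table columns). IDs reuse the output above.
EFFECTIVE_USER1 = json.loads("""[{"Role": "9fe2ff9ee4384b1894a90878d3e92bab",
  "User": "3fefe5b4f6c948e6959d1feaef4822f2", "Group": "",
  "Project": "0ce36252e2fb4ea8983bed2a568fa832", "Domain": "", "Inherited": false}]""")
DIRECT_USER1 = json.loads("[]")  # constructed: user1 holds no role of its own
GROUP_ROWS = {"grp-Auditors": json.loads("""[{"Role": "9fe2ff9ee4384b1894a90878d3e92bab",
  "User": "", "Group": "2a4856fc242142a4aa7c02d28edfdfff",
  "Project": "0ce36252e2fb4ea8983bed2a568fa832", "Domain": "", "Inherited": false}]""")}


def grant_key(row):
    """Reduce a row to (role, scope kind, scope id, inherited), ignoring the actor."""
    for kind in ("Project", "Domain", "System"):
        if row.get(kind):
            return (row["Role"], kind, row[kind], bool(row.get("Inherited")))
    return (row["Role"], None, None, bool(row.get("Inherited")))


def explain_effective(effective, direct, group_rows):
    """Attribute each effective grant to 'direct' and/or the groups that carry it.

    group_rows maps a group name to that group's own assignment rows; pass only
    groups the user belongs to. Rows that match nothing are marked 'unexplained'
    for manual review.
    """
    direct_keys = {grant_key(r) for r in direct}
    report = []
    for row in effective:
        key = grant_key(row)
        sources = ["direct"] if key in direct_keys else []
        sources += [f"group:{name}" for name, rows in sorted(group_rows.items())
                    if any(grant_key(r) == key for r in rows)]
        report.append({"role": key[0], "scope": key[1], "scope_id": key[2],
                       "sources": sources or ["unexplained"]})
    return report


if __name__ == "__main__":
    for entry in explain_effective(EFFECTIVE_USER1, DIRECT_USER1, GROUP_ROWS):
        print(entry)
```

An `unexplained` entry means the effective grant matched neither a direct nor a supplied group assignment and should be traced by hand.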