
 用户管理

身份认证用户管理的主要组件有:

  • 用户。表示现实中的你、我、他,相关信息包括用户名、密码以及电子邮箱。此例创建了一个名为alice的用户:

    $ openstack user create --password-prompt --email alice@example.com alice
  • 项目。一个租户、组或者组织。当你向OpenStack服务发出请求时,必须指定项目。举例来说,如果你向计算服务查询运行中的实例,那么得到的是查询中所指定项目的所有运行实例。下面的例子创建了一个名为acme的项目:

    $ openstack project create acme
  • 域。为认证实体的管理定义了管理边界。一个域可以表示一个个体、一个公司,或者由运维方拥有的空间。它用于将管理活动直接开放给系统用户。

    一个域是项目和用户的集合。一个用户可被赋予域的管理员角色。一个域管理员可以在域内创建项目,用户和组,以及为用户和组分配角色。

    此例创建了一个名为emea的域:

    $ openstack --os-identity-api-version=3 domain create emea
  • 角色。定义了用户在给定租户中可以执行操作的权限范围。

    此例子中创建了一个名称为 compute-user的角色:

    $ openstack role create compute-user
    [注意]注意

    各个服务(如计算服务和镜像服务)自行定义角色的含义。在身份服务中,一个角色只是一个简单的名字。

身份服务为用户分配租户和角色。例如,可以在租户 acme 中将 compute-user 角色分配给用户 alice:

$ openstack user list
+--------+-------+
| ID     | Name  |
+--------+-------+
| 892585 | alice |
+--------+-------+
$ openstack role list
+--------+---------------+
| ID     | Name          |
+--------+---------------+
| 9a764e | compute-user  |
+--------+---------------+
$ openstack project list
+--------+--------------------+
| ID     | Name               |
+--------+--------------------+
| 6b8fd2 | acme               |
+--------+--------------------+
$ openstack role add --project 6b8fd2 --user 892585 9a764e       

一个用户可以在不同的租户中拥有不同的角色。例如,Alice 在租户 Cyberdyne 中还可以拥有 admin 角色。一个用户在同一个租户中也可以拥有多个角色。

/etc/[SERVICE_CODENAME]/policy.json 文件控制着用户在给定服务中可以执行的任务。举例来说,/etc/nova/policy.json 指定了计算服务的访问策略,/etc/glance/policy.json 指定了镜像服务的访问策略,/etc/keystone/policy.json 指定了身份服务的访问策略。

对于计算、身份和镜像服务,默认的 policy.json 文件只识别 admin 角色:所有不要求 admin 角色的操作,租户中拥有任意角色的任何用户都可以执行。

如果希望限制用户在某个服务(例如计算服务)中执行操作,需要先在身份服务中创建一个角色,然后修改 /etc/nova/policy.json,使计算服务的操作要求该角色。

例如,/etc/nova/policy.json 中的下面这行表示对哪些用户可以创建卷没有任何限制:只要用户在某个租户中拥有任意角色,就可以在该租户中创建卷。

"volume:create": "",

要将创建卷的权限限制为在特定租户中拥有 compute-user 角色的用户,需要增加 "role:compute-user",如下所示:

"volume:create": "role:compute-user",

要使所有计算服务请求都要求此角色,文件最终会类似这样:

{
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:create": "role:compute-user",
    "compute:create:attach_network": "role:compute-user",
    "compute:create:attach_volume": "role:compute-user",
    "compute:get_all": "role:compute-user",
    "compute:unlock_override": "rule:admin_api",
    "admin_api": "role:admin",
    "compute_extension:accounts": "rule:admin_api",
    "compute_extension:admin_actions": "rule:admin_api",
    "compute_extension:admin_actions:pause": "rule:admin_or_owner",
    "compute_extension:admin_actions:unpause": "rule:admin_or_owner",
    "compute_extension:admin_actions:suspend": "rule:admin_or_owner",
    "compute_extension:admin_actions:resume": "rule:admin_or_owner",
    "compute_extension:admin_actions:lock": "rule:admin_or_owner",
    "compute_extension:admin_actions:unlock": "rule:admin_or_owner",
    "compute_extension:admin_actions:resetNetwork": "rule:admin_api",
    "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
    "compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
    "compute_extension:admin_actions:migrateLive": "rule:admin_api",
    "compute_extension:admin_actions:migrate": "rule:admin_api",
    "compute_extension:aggregates": "rule:admin_api",
    "compute_extension:certificates": "role:compute-user",
    "compute_extension:cloudpipe": "rule:admin_api",
    "compute_extension:console_output": "role:compute-user",
    "compute_extension:consoles": "role:compute-user",
    "compute_extension:createserverext": "role:compute-user",
    "compute_extension:deferred_delete": "role:compute-user",
    "compute_extension:disk_config": "role:compute-user",
    "compute_extension:evacuate": "rule:admin_api",
    "compute_extension:extended_server_attributes": "rule:admin_api",
    "compute_extension:extended_status": "role:compute-user",
    "compute_extension:flavorextradata": "role:compute-user",
    "compute_extension:flavorextraspecs": "role:compute-user",
    "compute_extension:flavormanage": "rule:admin_api",
    "compute_extension:floating_ip_dns": "role:compute-user",
    "compute_extension:floating_ip_pools": "role:compute-user",
    "compute_extension:floating_ips": "role:compute-user",
    "compute_extension:hosts": "rule:admin_api",
    "compute_extension:keypairs": "role:compute-user",
    "compute_extension:multinic": "role:compute-user",
    "compute_extension:networks": "rule:admin_api",
    "compute_extension:quotas": "role:compute-user",
    "compute_extension:rescue": "role:compute-user",
    "compute_extension:security_groups": "role:compute-user",
    "compute_extension:server_action_list": "rule:admin_api",
    "compute_extension:server_diagnostics": "rule:admin_api",
    "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
    "compute_extension:simple_tenant_usage:list": "rule:admin_api",
    "compute_extension:users": "rule:admin_api",
    "compute_extension:virtual_interfaces": "role:compute-user",
    "compute_extension:virtual_storage_arrays": "role:compute-user",
    "compute_extension:volumes": "role:compute-user",
    "compute_extension:volume_attachments:index": "role:compute-user",
    "compute_extension:volume_attachments:show": "role:compute-user",
    "compute_extension:volume_attachments:create": "role:compute-user",
    "compute_extension:volume_attachments:delete": "role:compute-user",
    "compute_extension:volumetypes": "role:compute-user",
    "volume:create": "role:compute-user",
    "volume:get_all": "role:compute-user",
    "volume:get_volume_metadata": "role:compute-user",
    "volume:get_snapshot": "role:compute-user",
    "volume:get_all_snapshots": "role:compute-user",
    "network:get_all_networks": "role:compute-user",
    "network:get_network": "role:compute-user",
    "network:delete_network": "role:compute-user",
    "network:disassociate_network": "role:compute-user",
    "network:get_vifs_by_instance": "role:compute-user",
    "network:allocate_for_instance": "role:compute-user",
    "network:deallocate_for_instance": "role:compute-user",
    "network:validate_networks": "role:compute-user",
    "network:get_instance_uuids_by_ip_filter": "role:compute-user",
    "network:get_floating_ip": "role:compute-user",
    "network:get_floating_ip_pools": "role:compute-user",
    "network:get_floating_ip_by_address": "role:compute-user",
    "network:get_floating_ips_by_project": "role:compute-user",
    "network:get_floating_ips_by_fixed_address": "role:compute-user",
    "network:allocate_floating_ip": "role:compute-user",
    "network:deallocate_floating_ip": "role:compute-user",
    "network:associate_floating_ip": "role:compute-user",
    "network:disassociate_floating_ip": "role:compute-user",
    "network:get_fixed_ip": "role:compute-user",
    "network:add_fixed_ip_to_instance": "role:compute-user",
    "network:remove_fixed_ip_from_instance": "role:compute-user",
    "network:add_network_to_project": "role:compute-user",
    "network:get_instance_nw_info": "role:compute-user",
    "network:get_dns_domains": "role:compute-user",
    "network:add_dns_entry": "role:compute-user",
    "network:modify_dns_entry": "role:compute-user",
    "network:delete_dns_entry": "role:compute-user",
    "network:get_dns_entries_by_address": "role:compute-user",
    "network:get_dns_entries_by_name": "role:compute-user",
    "network:create_private_dns_domain": "role:compute-user",
    "network:create_public_dns_domain": "role:compute-user",
    "network:delete_dns_domain": "role:compute-user"
}