How to Create OpenStack Projects, Users and Roles

Date: 2020-02-23 14:41:12  Source: igfitidea

As an OpenStack cloud administrator, you can create, delete or modify projects, users and roles either in the Horizon Dashboard or with the OpenStack CLI.
An OpenStack user can be a member of one or more projects.
OpenStack controls access to cloud resources with role-based access control (RBAC).
An operation is authorized only if the user holds a role that permits it.
Roles define which operations a user may perform.

OpenStack ships with three main predefined roles:

admin: an administrative role that lets a non-admin user administer the environment.
member: the default role assigned to new users; it is added to the tenant (project).
reader: used mainly for read-only APIs and operations.

List the predefined roles available in OpenStack with:

$ openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1d07e8e4730e453f88fb14c5d342a7cd | member |
| 69952e0bf4bb44feaed4fd4f892eb424 | admin  |
| d638006a45cf49a7823cfcda5bf0c429 | reader |
+----------------------------------+--------+

To show the details of a specific role, use:

$ openstack role show reader
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | d638006a45cf49a7823cfcda5bf0c429 |
| name        | reader                           |
+-------------+----------------------------------+

In this tutorial we will create a project and two users, then assign roles to the users.

1: Create an OpenStack Project

A project is a group of zero or more users that consumes cloud resources.
We will use the OpenStack CLI for every operation.
If you are new to the CLI, see our earlier tutorial:

How to Install and Configure the OpenStack Client on Linux

To create an OpenStack project from the CLI, run:

$ openstack project create --description "Development Project" dev
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Development Project              |
| domain_id   | default                          |
| enabled     | True                             |
| id          | be1444931c0949b49db107b893017379 |
| is_domain   | False                            |
| name        | dev                              |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

If you have more than one domain, specify the domain for the new project with the --domain option.
I have only one domain.

$ openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+

List the projects, including the one just created:

$ openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 06bcc3c56ab1489282b65681e782d7f6 | admin   |
| 0766331616c7429a9b459d0d642cc4db | service |
| 587cfc85df274629a2d7a7b33b52446c | lab     |
| be1444931c0949b49db107b893017379 | dev     |
+----------------------------------+---------+

To show the details of a project, run:

$ openstack project show dev
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Development Project              |
| domain_id   | default                          |
| enabled     | True                             |
| id          | be1444931c0949b49db107b893017379 |
| is_domain   | False                            |
| name        | dev                              |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

Common project operations

Rename a project:

$ openstack project set PROJECT_ID --name newprojectname

Temporarily disable a project:

$ openstack project set PROJECT_ID --disable

Re-enable a disabled project:

$ openstack project set PROJECT_ID --enable

Delete a project:

$ openstack project delete PROJECT_ID

2: Create OpenStack Users

We will add two users, user1 and user2.
The default project for both users is the dev project created earlier.

$ openstack user create --email "Hyman@theitroad" \
    --description "Dev User1" --project dev --password-prompt user1
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | be1444931c0949b49db107b893017379 |
| description         | Dev User1                        |
| domain_id           | default                          |
| email               | Hyman@theitroad                  |
| enabled             | True                             |
| id                  | eb0f38e04c124288bc1f3a6c8c9b265f |
| name                | user1                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

With the --password-prompt option you get an interactive prompt for the password, so it never appears on the command line.

Create user2:

$ openstack user create --email "Hyman@theitroad" \
    --description "Dev User2" --project dev --password "StrongUserPass" user2
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | be1444931c0949b49db107b893017379 |
| description         | Dev User2                        |
| domain_id           | default                          |
| email               | Hyman@theitroad                  |
| enabled             | True                             |
| id                  | 7322efdb32da4b2d9ee695d63f60c930 |
| name                | user2                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Here the user is created with the password supplied through the --password argument. A password passed on the command line can end up in the shell history and in process listings, so --password-prompt is the better choice outside of scripted provisioning.

List the OpenStack users:

$ openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 10b837c94f3f47d0aeacd9a814af26d8 | nova      |
| 336acbb7421f47f8be4891eabf0c9cc8 | admin     |
| 3ee7a2ae291b48dba21c450f48fc6f75 | placement |
| 79bdacc586444278bc4e0e0a533227e7 | cinder    |
| 858dcd522daa4bffa71eef82246c81b1 | swift     |
| 97c71757453749948cc22dce0ffc5722 | neutron   |
| c6f7a4ae1cc041efb3e6653aefd02082 | glance    |
| eb0f38e04c124288bc1f3a6c8c9b265f | user1     |
| 7322efdb32da4b2d9ee695d63f60c930 | user2     |
+----------------------------------+-----------+

Common user operations

Change the name and other attributes (such as the email address) of a user account:

$ openstack user set USER_NAME --name new-name --email Hyman@theitroad

Temporarily disable a user account:

$ openstack user set USER_NAME --disable

Re-enable a disabled user account:

$ openstack user set USER_NAME --enable

Delete a user account:

$ openstack user delete USER_NAME

3: Assign Roles to Users

First, list the available roles:

$ openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1d07e8e4730e453f88fb14c5d342a7cd | member |
| 69952e0bf4bb44feaed4fd4f892eb424 | admin  |
| d638006a45cf49a7823cfcda5bf0c429 | reader |
+----------------------------------+--------+

A user can be a member of several projects.
To give a user access to a project, you assign a role to the user-project pair.
We will use the project and users created earlier.

List the users you want to assign roles to, and note the user ID or name.

$ openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 10b837c94f3f47d0aeacd9a814af26d8 | nova      |
| 336acbb7421f47f8be4891eabf0c9cc8 | admin     |
| 3ee7a2ae291b48dba21c450f48fc6f75 | placement |
| 7322efdb32da4b2d9ee695d63f60c930 | user2     |
| 79bdacc586444278bc4e0e0a533227e7 | cinder    |
| 858dcd522daa4bffa71eef82246c81b1 | swift     |
| 97c71757453749948cc22dce0ffc5722 | neutron   |
| c6f7a4ae1cc041efb3e6653aefd02082 | glance    |
| eb0f38e04c124288bc1f3a6c8c9b265f | user1     |
+----------------------------------+-----------+

List the roles you want to assign, and note the role ID or name.

$ openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 1d07e8e4730e453f88fb14c5d342a7cd | member |
| 69952e0bf4bb44feaed4fd4f892eb424 | admin  |
| d638006a45cf49a7823cfcda5bf0c429 | reader |
+----------------------------------+--------+

Get the project name or ID.

$ openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 06bcc3c56ab1489282b65681e782d7f6 | admin   |
| 0766331616c7429a9b459d0d642cc4db | service |
| 587cfc85df274629a2d7a7b33b52446c | lab     |
| be1444931c0949b49db107b893017379 | dev     |
+----------------------------------+---------+

The syntax for assigning a role to a user-project pair is:

$ openstack role add --user USER_NAME --project TENANT_ID ROLE_NAME

Example 1:

Assign user1 the admin role on the dev project:

$ openstack role add --user user1 --project dev admin

Assign user2 the member role on the dev and lab projects:

$ openstack role add --user user2 --project dev member
$ openstack role add --user user2 --project lab member

View the role assignments of each user:

$ openstack role assignment list --user user1
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 69952e0bf4bb44feaed4fd4f892eb424 | eb0f38e04c124288bc1f3a6c8c9b265f |       | be1444931c0949b49db107b893017379 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
$ openstack role assignment list --user user2
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 1d07e8e4730e453f88fb14c5d342a7cd | 7322efdb32da4b2d9ee695d63f60c930 |       | 587cfc85df274629a2d7a7b33b52446c |        |        | False     |
| 1d07e8e4730e453f88fb14c5d342a7cd | 7322efdb32da4b2d9ee695d63f60c930 |       | be1444931c0949b49db107b893017379 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

Remove a role from a user-project pair, then confirm it is gone:

$ openstack role remove --user USER_NAME --project TENANT_ID ROLE_NAME
$ openstack role list   --user USER_NAME --project TENANT_ID

Newer releases of the OpenStack client no longer accept the --user and --project filters on `openstack role list`; there, confirm the removal with `openstack role assignment list --user USER_NAME --project TENANT_ID` instead.
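
After the role changes above, an auditor wants to know who still holds the admin role and where. The following script is an added example, not part of the original tutorial: it parses the CSV that `openstack role assignment list --names -f csv` prints, lists admin holders per project, and flags any that are missing from an allow-list. The embedded CSV is constructed to mirror this tutorial's assignments (user1 admin on dev, user2 member on dev and lab) and is not real output.

```shell
# Audit OpenStack role assignments for admin-role holders.
# Input format: the CSV that `openstack role assignment list --names -f csv`
# prints (columns Role,User,Group,Project,Domain,System,Inherited).

# Constructed sample mirroring the assignments made in this tutorial
# (user1 = admin on dev, user2 = member on dev and lab); not real output.
SAMPLE_ASSIGNMENTS='"Role","User","Group","Project","Domain","System","Inherited"
"admin","user1@Default","","dev@Default","","","False"
"member","user2@Default","","dev@Default","","","False"
"member","user2@Default","","lab@Default","","","False"'

# Print "user project" for every assignment of ROLE (default admin),
# stripping the CSV quotes and the @Domain suffix that --names adds.
assignments_with_role() {
    awk -F'","' -v want="${1:-admin}" '
        NR == 1 { next }                      # header row
        {
            gsub(/^"|"$/, "")                 # outer quotes
            if ($1 != want) next
            user = $2; proj = $4
            sub(/@.*/, "", user); sub(/@.*/, "", proj)
            print user, proj
        }'
}

# Print the projects on which USER holds any role.
projects_for_user() {
    awk -F'","' -v u="$1" '
        NR == 1 { next }
        {
            gsub(/^"|"$/, "")
            user = $2; sub(/@.*/, "", user)
            if (user != u) next
            proj = $4; sub(/@.*/, "", proj)
            print proj
        }'
}

# Flag admin holders missing from an allow-list of "user project" lines:
# the privilege-drift check to run after any role add/remove.
unexpected_admins() {
    allowed="$1"
    assignments_with_role admin | while read -r u p; do
        printf '%s\n' "$allowed" | grep -qxF "$u $p" || echo "UNEXPECTED: $u $p"
    done
}

# Stand-alone run on the sample; on a live cloud pipe in the real output:
#   openstack role assignment list --names -f csv | assignments_with_role admin
printf '%s\n' "$SAMPLE_ASSIGNMENTS" | assignments_with_role admin
printf '%s\n' "$SAMPLE_ASSIGNMENTS" | unexpected_admins "user1 dev"
```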

Test the user roles

Log in to the OpenStack dashboard as user1 to check what that user can see:

[Figure: dashboard view of a user with the admin role.]