博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
openstack keystone 笔记
阅读量:6039 次
发布时间:2019-06-20

本文共 7318 字,大约阅读时间需要 24 分钟。

hot3.png

A user can be assigned different roles in different tenants: for example, Alice may also have
the "admin" role in the "Cyberdyne" tenant. A user can also be assigned multiple roles in the
same tenant.
The /etc/[SERVICE_CODENAME]/policy.json controls what users are allowed to
do for a given service. For example, /etc/nova/policy.json specifies the access policy
for the Compute service, /etc/glance/policy.json specifies the access policy for the
Image service, and /etc/keystone/policy.json specifies the access policy for the
Identity service.
The default policy.json files in the Compute, Identity, and Image service recognize only
the admin role: all operations that do not require the admin role will be accessible by any
user that has any role in a tenant.
If you wish to restrict users from performing operations in, say, the Compute service, you
need to create a role in the Identity service and then modify /etc/nova/policy.json
so that this role is required for Compute operations.
For example, this line in /etc/nova/policy.json specifies that there are no restrictions
on which users can create volumes: if the user has any role in a tenant, they will be able to
create volumes in that tenant.
"volume:create": [],
If we wished to restrict creation of volumes to users who had the compute-user role in a
particular tenant, we would add "role:compute-user", like so:
"volume:create": ["role:compute-user"],
If we wished to restrict all Compute service requests to require this role, the resulting file
would look like:
{
"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
"default": [["rule:admin_or_owner"]],
"compute:create": ["role":"compute-user"],
"compute:create:attach_network": ["role":"compute-user"],
"compute:create:attach_volume": ["role":"compute-user"],
"compute:get_all": ["role":"compute-user"],
"admin_api": [["role:admin"]],
"compute_extension:accounts": [["rule:admin_api"]],
"compute_extension:admin_actions": [["rule:admin_api"]],
"compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:lock": [["rule:admin_api"]],
"compute_extension:admin_actions:unlock": [["rule:admin_api"]],
"compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
"compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
"compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
"compute_extension:admin_actions:migrate": [["rule:admin_api"]],
19OpenStack Installation Guide for
Red Hat Enterprise Linux, CentOS,
and Fedora
August 26, 2013
master
"compute_extension:aggregates": [["rule:admin_api"]],
"compute_extension:certificates": ["role":"compute-user"],
"compute_extension:cloudpipe": [["rule:admin_api"]],
"compute_extension:console_output": ["role":"compute-user"],
"compute_extension:consoles": ["role":"compute-user"],
"compute_extension:createserverext": ["role":"compute-user"],
"compute_extension:deferred_delete": ["role":"compute-user"],
"compute_extension:disk_config": ["role":"compute-user"],
"compute_extension:evacuate": [["rule:admin_api"]],
"compute_extension:extended_server_attributes": [["rule:admin_api"]],
"compute_extension:extended_status": ["role":"compute-user"],
"compute_extension:flavorextradata": ["role":"compute-user"],
"compute_extension:flavorextraspecs": ["role":"compute-user"],
"compute_extension:flavormanage": [["rule:admin_api"]],
"compute_extension:floating_ip_dns": ["role":"compute-user"],
"compute_extension:floating_ip_pools": ["role":"compute-user"],
"compute_extension:floating_ips": ["role":"compute-user"],
"compute_extension:hosts": [["rule:admin_api"]],
"compute_extension:keypairs": ["role":"compute-user"],
"compute_extension:multinic": ["role":"compute-user"],
"compute_extension:networks": [["rule:admin_api"]],
"compute_extension:quotas": ["role":"compute-user"],
"compute_extension:rescue": ["role":"compute-user"],
"compute_extension:security_groups": ["role":"compute-user"],
"compute_extension:server_action_list": [["rule:admin_api"]],
"compute_extension:server_diagnostics": [["rule:admin_api"]],
"compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
"compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
"compute_extension:users": [["rule:admin_api"]],
"compute_extension:virtual_interfaces": ["role":"compute-user"],
"compute_extension:virtual_storage_arrays": ["role":"compute-user"],
"compute_extension:volumes": ["role":"compute-user"],
"compute_extension:volume_attachments:index": ["role":"compute-user"],
"compute_extension:volume_attachments:show": ["role":"compute-user"],
"compute_extension:volume_attachments:create": ["role":"compute-user"],
"compute_extension:volume_attachments:delete": ["role":"compute-user"],
"compute_extension:volumetypes": ["role":"compute-user"],
"volume:create": ["role":"compute-user"],
"volume:get_all": ["role":"compute-user"],
"volume:get_volume_metadata": ["role":"compute-user"],
"volume:get_snapshot": ["role":"compute-user"],
"volume:get_all_snapshots": ["role":"compute-user"],
"network:get_all_networks": ["role":"compute-user"],
"network:get_network": ["role":"compute-user"],
"network:delete_network": ["role":"compute-user"],
"network:disassociate_network": ["role":"compute-user"],
"network:get_vifs_by_instance": ["role":"compute-user"],
"network:allocate_for_instance": ["role":"compute-user"],
"network:deallocate_for_instance": ["role":"compute-user"],
"network:validate_networks": ["role":"compute-user"],
"network:get_instance_uuids_by_ip_filter": ["role":"compute-user"],
"network:get_floating_ip": ["role":"compute-user"],
"network:get_floating_ip_pools": ["role":"compute-user"],
"network:get_floating_ip_by_address": ["role":"compute-user"],
"network:get_floating_ips_by_project": ["role":"compute-user"],
"network:get_floating_ips_by_fixed_address": ["role":"compute-user"],
"network:allocate_floating_ip": ["role":"compute-user"],
20OpenStack Installation Guide for
Red Hat Enterprise Linux, CentOS,
and Fedora
August 26, 2013
master
"network:deallocate_floating_ip": ["role":"compute-user"],
"network:associate_floating_ip": ["role":"compute-user"],
"network:disassociate_floating_ip": ["role":"compute-user"],
"network:get_fixed_ip": ["role":"compute-user"],
"network:add_fixed_ip_to_instance": ["role":"compute-user"],
"network:remove_fixed_ip_from_instance": ["role":"compute-user"],
"network:add_network_to_project": ["role":"compute-user"],
"network:get_instance_nw_info": ["role":"compute-user"],
"network:get_dns_domains": ["role":"compute-user"],
"network:add_dns_entry": ["role":"compute-user"],
"network:modify_dns_entry": ["role":"compute-user"],
"network:delete_dns_entry": ["role":"compute-user"],
"network:get_dns_entries_by_address": ["role":"compute-user"],
"network:get_dns_entries_by_name": ["role":"compute-user"],
"network:create_private_dns_domain": ["role":"compute-user"],
"network:create_public_dns_domain": ["role":"compute-user"],
"network:delete_dns_domain": ["role":"compute-user"]
}

转载于:https://my.oschina.net/u/138210/blog/157181

你可能感兴趣的文章
Sql注入、文件上传与手机品牌信息抓取解决方案
查看>>
SQLServer跨库查询--分布式查询[转载]
查看>>
django错误-NoReverseMatch at /admin/
查看>>
Laravel中的信息验证 和 语言包
查看>>
折半查找法(二分查找 java版)
查看>>
工作两周年—--个人知识体系梳理
查看>>
win2003开启telnet
查看>>
php配置文件php.ini中文详解
查看>>
关于Tomcat配置相关总结
查看>>
安装PDO_MYSQL遇到的问题:error: Cannot find MySQL header files under
查看>>
CocoaPods最新安装及跳过pod setup快速安装教程
查看>>
必须用C模拟OS?
查看>>
JavaScript引入
查看>>
ARM9代码分析启动MAIN.C
查看>>
JSON
查看>>
4.3 Verilog练习(2)
查看>>
浅谈html5某些新元素的用途
查看>>
csv文件的操作
查看>>
Java并发编程-各种锁
查看>>
ODG发布两款AR眼镜,将在CES 2017上展示
查看>>
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!
当前时间: 2025-01-03 05:54:08   当前IP: 18.216.156.226   联系邮箱:javaeecc@qq.com     Copyright © 2020 - 2022 baihongyu.com 京ICP备2021015314号-2
强烈建议你试试无所不能的CHAT-GPT,快点击我
强烈建议你试试无所不能的CHAT-GPT,快点击我