Openshift 用户，角色和RBAC

OCP中的权限管理沿用的Kubernetes RBAC机制，授权模式主要取决于下面几个因数

Rules	针对主要对象的操作权限，比如建立Pod Sets of permitted verbs on a set of objects. For example, whether something can create pods.
Roles	一系列的Rules的集合，用户和组能关联这些Roles Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time.
Bindings	用户和组针对角色的关联 Associations between users and/or groups with a role.

RBAC分成两种，一种是集群范围内的，叫做Cluster RBAC,一种是项目范围内的，叫Local RBAC,官方定义如下

Cluster RBAC	Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles.
Local RBAC	Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles.

而当前的Cluster Role包括如下：

Default Cluster Role	Description
admin	A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota.
basic-user	A user that can get basic information about projects and users.
cluster-admin	A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.
cluster-status	A user that can get basic cluster status information.
edit	A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.
self-provisioner	A user that can create their own projects.
view	A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.

下面实际操作一下加深理解。

• 添加用户

htpasswd /etc/origin/master/htpasswd  eric

htpasswd /etc/origin/master/htpasswd  alice

• 查看用户

首先需要以管理员身份登录

[root@master ~]# oc login -u system:admin
Logged into "https://master.example.com:8443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-public
    kube-service-catalog
    kube-system
    logging
    management-infra
    myproject
    openshift
    openshift-ansible-service-broker
    openshift-infra
    openshift-node
    openshift-template-service-broker
    openshift-web-console
  * test

Using project "test".
[root@master ~]# oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     7594833f-efd1-11e8-bd01-0800275a35ec               htpasswd_auth:admin
alice     517c077e-f094-11e8-bc3a-0800275a35ec               htpasswd_auth:alice
eric      9ff08197-f093-11e8-bc3a-0800275a35ec               htpasswd_auth:eric

eric和alice各自建立project，eric创建myproject,alice创建test项目

• 以alice登录后查看rolebinding

[root@master ~]# oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                        SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  alice
system:deployers        /system:deployer                                                deployer
system:image-builders   /system:image-builder                                           builder
system:image-pullers    /system:image-puller              system:serviceaccounts:test                  

也就是说每个新建立的项目包含的本地rolebinding包括

• 查看每个rolebinding具体关联的role和用户

[root@master ~]# oc describe rolebinding.rbac
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice  

Name:         system:deployers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  test

Name:         system:image-builders
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  test

Name:         system:image-pullers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                         Namespace
  ----   ----                         ---------
  Group  system:serviceaccounts:test  

• 给alice用户授予访问myproject的admin权限

[root@master ~]# oc adm policy add-role-to-user admin alice -n myproject
role "admin" added: "alice"

如果只是需要拉取myproject命名空间下的镜像，可以赋予image-puller权限就可以了

[root@master ~]# oc adm policy add-role-to-user system:image-puller  alice -n myproject
role "system:image-puller" added: "alice"

再度describe一下

[root@master ~]# oc describe rolebinding.rbac  -n myproject
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  eric  

Name:         admin-
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice
Name:         system:deployers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  myproject

Name:         system:image-builders
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  myproject

Name:         system:image-puller
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice  

Name:         system:image-pullers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                              Namespace
  ----   ----                              ---------
  Group  system:serviceaccounts:myproject  

• 查看所有的clusterrole

[root@master ~]# oc get clusterrole
NAME
admin
asb-access
asb-auth
basic-user
cluster-admin
cluster-debugger
cluster-reader
cluster-status
edit
hawkular-metrics
hawkular-metrics-admin
.....

• 查看具体的一个clusterrole能做的内容

[root@master ~]# oc describe clusterrole system:image-builder
Name:        system:image-builder
Created:     hours ago
Labels:        <none>
Annotations:    openshift.io/description=Grants the right to build, push and pull images from within a project.  Used primarily with service accounts for builds.
        openshift.io/reconcile-protect=false
Verbs        Non-Resource URLs    Resource Names    API Groups        Resources
[get update]    []            []        [image.openshift.io ]    [imagestreams/layers]
[create]    []            []        [image.openshift.io ]    [imagestreams]
[update]    []            []        [build.openshift.io ]    [builds/details]
[get]        []            []        [build.openshift.io ]    [builds]

所有缺省的ClusterRole都能绑定用户或组到本地项目中。此外可以自己定义本地Role

==============================================================================================

给权限和回收权限

给一个imager:pruner的权限，以及给一个集群管理员的权限

oc adm policy add-cluster-role-to-user system:image-pruner  eric

oc adm policy add-cluster-role-to-user cluster-admin eric

查看

[root@master ~]# oc get rolebindings
NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  eric
system:deployers        /system:deployer                                                      deployer
system:image-builders   /system:image-builder                                                 builder
system:image-pruner     /system:image-pruner    eric
system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3        

回收

[root@master ~]# oc adm policy remove-role-from-user     system:image-pruner    eric
role "system:image-pruner" removed: "eric"

取消eric的对项目的admin权限，而给只读权限

[root@master ~]# oc adm policy add-role-to-user view eric
role "view" added: "eric"
[root@master ~]# oc adm policy remove-role-from-user admin eric
role "admin" removed: "eric"
[root@master ~]# oc get rolebinding
NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS
system:deployers        /system:deployer                                                      deployer
system:image-builders   /system:image-builder                                                 builder
system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3
view                    /view                   eric

可以参考

https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html