OCP中的权限管理沿用的Kubernetes RBAC机制,授权模式主要取决于下面几个因数

Rules

针对主要对象的操作权限,比如建立Pod

Sets of permitted verbs on a set of objects. For example, whether something can create pods.

Roles

一系列的Rules的集合,用户和组能关联这些Roles

Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time.

Bindings

用户和组针对角色的关联

Associations between users and/or groups with a role.

RBAC分成两种,一种是集群范围内的,叫做Cluster RBAC,一种是项目范围内的,叫Local RBAC,官方定义如下

Cluster RBAC

Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles.

Local RBAC

Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles.

而当前的Cluster Role包括如下:

Default Cluster Role Description

admin

A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota.

basic-user

A user that can get basic information about projects and users.

cluster-admin

A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.

cluster-status

A user that can get basic cluster status information.

edit

A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.

self-provisioner

A user that can create their own projects.

view

A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.

下面实际操作一下加深理解。

  • 添加用户
htpasswd /etc/origin/master/htpasswd  eric

htpasswd /etc/origin/master/htpasswd  alice
  • 查看用户

首先需要以管理员身份登录

[root@master ~]# oc login -u system:admin

Logged into "https://master.example.com:8443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default

    kube-public

    kube-service-catalog

    kube-system

    logging

    management-infra

    myproject

    openshift

    openshift-ansible-service-broker

    openshift-infra

    openshift-node

    openshift-template-service-broker

    openshift-web-console

  * test

Using project "test".

[root@master ~]# oc get users

NAME      UID                                    FULL NAME   IDENTITIES

admin     7594833f-efd1-11e8-bd01-0800275a35ec               htpasswd_auth:admin

alice     517c077e-f094-11e8-bc3a-0800275a35ec               htpasswd_auth:alice

eric      9ff08197-f093-11e8-bc3a-0800275a35ec               htpasswd_auth:eric

eric和alice各自建立project,eric创建myproject,alice创建test项目

  • 以alice登录后查看rolebinding
[root@master ~]# oc get rolebinding

NAME                    ROLE                    USERS     GROUPS                        SERVICE ACCOUNTS   SUBJECTS

admin                   /admin                  alice

system:deployers        /system:deployer                                                deployer

system:image-builders   /system:image-builder                                           builder

system:image-pullers    /system:image-puller              system:serviceaccounts:test

也就是说每个新建立的项目包含的本地rolebinding包括

  • 查看每个rolebinding具体关联的role和用户
[root@master ~]# oc describe rolebinding.rbac

Name:         admin

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  admin

Subjects:

  Kind  Name   Namespace

  ----  ----   ---------

  User  alice  

Name:         system:deployers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:deployer

Subjects:

  Kind            Name      Namespace

  ----            ----      ---------

  ServiceAccount  deployer  test

Name:         system:image-builders

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-builder

Subjects:

  Kind            Name     Namespace

  ----            ----     ---------

  ServiceAccount  builder  test

Name:         system:image-pullers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-puller

Subjects:

  Kind   Name                         Namespace

  ----   ----                         ---------

  Group  system:serviceaccounts:test
  • 给alice用户授予访问myproject的admin权限
[root@master ~]# oc adm policy add-role-to-user admin alice -n myproject

role "admin" added: "alice"

如果只是需要拉取myproject命名空间下的镜像,可以赋予image-puller权限就可以了

[root@master ~]# oc adm policy add-role-to-user system:image-puller  alice -n myproject

role "system:image-puller" added: "alice"

再度describe一下

[root@master ~]# oc describe rolebinding.rbac  -n myproject

Name:         admin

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  admin

Subjects:

  Kind  Name  Namespace

  ----  ----  ---------

  User  eric  

Name:         admin-

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  admin

Subjects:

  Kind  Name   Namespace

  ----  ----   ---------

  User  alice

Name:         system:deployers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:deployer

Subjects:

  Kind            Name      Namespace

  ----            ----      ---------

  ServiceAccount  deployer  myproject

Name:         system:image-builders

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-builder

Subjects:

  Kind            Name     Namespace

  ----            ----     ---------

  ServiceAccount  builder  myproject

Name:         system:image-puller

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-puller

Subjects:

  Kind  Name   Namespace

  ----  ----   ---------

  User  alice  

Name:         system:image-pullers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-puller

Subjects:

  Kind   Name                              Namespace

  ----   ----                              ---------

  Group  system:serviceaccounts:myproject
  • 查看所有的clusterrole
[root@master ~]# oc get clusterrole

NAME

admin

asb-access

asb-auth

basic-user

cluster-admin

cluster-debugger

cluster-reader

cluster-status

edit

hawkular-metrics

hawkular-metrics-admin

.....
  • 查看具体的一个clusterrole能做的内容
[root@master ~]# oc describe clusterrole system:image-builder

Name:        system:image-builder

Created:     hours ago

Labels:        <none>

Annotations:    openshift.io/description=Grants the right to build, push and pull images from within a project.  Used primarily with service accounts for builds.

        openshift.io/reconcile-protect=false

Verbs        Non-Resource URLs    Resource Names    API Groups        Resources

[get update]    []            []        [image.openshift.io ]    [imagestreams/layers]

[create]    []            []        [image.openshift.io ]    [imagestreams]

[update]    []            []        [build.openshift.io ]    [builds/details]

[get]        []            []        [build.openshift.io ]    [builds]

所有缺省的ClusterRole都能绑定用户或组到本地项目中。此外可以自己定义本地Role

==============================================================================================

给权限和回收权限

给一个imager:pruner的权限,以及给一个集群管理员的权限

oc adm policy add-cluster-role-to-user system:image-pruner  eric

oc adm policy add-cluster-role-to-user cluster-admin eric

查看

[root@master ~]# oc get rolebindings

NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS

admin                   /admin                  eric

system:deployers        /system:deployer                                                      deployer

system:image-builders   /system:image-builder                                                 builder

system:image-pruner     /system:image-pruner    eric

system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3

回收

[root@master ~]# oc adm policy remove-role-from-user     system:image-pruner    eric

role "system:image-pruner" removed: "eric"

取消eric的对项目的admin权限,而给只读权限

[root@master ~]# oc adm policy add-role-to-user view eric

role "view" added: "eric"

[root@master ~]# oc adm policy remove-role-from-user admin eric

role "admin" removed: "eric"

[root@master ~]# oc get rolebinding

NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS

system:deployers        /system:deployer                                                      deployer

system:image-builders   /system:image-builder                                                 builder

system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3

view                    /view                   eric

可以参考

https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html

Openshift 用户,角色和RBAC的更多相关文章

  1. [转]扩展RBAC用户角色权限设计方案

    原文地址:http://www.iteye.com/topic/930648 RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地 ...

  2. 扩展RBAC用户角色权限设计方案

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用户-角色- ...

  3. RBAC用户角色权限设计方案

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用 户-角色 ...

  4. 扩展RBAC用户角色权限设计方案(转载)

    扩展RBAC用户角色权限设计方案  来源:https://www.cnblogs.com/zwq194/archive/2011/03/07/1974821.html https://blog.csd ...

  5. RBAC用户角色权限设计方案【转载】

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用户-角色- ...

  6. 扩展RBAC用户角色权限设计方案<转>

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用户-角色- ...

  7. MVC开发模式下的用户角色权限控制

    前提: MVC开发模式 大概思想: 1.在MVC开发模式下,每个功能都对应着不同的控制器或操作方法名(如修改密码功能可能对应着User/changepd),把每个功能对应的控制器名和操作方法名存到数据 ...

  8. [.Net MVC] 用户角色权限管理_使用CLK.AspNet.Identity

    项目:后台管理平台 意义:一个完整的管理平台需要提供用户注册.登录等功能,以及认证和授权功能. 一.为何使用CLK.AspNet.Identity 首先简要说明所采取的权限控制方式.这里采用了基于角色 ...

  9. spring-boot-plus V1.4.0发布 集成用户角色权限部门管理

    RBAC用户角色权限 用户角色权限部门管理核心接口介绍 Shiro权限配置

  10. Django-用户权限,用户角色使用指南

    RBAC(Role-Based Access Control,基于角色的访问控制)就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成"用户 ...

随机推荐

  1. MAC 'readonly' option is set (add ! to override)错误解决

    该错误为当前用户没有权限对文件作修改 输入 :w !sudo tee %

  2. golang查看文档

    大家都知道手册在开发中是多么重要,但是golang.org无法访问,如果不FQ的话可以通过下面的方法来查看手册 方法1 查看 fmt 包 go doc fmt 查看单个函数 Printf godoc ...

  3. 常用模块二(hashlib、configparser、logging)

    阅读目录 常用模块二 hashlib模块 configparse模块 logging模块   常用模块二 返回顶部 hashlib模块 Python的hashlib提供了常见的摘要算法,如MD5,SH ...

  4. ibatis中的符号#跟$区别

    昨天一个项目中在写ibatis中的sql语句时,order by #field#, 运行时总是报错,后来上网查了查,才知道这里不该用#,而应该用$,随即查了下#与$的区别.  总结如下:  1.#是把 ...

  5. 【UI】自动化用例设计技巧

    需要封装的方法: 公共的操作方法 经常使用的步骤:超过两次以上 经常使用的组件:输入框.文本框.列表 经常操作的布局:多个组件组成通用的布局 经常操作的页面:ui页面由一个一个单独Activity组成 ...

  6. cuda8.0 百度云盘分享

    因为深度学习的需要,装了ubuntu16系统,同时也装了cuda,在下载cuda的时候发现教育网下载的速度不忍直视,故换了更快的网下载,结果发现10兆宽带下载速度依然很慢,不过总算还是下载了,故把千辛 ...

  7. HDU 5820 Lights (2016多校7L,主席树)

    题意  给定n个平面上的点,坐标范围为[1, 50000].如果对于任意两个点,都可以通过直走(中途经过其他点)走到. 那么输出YES,否则输出NO. 首先排序,去重. 我们要找的点对是只能斜对角走到 ...

  8. CodeForces 779A Pupils Redistribution

    简单题. 因为需要连边的人的个数一样,又要保证和一样,所以必须每个数字的个数都是一样的. #include<map> #include<set> #include<cti ...

  9. ZOJ 2974 Just Pour the Water

    矩阵快速幂. 构造一个矩阵,$a[i][j]$表示一次操作后,$j$会从$i$那里得到水的比例.注意$k=0$的时候,要将$a[i][j]$置为$1$. #pragma comment(linker, ...

  10. plsql分支,循环,异常

    pl/sql 分支,循环和异常分支:    DECLARE        BEGIN        END; 循环:loop,while,for    1.LOOP        EXIT WHEN ...