[转] Customizing OpenStack RBAC policies
http://www.florentflament.com/blog/customizing-openstack-rbac-policies.html
OpenStack uses a role based access control (RBAC) mechanism to manage accesses to its resources. With the current architecture, users' roles granted on each project and domain are stored into Keystone, and can be updated through Keystone's API. However, policy enforcement (actually allowing or not the access to resources according to a user's roles) is performed independently in each service, based on the rules defined in eachpolicy.json
file.
In a default OpenStack setup (like Devstack), two roles are created:
The
Member
role, which when granted to a user on a project, allows him to manage resources (instances, volumes, ...) in this project.The
admin
role, which when granted to a user on any project, offers to this user a total control over the whole OpenStack platform. Although this is the current behavior, it has been marked as a bug.
However, the OpenStack policy engine allows operators to specify fine grained set of rules to control access to resources of each OpenStack service (Keystone, Nova, Cinder, ...).
Attributes available to build custom policies
Four types of attributes can be used to set policy rules:
User roles, which can be checked by using the following syntax:
role:<requires_role>
Other user related attributes (stored into or obtained through the token). The following attributes are available: user_id, domain_id or project_id (depending on the scope), and can be checked against constants or other attributes:
project_id:<some_attribute>
API call attributes are any data sent along with the API call. They can be checked against constants or user attributes. For instance, the following statement checks that a user being created is in the same domain as his creator (note that API call attributes have to be on the right side of the expression, while user attributes are on the left side):
domain_id:user.domain_id
The fourth category of attributes are what I'd call contextual attributes. These are the attributes of objects referenced (or targeted) by an API call; i.e. any object whose id appear somewhere in the API call. For instance, when granting a new role on a project to a user, all attributes related to the role, the project and the user are available to the policy engine, through the
target
keyword. The following syntax checks that the role of the context is theMember
role:'Member':target.role.name
Depending on the type of API calls, some of the following attributes will be available, according to the objects impacted by the action:
domain:
- target.domain.enabled
- target.domain.id
- target.domain.name
group:
- target.group.description
- target.group.domain_id
- target.group.id
- target.group.name
project:
- target.project.description
- target.project.domain_id
- target.project.enabled
- target.project.id
- target.project.name
role:
- target.role.id
- target.role.name
user:
- target.user.default_project_id
- target.user.description
- target.user.domain_id
- target.user.enabled
- target.user.id
- target.user.name
Example: admin and super_admin
The following example is taken from a User Story that we were considering at CloudWatt. As a cloud service provider, we wanted to be able to have 2 different levels of administrator roles:
- An
admin
role, which allows its users to grant theMember
role to any other user. - While the
super_admin
role allows granting any role.
When added to Keystone's ̀policy.json
file, the following rules implements the two roles described previously:
"admin_grant_member": "role:admin and 'Member':%(target.role.name)s",
"identity:create_grant": "role:super_admin or rule:admin_grant_member",
The first rule describes a new rule called admin_grant_member
, which checks that the user authenticated by the token has the admin
role (on its scope), and that the role in the context (the role the admin is trying to grant) is the Member
role (we used the name
attribute, but could use the role's id instead).
The second rule is checked whenever an API call is made to grant a role to a user (action identity:create_grant
). This rule tells the policy engine that in order for a user to be allowed to grant a role to another user, the user authenticated by the token must either have the super_admin
role, or satisfy the admin_grant_member
rule.
Put together these two rules actually meet the use case. Any user with the admin
role will only be able to grant the Member
role to other users, while users with the super_admin
role will be able to grant any role.
Notes
One of the most powerful rules that the OpenStack policy engine allows, are those limiting a user's actions to his own domain or project. These kind of rules are widely used in Keystone's policy.v3cloudsample.json.
Also note, that a recent patch merged into oslo-incubator implements the blueprint allowing the policy engine to check contextual attributes against constant values. This patch will have to be synchronized into the OpenStack projects for them to benefit from this feature.
[转] Customizing OpenStack RBAC policies的更多相关文章
- 别以为真懂Openstack: 虚拟机创建的50个步骤和100个知识点(1)
还是先上图吧,无图无真相 别以为真懂Openstack!先别着急骂我,我也没有说我真懂Openstack 我其实很想弄懂Openstack,然而从哪里下手呢?作为程序员,第一个想法当然是代码,Code ...
- openstack Icehouse发布
OpenStack 2014.1 (Icehouse) Release Notes General Upgrade Notes Windows packagers should use pbr 0.8 ...
- openstack(liberty):部署实验平台(二,简单版本软件安装 part2)
继续前面的part1,将后续的compute以及network部分的安装过程记录完毕! 首先说说compute部分nova的安装. n1.准备工作.创建数据库,配置权限!(密码依旧是openstack ...
- 在ubuntu14.04上安装openstack mitaka
最近在工作环境安装部署了juno版本,在GE口测试网络性能不太满意,发现mitaka版本支持ovs-dpdk,于是抽时间安装实验一番. 参考官网的安装文档,先准备将mitaka版本安装好再配置ovs. ...
- openstack私有云布署实践【13.2 网络Neutron-compute节点配置(办公网环境)】
所有compute节点 下载安装组件 # yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset -y ...
- openstack私有云布署实践【13.1 网络Neutron-compute节点配置(科兴环境)】
所有kxcompute节点 下载安装组件 # yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset ...
- OpenStack - liberty CentOS 7
OpenStack私有云部署 Controller Node: em1(10.6.17.11),em2() Computer Node: em1(10.6.17.12),e ...
- openstack安装文档
#########################################openstack m版本部署安装################################## 控制节点.网络 ...
- CentOS7.4安装部署openstack [Liberty版] (一)
一.OpenStack简介 OpenStack是一个由NASA(美国国家航空航天局)和Rackspace合作研发并发起的,以Apache许可证授权的自由软件和开放源代码项目. OpenStack是一个 ...
随机推荐
- MAC终端如何使用rar和unrar
一.MAC具体安装见下面两个博客分享: Homebrew介绍和使用:https://www.jianshu.com/p/de6f1d2d37bf Mac 压缩 / 解压缩工具解决方案:https:// ...
- 20164319 刘蕴哲 Exp4:恶意代码分析
[实验内容] ①系统运行监控 使用如计划任务,每隔一分钟记录自己的电脑有哪些程序在联网,连接的外部IP是哪里.运行一段时间并分析该文件,综述一下分析结果.目标就是找出所有连网的程序,连了哪里,大约干了 ...
- 导出Excel工具类
import java.io.OutputStream; import java.lang.reflect.Method; import java.text.SimpleDateFormat; imp ...
- 关于为什么会涉足easyui
之前公司需要做一款类似于报价系统的功能,涉及到表单以及报表的统计, 这时分配给我,PHP也要开始弄easyui了 就这样走上了前端的路? 还挺感谢这些时间,有精力来学习额外的东西 不学习就会落后,ヾ( ...
- centos7下编译安装php7.3
一.下载php7.3的源码 https://www.php.net/downloads.php 下载php-7.3.4.tar.gz 二.安装gcc,gcc-c++,kernel-devel yum ...
- 安装Pygame(Python3.6,windows)
1. 本机为python3.6的环境 2. 到pygame官网下载对应系统,对应python版本的pygame文件,下载地址:https://pypi.python.org/pypi/Pygame/1 ...
- Devexpress使用之:GridControl控件
Devexpress使用之:GridControl控件 Devexpress系列控件功能很强大,使用起来也不太容易,我也是边摸索边使用,如果有时间我会把常用控件的使用方法整理出来的. using Sy ...
- 装了SVN软件,但是文件夹没有绿色和红色的图标显示
第一步: win+R,输入regedit,打开注册表.查找ShellIconOverlayIdentifiers,可以找到Tortoise相关的标签,这个时候会发现,这些标签都排在后面.需要在这些标签 ...
- [转]JSOUP 抓取HTTPS/HTTP网页,校验问题
针对一般的http请求是不需要的校验的.但是https安全校验过总过不去.最后找到以下方法,终于成功. 让我们的站点信任所有站点,不需要引包,系统自带ssl证书校验,话不多数,贴代码. /** * 信 ...
- sqlserv 配置 CLR
转载地址:http://www.cnblogs.com/Brambling/p/8000911.html //clr 配置 https://docs.microsoft.com/zh-cn/sql ...