http://www.florentflament.com/blog/customizing-openstack-rbac-policies.html

OpenStack uses a role based access control (RBAC) mechanism to manage accesses to its resources. With the current architecture, users' roles granted on each project and domain are stored into Keystone, and can be updated through Keystone's API. However, policy enforcement (actually allowing or not the access to resources according to a user's roles) is performed independently in each service, based on the rules defined in eachpolicy.json file.

In a default OpenStack setup (like Devstack), two roles are created:

  • The Member role, which when granted to a user on a project, allows him to manage resources (instances, volumes, ...) in this project.

  • The admin role, which when granted to a user on any project, offers to this user a total control over the whole OpenStack platform. Although this is the current behavior, it has been marked as a bug.

However, the OpenStack policy engine allows operators to specify fine grained set of rules to control access to resources of each OpenStack service (Keystone, Nova, Cinder, ...).

Attributes available to build custom policies

Four types of attributes can be used to set policy rules:

  • User roles, which can be checked by using the following syntax:

    role:<requires_role>
  • Other user related attributes (stored into or obtained through the token). The following attributes are available: user_id, domain_id or project_id (depending on the scope), and can be checked against constants or other attributes:

    project_id:<some_attribute>
  • API call attributes are any data sent along with the API call. They can be checked against constants or user attributes. For instance, the following statement checks that a user being created is in the same domain as his creator (note that API call attributes have to be on the right side of the expression, while user attributes are on the left side):

    domain_id:user.domain_id
  • The fourth category of attributes are what I'd call contextual attributes. These are the attributes of objects referenced (or targeted) by an API call; i.e. any object whose id appear somewhere in the API call. For instance, when granting a new role on a project to a user, all attributes related to the role, the project and the user are available to the policy engine, through the target keyword. The following syntax checks that the role of the context is the Member role:

    'Member':target.role.name

Depending on the type of API calls, some of the following attributes will be available, according to the objects impacted by the action:

  • domain:

    • target.domain.enabled
    • target.domain.id
    • target.domain.name
  • group:

    • target.group.description
    • target.group.domain_id
    • target.group.id
    • target.group.name
  • project:

    • target.project.description
    • target.project.domain_id
    • target.project.enabled
    • target.project.id
    • target.project.name
  • role:

    • target.role.id
    • target.role.name
  • user:

    • target.user.default_project_id
    • target.user.description
    • target.user.domain_id
    • target.user.enabled
    • target.user.id
    • target.user.name

Example: admin and super_admin

The following example is taken from a User Story that we were considering at CloudWatt. As a cloud service provider, we wanted to be able to have 2 different levels of administrator roles:

  • An admin role, which allows its users to grant the Member role to any other user.
  • While the super_admin role allows granting any role.

When added to Keystone's ̀policy.json file, the following rules implements the two roles described previously:

"admin_grant_member": "role:admin and 'Member':%(target.role.name)s",
"identity:create_grant": "role:super_admin or rule:admin_grant_member",

The first rule describes a new rule called admin_grant_member, which checks that the user authenticated by the token has the admin role (on its scope), and that the role in the context (the role the admin is trying to grant) is the Member role (we used the name attribute, but could use the role's id instead).

The second rule is checked whenever an API call is made to grant a role to a user (action identity:create_grant). This rule tells the policy engine that in order for a user to be allowed to grant a role to another user, the user authenticated by the token must either have the super_admin role, or satisfy the admin_grant_member rule.

Put together these two rules actually meet the use case. Any user with the admin role will only be able to grant the Member role to other users, while users with the super_admin role will be able to grant any role.

Notes

One of the most powerful rules that the OpenStack policy engine allows, are those limiting a user's actions to his own domain or project. These kind of rules are widely used in Keystone's policy.v3cloudsample.json.

Also note, that a recent patch merged into oslo-incubator implements the blueprint allowing the policy engine to check contextual attributes against constant values. This patch will have to be synchronized into the OpenStack projects for them to benefit from this feature.

[转] Customizing OpenStack RBAC policies的更多相关文章

  1. 别以为真懂Openstack: 虚拟机创建的50个步骤和100个知识点(1)

    还是先上图吧,无图无真相 别以为真懂Openstack!先别着急骂我,我也没有说我真懂Openstack 我其实很想弄懂Openstack,然而从哪里下手呢?作为程序员,第一个想法当然是代码,Code ...

  2. openstack Icehouse发布

    OpenStack 2014.1 (Icehouse) Release Notes General Upgrade Notes Windows packagers should use pbr 0.8 ...

  3. openstack(liberty):部署实验平台(二,简单版本软件安装 part2)

    继续前面的part1,将后续的compute以及network部分的安装过程记录完毕! 首先说说compute部分nova的安装. n1.准备工作.创建数据库,配置权限!(密码依旧是openstack ...

  4. 在ubuntu14.04上安装openstack mitaka

    最近在工作环境安装部署了juno版本,在GE口测试网络性能不太满意,发现mitaka版本支持ovs-dpdk,于是抽时间安装实验一番. 参考官网的安装文档,先准备将mitaka版本安装好再配置ovs. ...

  5. openstack私有云布署实践【13.2 网络Neutron-compute节点配置(办公网环境)】

    所有compute节点 下载安装组件   # yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset -y ...

  6. openstack私有云布署实践【13.1 网络Neutron-compute节点配置(科兴环境)】

    所有kxcompute节点 下载安装组件   # yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset ...

  7. OpenStack - liberty CentOS 7

    OpenStack私有云部署 Controller Node:       em1(10.6.17.11),em2() Computer Node:         em1(10.6.17.12),e ...

  8. openstack安装文档

    #########################################openstack m版本部署安装################################## 控制节点.网络 ...

  9. CentOS7.4安装部署openstack [Liberty版] (一)

    一.OpenStack简介 OpenStack是一个由NASA(美国国家航空航天局)和Rackspace合作研发并发起的,以Apache许可证授权的自由软件和开放源代码项目. OpenStack是一个 ...

随机推荐

  1. python3作业:模拟登录

    __author__ = "bin007" customer = {}#存储用户信息#处理用户信息文件try: with open('login.txt','r',encoding ...

  2. python的os模块fnmatch模块介绍

    一.先介绍一下os模块 import os print(os.getcwd()) # E:\python\test\python_models # 获取当前的目录 print(os.listdir(& ...

  3. Android横竖屏切换生命周期变化

    1. AndroidMenifest没有设置configChanged属性. 竖屏启动(横屏启动相同): onCreate -->onStart-->onResume 切换横屏: onPa ...

  4. Qt4.8.6开发WinCE 5.0环境搭建

    Qt-Wince5.0开发环境介绍 1.Windows7SP1 64 2.vs2008,以及sp1补丁 3.编译qt-everywhere-opensource-src-4.8.6.zip 4.qt- ...

  5. 探索未知种族之osg类生物---渲染遍历之裁剪三

    前言 在osgUtil::CullVisitor,我们发现apply函数的重载中,有CullVisitor::apply(Group& node),CullVisitor::apply(Swi ...

  6. GPS坐标系

    本次测试之坑,人车定位偏差,分析如下 车的定位由后台提供,由gps上报位置,采用WGS-84坐标系 前端(app/小程序)使用腾讯地图,或者高德地图,采用的是GCJ-02坐标系,或者在GCJ-02基础 ...

  7. 你电梯没了—OO第二单元作业思考

    写在前面 这三次电梯调度作业,主要是学习多线程并行操作,对于各个线程的时间轴的把握,互相的配合与影响,通过使用锁来解决访问冲突等方面. 个人在学会Thread相关操作之外,写出来一些奇怪结构的诡异操作 ...

  8. mysql的orde by 按照指定状态顺序排序

    要求按照以下顺序排序 审核中->审核拒绝->待放款->放款失败->待还款->已结清->已逾期 { id:80, label:'审核中'},{ id:100, lab ...

  9. java35

    1.变量的访问:就近原则 2.this.name 本类的name 3.枚举:一个事物的固定状态 修饰符 enum 枚举名称{ } 4.枚举相当于一个特殊的类,默认继承了Enum 5.枚举不能直接创建对 ...

  10. eclipse新建servers时选中tomcat版本后next是灰色的解决

    有时在编辑器里删除server后就不能重新new了,因为不能点next. 试了下面的方法,可以用. 1.退出2.到[工程目录下]/.metadata/.plugins/org.eclipse.core ...