Openstack 中文手册-部署Identity服务01
<本文转自 http://manual.blog.51cto.com/3300438/973921>
一、基本概念
身份认证服务包括两个主要功能:
用户管理:时时跟踪用户以及用户被赋予了什么权限。
服务编录:提供一份可用服务的目录并可以定位这些服务的API。
1.1 用户管理
Identity用户管理包括三个主要概念:
用户(Users)
租户(Tenants)
角色(Roles)
用户表示拥有用户名,密码,邮箱等帐号信息的自然人。这里给出创建用户名为"alice”的用户:
$ keystone user-create --name=alice --pass=mypassword123 --mail=alice@example.com
租户可以被理解为一个项目,团队或组织。你必须指定一个相应的租户(tenant)才可以申请OpenStack服务,例如你指定以某租户申请Compute服务来查询当前运行的实例列表,则你将收到的是该租户的运行实例列表。这里是创建一个名为"acme”租户的例子:
$ keystone tenant-create --name=acme
注意事项:由于在早期的版本中使用项目术语来表示租户,所以有些命令行工具使用--project_id替代--tenant_id给客户分配一个ID号。
角色代表特定的租户中的用户用户操作权限,可以使用如下命令创建角色:
$ keystone role-create --name=compute-user
译者批注:你可以理解租户为那些使用你云环境的客户,这些客户可以是一个项目组、工作组、公司,这些客户中会建立不同的帐号(用户)及其对应的权限(角色).
Identity服务将用户与租户及角色结合在一起,继续刚才的例子,我们也许希望在acme租户中为alice用户分配compute-user角色。
$ keystone user-list
+---------------------------------+----------+------+-------+
|id | enabled | email | name |
+----------------------------------+----------+------+-------+
| 96a6ebba0d4c441887aceaeced892585 | True | ... | alice |
+----------------------------------+----------+------+-------+
$ keystone role-list
+----------------------------------+------------------+
|id | name |
+----------------------------------+------------------+
| f8dd5a2e4dc64a41b96add562d9a764e | compute-user |
+----------------------------------+------------------+
$ keystone tenant-list
+----------------------------------+-------+----------+
| id | name | enabled |
+----------------------------------+-------+----------+
| 2395953419144b67955ac4bab96b8fd2 | acme | True |
+----------------------------------+-------+----------+
$ keystone user-role-add \
--user=96a6ebba0d4c441887aceaeced892585 \
--role=f8dd5a2e4dc64a41b96add562d9a764e \
--tenant_id=2395953419144b67955ac4bab96b8fd2
一个用户可以在不同的租户中被分配不同的角色,例如Alice也可以在Cyberdyne租户中用户admin角色。一个用户也可以在同一个租户中分配多个角色。
/etc/[服务代码名称]/policy.json控制着哪些用户可以拥有什么样的服务,如:/etc/nova/policy.json定义了Compute服务的访问策略,/etc/glance/policy.json定义Image服务的访问策略,以及/etc/keystone/policy.json定义Identity服务的访问策略。
Compute,Identity,Image服务的默认policy.json文件仅识别admin角色:所有的操作无需admin角色即可被租户中拥有任何角色的用户均可以访问。
如果你希望限制用户在Compute服务中所执行的操作,你需要在Identity服务中创建一个角色并修改/etc/nova/policy.json,实现仅提供该角色才可以执行Compute操作。
实例,以下在/etc/nova/policy.json中的配置设定卷创建的操作对用户无任何限制,在租户中的用户用户任何角色均可以创建卷。
"volume:create": [],
如果你需要仅拥有compute-user角色的用户才可以创建卷,你就需要添加一行”role:compute-user”,具体配置如下:
"volume:create": ["role:compute-user"],
如我们需要对所有Compute服务的请求均需要指定的角色,你的配置文件应该作类似于如下这样的配置:
{
"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
"default": [["rule:admin_or_owner"]],
"compute:create": ["role":"compute-user"],
"compute:create:attach_network": ["role":"compute-user"],
"compute:create:attach_volume": ["role":"compute-user"],
"compute:get_all": ["role":"compute-user"],
"admin_api": [["role:admin"]],
"compute_extension:accounts": [["rule:admin_api"]],
"compute_extension:admin_actions": [["rule:admin_api"]],
"compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:lock": [["rule:admin_api"]],
"compute_extension:admin_actions:unlock": [["rule:admin_api"]],
"compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
"compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
"compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
"compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
"compute_extension:admin_actions:migrate": [["rule:admin_api"]],
"compute_extension:aggregates": [["rule:admin_api"]],
"compute_extension:certificates": ["role":"compute-user"],
"compute_extension:cloudpipe": [["rule:admin_api"]],
"compute_extension:console_output": ["role":"compute-user"],
"compute_extension:consoles": ["role":"compute-user"],
"compute_extension:createserverext": ["role":"compute-user"],
"compute_extension:deferred_delete": ["role":"compute-user"],
"compute_extension:disk_config": ["role":"compute-user"],
"compute_extension:extended_server_attributes": [["rule:admin_api"]],
"compute_extension:extended_status": ["role":"compute-user"],
"compute_extension:flavorextradata": ["role":"compute-user"],
"compute_extension:flavorextraspecs": ["role":"compute-user"],
"compute_extension:flavormanage": [["rule:admin_api"]],
"compute_extension:floating_ip_dns": ["role":"compute-user"],
"compute_extension:floating_ip_pools": ["role":"compute-user"],
"compute_extension:floating_ips": ["role":"compute-user"],
"compute_extension:hosts": [["rule:admin_api"]],
"compute_extension:keypairs": ["role":"compute-user"],
"compute_extension:multinic": ["role":"compute-user"],
"compute_extension:networks": [["rule:admin_api"]],
"compute_extension:quotas": ["role":"compute-user"],
"compute_extension:rescue": ["role":"compute-user"],
"compute_extension:security_groups": ["role":"compute-user"],
"compute_extension:server_action_list": [["rule:admin_api"]],
"compute_extension:server_diagnostics": [["rule:admin_api"]],
"compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
"compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
"compute_extension:users": [["rule:admin_api"]],
"compute_extension:virtual_interfaces": ["role":"compute-user"],
"compute_extension:virtual_storage_arrays": ["role":"compute-user"],
"compute_extension:volumes": ["role":"compute-user"],
"compute_extension:volumetypes": ["role":"compute-user"],
"volume:create": ["role":"compute-user"],
"volume:get_all": ["role":"compute-user"],
"volume:get_volume_metadata": ["role":"compute-user"],
"volume:get_snapshot": ["role":"compute-user"],
"volume:get_all_snapshots": ["role":"compute-user"],
"network:get_all_networks": ["role":"compute-user"],
"network:get_network": ["role":"compute-user"],
"network:delete_network": ["role":"compute-user"],
"network:disassociate_network": ["role":"compute-user"],
"network:get_vifs_by_instance": ["role":"compute-user"],
"network:allocate_for_instance": ["role":"compute-user"],
"network:deallocate_for_instance": ["role":"compute-user"],
"network:validate_networks": ["role":"compute-user"],
"network:get_instance_uuids_by_ip_filter": ["role":"compute-user"],
"network:get_floating_ip": ["role":"compute-user"],
"network:get_floating_ip_pools": ["role":"compute-user"],
"network:get_floating_ip_by_address": ["role":"compute-user"],
"network:get_floating_ips_by_project": ["role":"compute-user"],
"network:get_floating_ips_by_fixed_address": ["role":"compute-user"],
"network:allocate_floating_ip": ["role":"compute-user"],
"network:deallocate_floating_ip": ["role":"compute-user"],
"network:associate_floating_ip": ["role":"compute-user"],
"network:disassociate_floating_ip": ["role":"compute-user"],
"network:get_fixed_ip": ["role":"compute-user"],
"network:add_fixed_ip_to_instance": ["role":"compute-user"],
"network:remove_fixed_ip_from_instance": ["role":"compute-user"],
"network:add_network_to_project": ["role":"compute-user"],
"network:get_instance_nw_info": ["role":"compute-user"],
"network:get_dns_domains": ["role":"compute-user"],
"network:add_dns_entry": ["role":"compute-user"],
"network:modify_dns_entry": ["role":"compute-user"],
"network:delete_dns_entry": ["role":"compute-user"],
"network:get_dns_entries_by_address": ["role":"compute-user"],
"network:get_dns_entries_by_name": ["role":"compute-user"],
"network:create_private_dns_domain": ["role":"compute-user"],
"network:create_public_dns_domain": ["role":"compute-user"],
"network:delete_dns_domain": ["role":"compute-user"]
}
1.2 服务管理
服务管理有两个主要的概念:
服务
终端
Identity服务同时维护着一份与各个服务相同的用户(如:Compute服务有一个对应的用户名nova),以及一个名为service的特殊服务租户。
blog comments powered by Disqus