第 12 章 配置 RBAC

在 OpenStack Networking 中使用 RBAC(Role-based Access Control,基于角色的访问控制)可以对共享 neutron 网络进行“颗粒式”的控制。以前,网络只可能在所有租户网络中共享,或不被任何网络共享。现在,OpenStack Networking 使用一个 RBAC 表来控制 neutron 网络在不同租户间的共享,管理员可以控制哪些租户有权限把实例附加到网络中。
作为结果,云管理员可以删除一些租户的创建网络的权限,而只允许他们附加那些与他们的项目相关的已存在的网络。

12.1. 创建一个新的 RBAC 策略

以下是如何使用 RBAC 策略来为一个租户赋予访问一个共享网络的步骤示例。

  1. 查看所有有效网络的列表:

    # neutron net-list
    +--------------------------------------+-------------+-------------------------------------------------------+
    | id                                   | name        | subnets                                               |
    +--------------------------------------+-------------+-------------------------------------------------------+
    | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 | web-servers | 20512ffe-ad56-4bb4-b064-2cb18fecc923 192.168.200.0/24 |
    | bcc16b34-e33e-445b-9fde-dd491817a48a | private     | 7fe4a05a-4b81-4a59-8c47-82c965b0e050 10.0.0.0/24      |
    | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 | public      | 2318dc3b-cff0-43fc-9489-7d4cf48aaab9 172.24.4.224/28  |
    +--------------------------------------+-------------+-------------------------------------------------------+
  2. 查看租户列表:

    # openstack project list
    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 4b0b98f8c6c040f38ba4f7146e8680f5 | auditors |
    | 519e6344f82e4c079c8e2eabb690023b | services |
    | 80bf5732752a41128e612fe615c886c6 | demo     |
    | 98a2f53c20ce4d50a40dac4a38016c69 | admin    |
    +----------------------------------+----------+
  3. web-servers 网络创建一个 RBAC,它为 auditors tenant (4b0b98f8c6c040f38ba4f7146e8680f5) 赋予了访问权限:

    # neutron rbac-create fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 --type network --target-tenant 4b0b98f8c6c040f38ba4f7146e8680f5 --action access_as_shared
    Created a new rbac_policy:
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_shared                     |
    | id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
    | object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
    | object_type   | network                              |
    | target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
    | tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
    +---------------+--------------------------------------+

作为结果,auditors 项目中的用户可以把实例连接到 web-servers 网络。

12.2. 检查 RBAC 策略

  1. 使用 neutron rbac-list 获得已存在 RBAC 策略的 ID:

    # neutron rbac-list
    +--------------------------------------+-------------+--------------------------------------+
    | id                                   | object_type | object_id                            |
    +--------------------------------------+-------------+--------------------------------------+
    | 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
    | bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
    +--------------------------------------+-------------+--------------------------------------+
  2. 使用 neutron rbac-show 查看特定 RBAC 项的详细信息:

    # neutron rbac-show 314004d0-2261-4d5e-bda7-0181fcf40709
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_shared                     |
    | id            | 314004d0-2261-4d5e-bda7-0181fcf40709 |
    | object_id     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
    | object_type   | network                              |
    | target_tenant | 4b0b98f8c6c040f38ba4f7146e8680f5     |
    | tenant_id     | 98a2f53c20ce4d50a40dac4a38016c69     |
    +---------------+--------------------------------------+

12.3. 删除 RBAC 策略

  1. 使用 neutron rbac-list 获得已存在 RBAC 策略的 ID:

    # neutron rbac-list
    +--------------------------------------+-------------+--------------------------------------+
    | id                                   | object_type | object_id                            |
    +--------------------------------------+-------------+--------------------------------------+
    | 314004d0-2261-4d5e-bda7-0181fcf40709 | network     | fa9bb72f-b81a-4572-9c7f-7237e5fcabd3 |
    | bbab1cf9-edc5-47f9-aee3-a413bd582c0a | network     | 9b2f4feb-fee8-43da-bb99-032e4aaf3f85 |
    +--------------------------------------+-------------+--------------------------------------+
  2. 使用 neutron rbac-delete 删除 RBAC(使用它的 ID):

    # neutron rbac-delete 314004d0-2261-4d5e-bda7-0181fcf40709
    Deleted rbac_policy: 314004d0-2261-4d5e-bda7-0181fcf40709

12.4. 外部网络的 RBA

通过使用 --action access_as_external 参数,RBAC 可以控制对外部网络(带有网关接口的网络)的访问。

例如,以下步骤为 web-servers 网络创建了一个 RBAC,并为 engineering 租户(c717f263785d4679b16a122516247deb)赋予了访问权限:

1. 使用 --action access_as_external 创建一个新的 RBAC 策略:

# neutron rbac-create 6e437ff0-d20f-4483-b627-c3749399bdca --type network --target-tenant c717f263785d4679b16a122516247deb --action access_as_external
 Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_external                   |
| id            | ddef112a-c092-4ac1-8914-c714a3d3ba08 |
| object_id     | 6e437ff0-d20f-4483-b627-c3749399bdca |
| object_type   | network                              |
| target_tenant | c717f263785d4679b16a122516247deb     |
| tenant_id     | c717f263785d4679b16a122516247deb     |
+---------------+--------------------------------------+

2. 作为结果,Engineering 租户中的用户可以查看这个网络,或把实例连接到这个网络:

$ neutron net-list
+--------------------------------------+-------------+------------------------------------------------------+
| id                                   | name        | subnets                                              |
+--------------------------------------+-------------+------------------------------------------------------+
| 6e437ff0-d20f-4483-b627-c3749399bdca | web-servers | fa273245-1eff-4830-b40c-57eaeac9b904 192.168.10.0/24 |
+--------------------------------------+-------------+------------------------------------------------------+