OCP中的权限管理沿用的Kubernetes RBAC机制,授权模式主要取决于下面几个因数

Rules

针对主要对象的操作权限,比如建立Pod

Sets of permitted verbs on a set of objects. For example, whether something can create pods.

Roles

一系列的Rules的集合,用户和组能关联这些Roles

Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time.

Bindings

用户和组针对角色的关联

Associations between users and/or groups with a role.

RBAC分成两种,一种是集群范围内的,叫做Cluster RBAC,一种是项目范围内的,叫Local RBAC,官方定义如下

Cluster RBAC

Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles.

Local RBAC

Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles.

而当前的Cluster Role包括如下:

Default Cluster Role Description

admin

A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota.

basic-user

A user that can get basic information about projects and users.

cluster-admin

A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.

cluster-status

A user that can get basic cluster status information.

edit

A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.

self-provisioner

A user that can create their own projects.

view

A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.

下面实际操作一下加深理解。

  • 添加用户
htpasswd /etc/origin/master/htpasswd  eric

htpasswd /etc/origin/master/htpasswd  alice
  • 查看用户

首先需要以管理员身份登录

[root@master ~]# oc login -u system:admin

Logged into "https://master.example.com:8443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default

    kube-public

    kube-service-catalog

    kube-system

    logging

    management-infra

    myproject

    openshift

    openshift-ansible-service-broker

    openshift-infra

    openshift-node

    openshift-template-service-broker

    openshift-web-console

  * test

Using project "test".

[root@master ~]# oc get users

NAME      UID                                    FULL NAME   IDENTITIES

admin     7594833f-efd1-11e8-bd01-0800275a35ec               htpasswd_auth:admin

alice     517c077e-f094-11e8-bc3a-0800275a35ec               htpasswd_auth:alice

eric      9ff08197-f093-11e8-bc3a-0800275a35ec               htpasswd_auth:eric

eric和alice各自建立project,eric创建myproject,alice创建test项目

  • 以alice登录后查看rolebinding
[root@master ~]# oc get rolebinding

NAME                    ROLE                    USERS     GROUPS                        SERVICE ACCOUNTS   SUBJECTS

admin                   /admin                  alice

system:deployers        /system:deployer                                                deployer

system:image-builders   /system:image-builder                                           builder

system:image-pullers    /system:image-puller              system:serviceaccounts:test

也就是说每个新建立的项目包含的本地rolebinding包括

  • 查看每个rolebinding具体关联的role和用户
[root@master ~]# oc describe rolebinding.rbac

Name:         admin

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  admin

Subjects:

  Kind  Name   Namespace

  ----  ----   ---------

  User  alice  

Name:         system:deployers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:deployer

Subjects:

  Kind            Name      Namespace

  ----            ----      ---------

  ServiceAccount  deployer  test

Name:         system:image-builders

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-builder

Subjects:

  Kind            Name     Namespace

  ----            ----     ---------

  ServiceAccount  builder  test

Name:         system:image-pullers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-puller

Subjects:

  Kind   Name                         Namespace

  ----   ----                         ---------

  Group  system:serviceaccounts:test
  • 给alice用户授予访问myproject的admin权限
[root@master ~]# oc adm policy add-role-to-user admin alice -n myproject

role "admin" added: "alice"

如果只是需要拉取myproject命名空间下的镜像,可以赋予image-puller权限就可以了

[root@master ~]# oc adm policy add-role-to-user system:image-puller  alice -n myproject

role "system:image-puller" added: "alice"

再度describe一下

[root@master ~]# oc describe rolebinding.rbac  -n myproject

Name:         admin

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  admin

Subjects:

  Kind  Name  Namespace

  ----  ----  ---------

  User  eric  

Name:         admin-

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  admin

Subjects:

  Kind  Name   Namespace

  ----  ----   ---------

  User  alice

Name:         system:deployers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:deployer

Subjects:

  Kind            Name      Namespace

  ----            ----      ---------

  ServiceAccount  deployer  myproject

Name:         system:image-builders

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-builder

Subjects:

  Kind            Name     Namespace

  ----            ----     ---------

  ServiceAccount  builder  myproject

Name:         system:image-puller

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-puller

Subjects:

  Kind  Name   Namespace

  ----  ----   ---------

  User  alice  

Name:         system:image-pullers

Labels:       <none>

Annotations:  <none>

Role:

  Kind:  ClusterRole

  Name:  system:image-puller

Subjects:

  Kind   Name                              Namespace

  ----   ----                              ---------

  Group  system:serviceaccounts:myproject
  • 查看所有的clusterrole
[root@master ~]# oc get clusterrole

NAME

admin

asb-access

asb-auth

basic-user

cluster-admin

cluster-debugger

cluster-reader

cluster-status

edit

hawkular-metrics

hawkular-metrics-admin

.....
  • 查看具体的一个clusterrole能做的内容
[root@master ~]# oc describe clusterrole system:image-builder

Name:        system:image-builder

Created:     hours ago

Labels:        <none>

Annotations:    openshift.io/description=Grants the right to build, push and pull images from within a project.  Used primarily with service accounts for builds.

        openshift.io/reconcile-protect=false

Verbs        Non-Resource URLs    Resource Names    API Groups        Resources

[get update]    []            []        [image.openshift.io ]    [imagestreams/layers]

[create]    []            []        [image.openshift.io ]    [imagestreams]

[update]    []            []        [build.openshift.io ]    [builds/details]

[get]        []            []        [build.openshift.io ]    [builds]

所有缺省的ClusterRole都能绑定用户或组到本地项目中。此外可以自己定义本地Role

==============================================================================================

给权限和回收权限

给一个imager:pruner的权限,以及给一个集群管理员的权限

oc adm policy add-cluster-role-to-user system:image-pruner  eric

oc adm policy add-cluster-role-to-user cluster-admin eric

查看

[root@master ~]# oc get rolebindings

NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS

admin                   /admin                  eric

system:deployers        /system:deployer                                                      deployer

system:image-builders   /system:image-builder                                                 builder

system:image-pruner     /system:image-pruner    eric

system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3

回收

[root@master ~]# oc adm policy remove-role-from-user     system:image-pruner    eric

role "system:image-pruner" removed: "eric"

取消eric的对项目的admin权限,而给只读权限

[root@master ~]# oc adm policy add-role-to-user view eric

role "view" added: "eric"

[root@master ~]# oc adm policy remove-role-from-user admin eric

role "admin" removed: "eric"

[root@master ~]# oc get rolebinding

NAME                    ROLE                    USERS     GROUPS                              SERVICE ACCOUNTS   SUBJECTS

system:deployers        /system:deployer                                                      deployer

system:image-builders   /system:image-builder                                                 builder

system:image-pullers    /system:image-puller              system:serviceaccounts:openshift3

view                    /view                   eric

可以参考

https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html

Openshift 用户,角色和RBAC的更多相关文章

  1. [转]扩展RBAC用户角色权限设计方案

    原文地址:http://www.iteye.com/topic/930648 RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地 ...

  2. 扩展RBAC用户角色权限设计方案

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用户-角色- ...

  3. RBAC用户角色权限设计方案

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用 户-角色 ...

  4. 扩展RBAC用户角色权限设计方案(转载)

    扩展RBAC用户角色权限设计方案  来源:https://www.cnblogs.com/zwq194/archive/2011/03/07/1974821.html https://blog.csd ...

  5. RBAC用户角色权限设计方案【转载】

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用户-角色- ...

  6. 扩展RBAC用户角色权限设计方案<转>

    RBAC(Role-Based Access Control,基于角色的访问控制),就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成“用户-角色- ...

  7. MVC开发模式下的用户角色权限控制

    前提: MVC开发模式 大概思想: 1.在MVC开发模式下,每个功能都对应着不同的控制器或操作方法名(如修改密码功能可能对应着User/changepd),把每个功能对应的控制器名和操作方法名存到数据 ...

  8. [.Net MVC] 用户角色权限管理_使用CLK.AspNet.Identity

    项目:后台管理平台 意义:一个完整的管理平台需要提供用户注册.登录等功能,以及认证和授权功能. 一.为何使用CLK.AspNet.Identity 首先简要说明所采取的权限控制方式.这里采用了基于角色 ...

  9. spring-boot-plus V1.4.0发布 集成用户角色权限部门管理

    RBAC用户角色权限 用户角色权限部门管理核心接口介绍 Shiro权限配置

  10. Django-用户权限,用户角色使用指南

    RBAC(Role-Based Access Control,基于角色的访问控制)就是用户通过角色与权限进行关联.简单地说,一个用户拥有若干角色,每一个角色拥有若干权限.这样,就构造成"用户 ...

随机推荐

  1. swiper 滑动插件,小屏单个显示滑动,大屏全部显示

    var currSwiperIndex=0; function widthHandle(){ var level = widthLevel(); if(level==1){ //单个显示,滑动 if( ...

  2. nowcoder 提高第六场A题

    Solution 60分 因为所有的字母要么全相同要么全不同, 所以两条路径比较字典序只需要比较第一条边就可以, 于是建反图, 在反图上按拓扑序转移就可以. 因为有环, 所以拓扑完入度还是不为0的点答 ...

  3. java中的构造方法与其作用

    什么是构造方法呢? 方法名和类名相同 没有返回值类型,连void都不能写 没有具体的返回值 构造方法分为无参构造方法与有参构造方法. 先来看一下最简单的无参构造方法: Student.java pac ...

  4. java之基本数据类型与引用数据类型

    基本数据类型 需要注意的是字符是基本数据类型,但是字符串不是基本数据类型. 引用数据类型 类.接口类型.数组类型.枚举类型.注解类型. (上面说的字符串String属于引用数据类型中“类”的范畴) 两 ...

  5. gvim代码补全

    gvim 代码自动提示 插件 插件名:AutoComplPop 下载地址:http://www.vim.org/scripts/script.php?script_id=1879 gvim 代码模板补 ...

  6. onethink 重写URL后,apache提示No input file specified

    <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{RE ...

  7. Codeforces 1131 A. Sea Battle-暴力 (Codeforces Round #541 (Div. 2))

    A. Sea Battle time limit per test 1 second memory limit per test 256 megabytes input standard input ...

  8. 转:使用IDA动态调试WanaCrypt0r中的tasksche.exe

    逆向分析——使用IDA动态调试WanaCrypt0r中的tasksche.exe 转:http://www.4hou.com/technology/4832.html 2017年5月19日发布 导语: ...

  9. 微信JSSDK分享功能实现

    <script src="http://res.wx.qq.com/open/js/jweixin-1.2.0.js"></script> <scri ...

  10. ZOJ 3495 Lego Bricks

    计算几何,暴力. 题目中有一句话:$The$ $mass$ $of$ $each$ $brick$ $is$ $equally$ $distributed$ $and$ $it$ $will$ $be ...