Permission management in OCP reuses the Kubernetes RBAC mechanism. The authorization model is built from the following three elements:

Rules

Sets of permitted verbs on a set of objects. For example, whether something can create pods.

Roles

Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time.

Bindings

Associations between users and/or groups with a role.

RBAC comes in two scopes: cluster-wide, called Cluster RBAC, and project-scoped, called Local RBAC. The official definitions are:

Cluster RBAC

Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles.

Local RBAC

Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles.

The default cluster roles are:

Default Cluster Role    Description

admin

A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota.

basic-user

A user that can get basic information about projects and users.

cluster-admin

A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.

cluster-status

A user that can get basic cluster status information.

edit

A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings.

self-provisioner

A user that can create their own projects.

view

A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings.

Let's try this hands-on to make it concrete.

  • Add users
htpasswd /etc/origin/master/htpasswd  eric

htpasswd /etc/origin/master/htpasswd  alice
  • List users

This must be done as the cluster administrator, so log in first:

[root@master ~]# oc login -u system:admin
Logged into "https://master.example.com:8443" as "system:admin" using existing credentials.

You have access to the following projects and can switch between them with 'oc project <projectname>':

    default
    kube-public
    kube-service-catalog
    kube-system
    logging
    management-infra
    myproject
    openshift
    openshift-ansible-service-broker
    openshift-infra
    openshift-node
    openshift-template-service-broker
    openshift-web-console
  * test

Using project "test".
[root@master ~]# oc get users
NAME      UID                                    FULL NAME   IDENTITIES
admin     7594833f-efd1-11e8-bd01-0800275a35ec               htpasswd_auth:admin
alice     517c077e-f094-11e8-bc3a-0800275a35ec               htpasswd_auth:alice
eric      9ff08197-f093-11e8-bc3a-0800275a35ec               htpasswd_auth:eric

eric and alice each create a project: eric creates myproject and alice creates test.

  • Log in as alice and list the rolebindings in her project (test)
[root@master ~]# oc get rolebinding
NAME                    ROLE                    USERS   GROUPS                        SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  alice
system:deployers        /system:deployer                                              deployer
system:image-builders   /system:image-builder                                         builder
system:image-pullers    /system:image-puller            system:serviceaccounts:test

In other words, every newly created project comes with four local rolebindings: admin for the project creator (here alice), and system:deployers, system:image-builders and system:image-pullers for the project's deployer and builder service accounts and for the group of all service accounts in the project.

  • Inspect the role and the subjects each rolebinding associates
[root@master ~]# oc describe rolebinding.rbac
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice

Name:         system:deployers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  test

Name:         system:image-builders
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  test

Name:         system:image-pullers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                         Namespace
  ----   ----                         ---------
  Group  system:serviceaccounts:test
  • Grant alice the admin role on myproject
[root@master ~]# oc adm policy add-role-to-user admin alice -n myproject
role "admin" added: "alice"

If alice only needs to pull images from the myproject namespace, the much narrower system:image-puller role is enough; there is no need to hand out admin:

[root@master ~]# oc adm policy add-role-to-user system:image-puller  alice -n myproject
role "system:image-puller" added: "alice"

Describe the bindings again:

[root@master ~]# oc describe rolebinding.rbac  -n myproject
Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name  Namespace
  ----  ----  ---------
  User  eric

Name:         admin-
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice

Name:         system:deployers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  myproject

Name:         system:image-builders
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  myproject

Name:         system:image-puller
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  alice

Name:         system:image-pullers
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                              Namespace
  ----   ----                              ---------
  Group  system:serviceaccounts:myproject
  • List all clusterroles
[root@master ~]# oc get clusterrole
NAME
admin
asb-access
asb-auth
basic-user
cluster-admin
cluster-debugger
cluster-reader
cluster-status
edit
hawkular-metrics
hawkular-metrics-admin
.....
  • Inspect what a specific clusterrole allows
[root@master ~]# oc describe clusterrole system:image-builder
Name:         system:image-builder
Created:      hours ago
Labels:       <none>
Annotations:  openshift.io/description=Grants the right to build, push and pull images from within a project. Used primarily with service accounts for builds.
              openshift.io/reconcile-protect=false
Verbs         Non-Resource URLs  Resource Names  API Groups            Resources
[get update]  []                 []              [image.openshift.io]  [imagestreams/layers]
[create]      []                 []              [image.openshift.io]  [imagestreams]
[update]      []                 []              [build.openshift.io]  [builds/details]
[get]         []                 []              [build.openshift.io]  [builds]

Any of the default ClusterRoles can be bound to users or groups inside a local project. You can also define your own local Roles when none of the defaults is narrow enough.
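As an added example (not from the original post and not OpenShift's own tooling), here is a local Role written from scratch and the bindings that use it. The role name pod-log-reader, the binding names, and the premise that alice needs only read access to pods in myproject are my assumptions; the rbac.authorization.k8s.io/v1 API is what the Kubernetes 1.9 underneath OpenShift 3.9 serves. The script renders the manifests, refuses a Role that uses a wildcard rule, and only calls oc apply when oc is on the PATH:

```shell
#!/bin/sh
# Added example, not code from the original post. Renders a local Role plus the
# RoleBindings that use it, lints the Role for wildcard rules, and applies the
# manifests only if `oc` is available. Names below (pod-log-reader, the binding
# names, the project and user) are assumptions for illustration.

# Rules live inside a Role: verbs on resources, scoped to one project.
# This Role grants read-only access to pods and their logs, nothing else.
render_role() {
  ns="$1"; name="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${name}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
EOF
}

# A RoleBinding ties a User to a role inside one project. role_kind may be
# "Role" (local) or "ClusterRole": a local binding can reference either.
render_rolebinding() {
  ns="$1"; name="$2"; role_kind="$3"; role_name="$4"; user="$5"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${name}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ${role_kind}
  name: ${role_name}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${user}
EOF
}

# Reject a Role manifest (on stdin) that uses "*" anywhere in its rules:
# a wildcard verb, resource or apiGroup is effectively project admin.
lint_role() {
  if grep -q '"\*"'; then
    echo "lint_role: wildcard found in rules, refusing" >&2
    return 1
  fi
  return 0
}

# Full bundle for one project/user: the custom local Role, a binding to it,
# and a binding to the built-in ClusterRole system:image-puller (the same
# least-privilege grant the post makes for alice with add-role-to-user).
render_bundle() {
  ns="$1"; user="$2"
  render_role "$ns" pod-log-reader
  echo '---'
  render_rolebinding "$ns" pod-log-readers Role pod-log-reader "$user"
  echo '---'
  render_rolebinding "$ns" image-pullers-"$user" ClusterRole system:image-puller "$user"
}

# Lint first; apply only when oc is installed, otherwise just print the YAML.
if render_role myproject pod-log-reader | lint_role; then
  if command -v oc >/dev/null 2>&1; then
    render_bundle myproject alice | oc apply -f -
  else
    render_bundle myproject alice
  fi
fi
```

Applying this with oc apply is equivalent to the add-role-to-user commands above, but the manifests can be reviewed and version-controlled, and the wildcard check stops a "convenient" `verbs: ["*"]` from turning a read-only role into admin.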

==============================================================================================

Granting and revoking permissions

Grant eric the system:image-pruner cluster role, and then the cluster-admin cluster role:

oc adm policy add-cluster-role-to-user system:image-pruner  eric

oc adm policy add-cluster-role-to-user cluster-admin eric

List the bindings in the current project (openshift3). A ClusterRoleBinding created by add-cluster-role-to-user is listed separately with oc get clusterrolebindings, which is why the cluster-admin binding does not appear here:

[root@master ~]# oc get rolebindings
NAME                    ROLE                    USERS   GROUPS                              SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  eric
system:deployers        /system:deployer                                                    deployer
system:image-builders   /system:image-builder                                               builder
system:image-pruner     /system:image-pruner    eric
system:image-pullers    /system:image-puller            system:serviceaccounts:openshift3

Revoke the image-pruner binding. Note that remove-role-from-user only touches bindings in the current project; a ClusterRoleBinding created with add-cluster-role-to-user is removed with the cluster-scoped counterpart, oc adm policy remove-cluster-role-from-user.

[root@master ~]# oc adm policy remove-role-from-user     system:image-pruner    eric
role "system:image-pruner" removed: "eric"

Replace eric's admin role on the project with read-only access. Add view first and remove admin second, so eric is never left without any binding in between:

[root@master ~]# oc adm policy add-role-to-user view eric
role "view" added: "eric"
[root@master ~]# oc adm policy remove-role-from-user admin eric
role "admin" removed: "eric"
[root@master ~]# oc get rolebinding
NAME                    ROLE                    USERS   GROUPS                              SERVICE ACCOUNTS   SUBJECTS
system:deployers        /system:deployer                                                    deployer
system:image-builders   /system:image-builder                                               builder
system:image-pullers    /system:image-puller            system:serviceaccounts:openshift3
view                    /view                   eric
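The flat oc get rolebindings table above is awkward to check by machine because empty columns shift. As an added example (not part of the original post), the script below pulls the same information as TSV through jsonpath, both for the project and for ClusterRoleBindings (where add-cluster-role-to-user puts the cluster-admin grant that the project listing does not show), and reports every User or Group that holds a privileged role. The jsonpath template, the list of roles treated as privileged, and the two sample tables are my assumptions; the samples are constructed to mirror the openshift3 bindings before and after the revoke:

```shell
#!/bin/sh
# Added example, not code from the original post: audit which Users and Groups
# hold privileged roles in a project and cluster-wide, so a grant/revoke can be
# verified. The jsonpath template, PRIVILEGED_ROLES and the sample data are
# assumptions; the samples are constructed to mirror the openshift3 project.

PRIVILEGED_ROLES='admin cluster-admin edit'

# One TSV line per binding: name, roleRef kind, roleRef name, "Kind:name ..." subjects.
fetch_rolebindings() {
  oc get rolebinding.rbac -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.kind}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name}{" "}{end}{"\n"}{end}'
}

# Same shape for ClusterRoleBindings: add-cluster-role-to-user lands here, and a
# project-only audit would never see a cluster-admin grant.
fetch_clusterrolebindings() {
  oc get clusterrolebinding.rbac -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.kind}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name}{" "}{end}{"\n"}{end}'
}

# Read TSV lines on stdin and print "Subject role binding" for every User or
# Group subject of a privileged role. ServiceAccounts are skipped because the
# default deployer/builder accounts are expected in every project.
privileged_subjects() {
  awk -F '\t' -v roles="$PRIVILEGED_ROLES" '
    BEGIN { n = split(roles, r, " "); for (i = 1; i <= n; i++) priv[r[i]] = 1 }
    NF < 4 || !($3 in priv) { next }
    {
      m = split($4, subj, " ")
      for (i = 1; i <= m; i++) {
        split(subj[i], kn, ":")          # kn[1] is the subject kind
        if (kn[1] == "User" || kn[1] == "Group") print subj[i], $3, $1
      }
    }'
}

# Constructed sample: the openshift3 project before the revoke (eric is admin).
SAMPLE_BEFORE="$(printf 'admin\tClusterRole\tadmin\tUser:eric \nsystem:deployers\tClusterRole\tsystem:deployer\tServiceAccount:deployer \nsystem:image-builders\tClusterRole\tsystem:image-builder\tServiceAccount:builder \nsystem:image-pullers\tClusterRole\tsystem:image-puller\tGroup:system:serviceaccounts:openshift3 ')"

# Constructed sample: after "add-role-to-user view eric" and "remove-role-from-user admin eric".
SAMPLE_AFTER="$(printf 'system:deployers\tClusterRole\tsystem:deployer\tServiceAccount:deployer \nsystem:image-builders\tClusterRole\tsystem:image-builder\tServiceAccount:builder \nsystem:image-pullers\tClusterRole\tsystem:image-puller\tGroup:system:serviceaccounts:openshift3 \nview\tClusterRole\tview\tUser:eric ')"

# Run the audit over an in-memory sample table.
audit_sample() {
  printf '%s\n' "$1" | privileged_subjects
}

if command -v oc >/dev/null 2>&1; then
  ns="${1:-myproject}"
  echo "== project $ns =="
  fetch_rolebindings "$ns" | privileged_subjects
  echo "== cluster-wide =="
  fetch_clusterrolebindings | privileged_subjects
else
  echo "== before revoke =="; audit_sample "$SAMPLE_BEFORE"
  echo "== after revoke ==";  audit_sample "$SAMPLE_AFTER"
fi
```

Against the "before" sample the audit reports `User:eric admin admin`; after the view/admin swap it reports nothing for the project, which is the state the oc get rolebinding output above shows. Running it with a live oc also walks the ClusterRoleBindings, so the cluster-admin grant to eric earlier in this section is not missed just because it is invisible in the project listing.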

See also:

https://docs.openshift.com/container-platform/3.9/admin_guide/manage_rbac.html
