Wednesday, March 29, 2017

OpenShift_070: Assigning permissions per Project

Environment: OCP 3.4

Suppose there are two Projects, project1 and project2, with the following requirements:

Regular user admin is the cluster-wide administrator
Regular user p1admin is the administrator of project1
Regular user p1dev1 is a developer in project1 and may modify resources
Regular user p1test1 is a tester in project1 and may only view resources

Regular user p2admin is the administrator of project2
Regular user p2dev1 is a developer in project2 and may modify resources
Regular user p2test1 is a tester in project2 and may only view resources

1. Log in as the superuser
The system user system:admin is the superuser. It authenticates with a client certificate (the one carried in /etc/origin/master/admin.kubeconfig on the master), not with a password, which is why the command below only works from a master node that has that kubeconfig:
oc login -u system:admin

2. Create the accounts (the HTPasswd identity provider reads /etc/origin/master/htpasswd)
htpasswd -b /etc/origin/master/htpasswd admin admin
htpasswd -b /etc/origin/master/htpasswd p1admin p1admin
htpasswd -b /etc/origin/master/htpasswd p2admin p2admin
htpasswd -b /etc/origin/master/htpasswd p1dev1 p1dev1
htpasswd -b /etc/origin/master/htpasswd p1test1 p1test1
htpasswd -b /etc/origin/master/htpasswd p2dev1 p2dev1
htpasswd -b /etc/origin/master/htpasswd p2test1 p2test1

Two caveats about these commands. Passwords identical to the user names are lab placeholders only. The -b flag takes the password on the command line, where it lands in the shell history and is visible in the process list while htpasswd runs; for real accounts drop -b and let htpasswd prompt. Without -B, htpasswd also stores an MD5-based (apr1) hash by default; -B selects bcrypt, which the HTPasswd identity provider accepts as well.

Note: by default, once an account exists and logs in with oc login -u <user> -p <password>, it can create Projects. That ability comes from the self-provisioner cluster role (it appears in the role list under step 7), which is bound cluster-wide to the system:authenticated:oauth group. Whoever creates a Project becomes its administrator, i.e. gets the admin role in it.

In a multi-master setup the same accounts must be created on every master, because each master reads its own copy of the htpasswd file. The command below does that on all masters at once (the trailing -b is Ansible's become, i.e. run with sudo, not the htpasswd -b flag):
ansible -i ansible-hosts masters -m command -a "htpasswd -b /etc/origin/master/htpasswd <user> <password>" -b
The command-line exposure of the password described above now applies on every target host.

3. Grant the admin account administrator rights
oadm policy add-cluster-role-to-user admin admin

This binds the admin cluster role to user admin across the whole cluster, so admin gets the admin role in every existing and future Project. It is not a superuser: the admin role covers namespaced resources only, so cluster-scoped objects (nodes, persistent volumes, cluster roles and cluster policy, security context constraints) stay out of reach, and even inside a Project admin cannot change quotas.

If you grant cluster-admin instead, admin becomes a superuser equivalent to system:admin:

oadm policy add-cluster-role-to-user cluster-admin admin

So the difference between cluster-admin and admin is not only that cluster-admin can view and modify the clusterPolicy; cluster-admin has unrestricted access to everything in the cluster, including the cluster-scoped objects listed above. What the two have in common is that, bound cluster-wide, both can manage every Project. Grant cluster-admin to as few identities as possible and prefer the narrower admin binding when all that is needed is Project management.

The common authorization commands are:
(1) In the current Project, list the users and groups that can perform the given verb on the given resource
oadm policy who-can verb resource
(2) In the current Project, bind a role to a user
oadm policy add-role-to-user role username
(3) In the current Project, remove a role from a user
oadm policy remove-role-from-user role username
(4) In the current Project, remove a user from every role
oadm policy remove-user username
(5) In the current Project, bind a role to a group
oadm policy add-role-to-group role groupname
(6) In the current Project, remove a role from a group
oadm policy remove-role-from-group role groupname
(7) In the current Project, remove a group from every role
oadm policy remove-group groupname
(8) Across all Projects in the cluster, bind a cluster role to a user
oadm policy add-cluster-role-to-user role username
(9) Across all Projects in the cluster, remove a cluster role from a user
oadm policy remove-cluster-role-from-user role username
(10) Across all Projects in the cluster, bind a cluster role to a group
oadm policy add-cluster-role-to-group role groupname
(11) Across all Projects in the cluster, remove a cluster role from a group
oadm policy remove-cluster-role-from-group role groupname

Commands (1) to (7) act on the current Project unless -n <project> is given, and the same subcommands exist under oc policy (step 5 uses that form). Commands (8) to (11) create or remove cluster-wide bindings and therefore need cluster-admin rights themselves.

4. Create the Projects
oc new-project project1
oc new-project project2
Each oc new-project also switches the current Project to the one just created, and because system:admin runs it, system:admin is bound to the admin role in both Projects (the oc get rolebinding output further down shows such a binding).

5. Assign permissions in project1
oc project project1
oc policy add-role-to-user admin p1admin
oc policy add-role-to-user edit p1dev1
oc policy add-role-to-user view p1test1

6. Assign permissions in project2
oc project project2
oc policy add-role-to-user admin p2admin
oc policy add-role-to-user edit p2dev1
oc policy add-role-to-user view p2test1

Two things to keep in mind when choosing between these roles. edit grants read and write access to the Project's secrets along with everything else, so p1dev1 and p2dev1 can read every credential stored in their Project; view deliberately excludes secrets and membership (see the role description under step 8). admin additionally lets its holder edit role bindings, so p1admin can grant further users access to project1 without involving the cluster administrator; hand it out accordingly.
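Steps 2 to 6 above switch Projects by hand and grant one role per command. The script below is an added example, not part of the original post, that applies the same bindings from a single matrix, pins the target Project with -n instead of relying on oc project, refuses to run unless oc whoami reports system:admin, and prints a dry-run plan by default. It assumes oc is on PATH, the accounts from step 2 and the Projects from step 4 exist, and uses only subcommands shown on this page (oc policy add-role-to-user, oc policy who-can, oc whoami); the matrix and the plan/apply switch are constructed for the example.

```sh
#!/bin/sh
# Added example: declarative version of steps 2-6 of the post.
set -eu

# Constructed binding matrix from the requirements list: <project> <user> <role>.
ROLE_MATRIX='
project1 p1admin admin
project1 p1dev1  edit
project1 p1test1 view
project2 p2admin admin
project2 p2dev1  edit
project2 p2test1 view
'

# Dry run: print the oc command for each row without executing it.
# -n names the target Project explicitly, so the result does not depend on
# which Project "oc project" selected last.
plan_matrix() {
    while read -r project user role; do
        [ -n "$project" ] || continue        # skip blank lines
        case "$role" in
            admin|edit|view) ;;              # only the three Project roles used in the post
            *) echo "refusing role '$role' for $user in $project" >&2; return 1 ;;
        esac
        printf 'oc policy add-role-to-user %s %s -n %s\n' "$role" "$user" "$project"
    done <<EOF
$ROLE_MATRIX
EOF
}

# Step 1 of the post: bindings are created as the cluster superuser.
preflight() {
    who=$(oc whoami)
    [ "$who" = "system:admin" ] || { echo "logged in as '$who', expected system:admin" >&2; return 1; }
}

# Execute the plan. eval runs each line in this shell, so set -e stops at the
# first binding that fails instead of skipping it silently.
apply_matrix() {
    preflight || return 1
    plan_matrix | while read -r line; do
        echo "+ $line"
        eval "$line"
    done
}

# Afterwards: who can hand out further roles in each Project (admin holders).
report_admins() {
    for project in project1 project2; do
        echo "== $project"
        oc policy who-can update rolebindings -n "$project"
    done
}

case "${1:-plan}" in
    plan)  plan_matrix ;;
    apply) apply_matrix && report_admins ;;
    *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to see the six commands it would issue; run it with apply to execute them and then list who can change role bindings in each Project, which is the quickest way to spot an unintended admin.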

7. How many roles are there?
oc get clusterroles
Output:
NAME
admin
basic-user
cluster-admin
cluster-debugger
cluster-reader
cluster-status
edit
hawkular-metrics-admin
management-infra-admin
registry-admin
registry-editor
registry-viewer
self-access-reviewer
self-provisioner
storage-admin
sudoer
system:build-controller
system:build-strategy-custom
system:build-strategy-docker
system:build-strategy-jenkinspipeline
system:build-strategy-source
system:certificate-signing-controller
system:daemonset-controller
system:deployer
system:deployment-controller
system:deploymentconfig-controller
system:discovery
system:disruption-controller
system:endpoint-controller
system:gc-controller
system:hpa-controller
system:image-auditor
system:image-builder
system:image-pruner
system:image-puller
system:image-pusher
system:image-signer
system:job-controller
system:master
system:namespace-controller
system:node
system:node-admin
system:node-bootstrapper
system:node-proxier
system:node-reader
system:oauth-token-deleter
system:pv-attach-detach-controller
system:pv-binder-controller
system:pv-provisioner-controller
system:pv-recycler-controller
system:registry
system:replicaset-controller
system:replication-controller
system:router
system:sdn-manager
system:sdn-reader
system:service-ingress-ip-controller
system:service-load-balancer-controller
system:service-serving-cert-controller
system:statefulset-controller
system:unidling-controller
system:webhook
view

8. Which resources can the view role act on?
oc describe clusterrole view
Output (Verbs is what the role may do; the last column lists the resources, grouped by API group):
Name: view
Namespace:
Created: 7 weeks ago
Labels:
Annotations: openshift.io/description=A user who can view but not edit any resources within the project. They can not view secrets or membership.
Verbs Non-Resource URLs Extension Resource Names API Groups Resources
[get list watch] [] [] [] [configmaps endpoints persistentvolumeclaims pods replicationcontrollers serviceaccounts services]
[get list watch] [] [] [] [bindings events limitranges namespaces namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status]
[get list watch] [] [] [autoscaling] [horizontalpodautoscalers]
[get list watch] [] [] [batch] [cronjobs jobs scheduledjobs]
[get list watch] [] [] [extensions] [deployments deployments/scale horizontalpodautoscalers jobs replicasets replicasets/scale]
[get list watch] [] [] [extensions] [daemonsets]
[get list watch] [] [] [apps] [statefulsets]
[get list watch] [] [] [] [buildconfigs buildconfigs/webhooks builds]
[get list watch] [] [] [] [builds/log]
[view] [] [] [build.openshift.io] [jenkins]
[get list watch] [] [] [] [deploymentconfigs deploymentconfigs/scale]
[get list watch] [] [] [] [deploymentconfigs/log deploymentconfigs/status]
[get list watch] [] [] [] [imagestreamimages imagestreammappings imagestreams imagestreamtags]
[get list watch] [] [] [] [imagestreams/status]
[get] [] [] [] [projects]
[get list watch] [] [] [] [appliedclusterresourcequotas]
[get list watch] [] [] [] [routes]
[get list watch] [] [] [] [routes/status]
[get list watch] [] [] [] [processedtemplates templateconfigs templates]
[get list watch] [] [] [] [buildlogs]
[get list watch] [] [] [] [resourcequotausages]

9. List the roles held in the clusterPolicy
oc get clusterpolicy
Output (reflowed; the terminal prints the three columns on one line):
NAME           default
ROLES          admin, basic-user, cluster-admin, cluster-debugger, cluster-reader, cluster-status, edit, hawkular-metrics-admin, management-infra-admin, registry-admin, registry-editor, registry-viewer, self-access-reviewer, self-provisioner, storage-admin, sudoer, system:build-controller, system:build-strategy-custom, system:build-strategy-docker, system:build-strategy-jenkinspipeline, system:build-strategy-source, system:certificate-signing-controller, system:daemonset-controller, system:deployer, system:deployment-controller, system:deploymentconfig-controller, system:discovery, system:disruption-controller, system:endpoint-controller, system:gc-controller, system:hpa-controller, system:image-auditor, system:image-builder, system:image-pruner, system:image-puller, system:image-pusher, system:image-signer, system:job-controller, system:master, system:namespace-controller, system:node, system:node-admin, system:node-bootstrapper, system:node-proxier, system:node-reader, system:oauth-token-deleter, system:pv-attach-detach-controller, system:pv-binder-controller, system:pv-provisioner-controller, system:pv-recycler-controller, system:registry, system:replicaset-controller, system:replication-controller, system:router, system:sdn-manager, system:sdn-reader, system:service-ingress-ip-controller, system:service-load-balancer-controller, system:service-serving-cert-controller, system:statefulset-controller, system:unidling-controller, system:webhook, view
LAST MODIFIED  2017-05-24 02:57:17 -0400 EDT

10. Which resources and verbs does each role in clusterPolicy default cover?
oc describe clusterPolicy default
The output spells out, for every Role, which Verbs it may apply to which Resources.

11. Show which roles are bound to which users and groups in the current or a given Project
oc get rolebinding
Output:
NAME                    ROLE                    USERS          GROUPS                        SERVICE ACCOUNTS   SUBJECTS
admin                   /admin                  system:admin
system:deployers        /system:deployer                                                     deployer
system:image-builders   /system:image-builder                                                builder
system:image-pullers    /system:image-puller                   system:serviceaccounts:test
ROLE is the bound role, USERS and GROUPS the identities bound to it. The group name system:serviceaccounts:test shows that this listing was taken in a Project named test rather than project1; system:admin holds admin there because it created the Project. The three system:* bindings are created with every Project for the builder, deployer and image-pulling service accounts.
oc describe policyBindings :default
oc describe policyBindings :default -n project1

12. Show which cluster roles are bound to which users and groups
oc get clusterrolebinding
This is where the admin or cluster-admin binding from step 3 shows up; check it after every cluster-wide change.
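The rolebinding listings above are where a binding nobody approved (an extra admin, a tester promoted to edit) becomes visible, but reading them by eye does not scale past a couple of Projects. As an added example, not from the original post, the script below dumps the user bindings of project1 and project2 with oc get rolebinding and diffs them against the expected matrix from the requirements. Assumptions: the jsonpath relies on the OCP 3.4 RoleBinding fields roleRef.name and userNames (confirm with oc get rolebinding -o yaml on your cluster); system:admin is allow-listed because, as the output above shows, creating a Project binds the creator to admin; the expected matrix is constructed from the requirements list.

```sh
#!/bin/sh
# Added example: compare live role bindings with the intended matrix.
set -eu

# Constructed expectation from the requirements list: <project> <role> <user>.
EXPECTED='
project1 admin p1admin
project1 edit  p1dev1
project1 view  p1test1
project2 admin p2admin
project2 edit  p2dev1
project2 view  p2test1
'

# Users allowed to hold a role without being in the matrix. system:admin is
# listed because "oc new-project" run as system:admin binds it to admin.
ALLOWLIST='system:admin'

# Squeeze whitespace and drop blank lines so fixed-string matching works.
normalize() { tr -s ' ' | sed -e 's/^ //' -e '/^$/d'; }

# One "<project> <role> <user>" line per user in each rolebinding of a Project.
# Assumption: the 3.4 RoleBinding object exposes roleRef.name and userNames.
dump_bindings() { # dump_bindings <project>
    oc get rolebinding -n "$1" \
        -o jsonpath='{range .items[*]}{.roleRef.name}{" "}{.userNames[*]}{"\n"}{end}' \
    | while read -r role users; do
        for u in $users; do printf '%s %s %s\n' "$1" "$role" "$u"; done
    done
}

# Reads actual "<project> <role> <user>" lines on stdin. Prints one line per
# deviation (EXTRA = binding nobody approved, MISSING = expected binding that
# is gone) and returns 1 if there was any deviation, 0 if the cluster matches.
audit_bindings() {
    actual=$(normalize)
    expected=$(printf '%s\n' "$EXPECTED" | normalize)
    extra=$(printf '%s\n' "$actual" | while read -r project role user; do
        [ -n "$project" ] || continue
        case " $ALLOWLIST " in *" $user "*) continue ;; esac
        printf '%s\n' "$expected" | grep -Fxq "$project $role $user" \
            || echo "EXTRA   $project $role $user"
    done)
    missing=$(printf '%s\n' "$expected" | while read -r project role user; do
        [ -n "$project" ] || continue
        printf '%s\n' "$actual" | grep -Fxq "$project $role $user" \
            || echo "MISSING $project $role $user"
    done)
    result=$(printf '%s\n%s\n' "$extra" "$missing" | grep . || true)
    [ -n "$result" ] || return 0
    printf '%s\n' "$result"
    return 1
}

# Audit the live cluster: sh audit.sh run   (exit status 1 on any deviation)
if [ "${1:-}" = run ]; then
    for p in project1 project2; do dump_bindings "$p"; done | audit_bindings
fi
```

The non-zero exit status makes the check usable from a cron job or a pipeline gate. Group bindings are deliberately not covered here; extend the jsonpath with groupNames if you hand out roles to groups, and the same field layout should let you run the check over oc get clusterrolebinding to list cluster-admin holders.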
