Keystone policy文件介绍

最新推荐文章于 2023-05-18 12:56:47 发布
最新推荐文章于 2023-05-18 12:56:47 发布
阅读量984 收藏
点赞数
分类专栏: Openstack 文章标签: keystone
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/chengqiuming/article/details/79597784
版权
一 policy.json文件截图

二 文件内容
该文件描述的是执行某一个命令需要的权限。 
[root@controller0 ~]# cat /etc/keystone/policy.json
{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "default": "rule:admin_required",
    "identity:get_region": "",
    "identity:list_regions": "",
    "identity:create_region": "rule:admin_required",
    "identity:update_region": "rule:admin_required",
    "identity:delete_region": "rule:admin_required",
    "identity:get_service": "rule:admin_required",
    "identity:list_services": "rule:admin_required",
    "identity:create_service": "rule:admin_required",
    "identity:update_service": "rule:admin_required",
    "identity:delete_service": "rule:admin_required",
    "identity:get_endpoint": "rule:admin_required",
    "identity:list_endpoints": "rule:admin_required",
    "identity:create_endpoint": "rule:admin_required",
    "identity:update_endpoint": "rule:admin_required",
    "identity:delete_endpoint": "rule:admin_required",
    "identity:get_domain": "rule:admin_required",
    "identity:list_domains": "rule:admin_required",
    "identity:create_domain": "rule:admin_required",
    "identity:update_domain": "rule:admin_required",
    "identity:delete_domain": "rule:admin_required",
    "identity:get_project": "rule:admin_required",
    "identity:list_projects": "rule:admin_required",
    "identity:list_user_projects": "rule:admin_or_owner",
    "identity:create_project": "rule:admin_required",
    "identity:update_project": "rule:admin_required",
    "identity:delete_project": "rule:admin_required",
    "identity:get_user": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
    "identity:create_user": "rule:admin_required",
    "identity:update_user": "rule:admin_required",
    "identity:delete_user": "rule:admin_required",
    "identity:change_password": "rule:admin_or_owner",
    "identity:get_group": "rule:admin_required",
    "identity:list_groups": "rule:admin_required",
    "identity:list_groups_for_user": "rule:admin_or_owner",
    "identity:create_group": "rule:admin_required",
    "identity:update_group": "rule:admin_required",
    "identity:delete_group": "rule:admin_required",
    "identity:list_users_in_group": "rule:admin_required",
    "identity:remove_user_from_group": "rule:admin_required",
    "identity:check_user_in_group": "rule:admin_required",
    "identity:add_user_to_group": "rule:admin_required",
    "identity:get_credential": "rule:admin_required",
    "identity:list_credentials": "rule:admin_required",
    "identity:create_credential": "rule:admin_required",
    "identity:update_credential": "rule:admin_required",
    "identity:delete_credential": "rule:admin_required",
    "identity:ec2_get_credential": "rule:admin_or_owner",
    "identity:ec2_list_credentials": "rule:admin_or_owner",
    "identity:ec2_create_credential": "rule:admin_or_owner",
    "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
    "identity:get_role": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
    "identity:create_role": "rule:admin_required",
    "identity:update_role": "rule:admin_required",
    "identity:delete_role": "rule:admin_required",
    "identity:check_grant": "rule:admin_required",
    "identity:list_grants": "rule:admin_required",
    "identity:create_grant": "rule:admin_required",
    "identity:revoke_grant": "rule:admin_required",
    "identity:list_role_assignments": "rule:admin_required",
    "identity:get_policy": "rule:admin_required",
    "identity:list_policies": "rule:admin_required",
    "identity:create_policy": "rule:admin_required",
    "identity:update_policy": "rule:admin_required",
    "identity:delete_policy": "rule:admin_required",
    "identity:check_token": "rule:admin_required",
    "identity:validate_token": "rule:service_or_admin",
    "identity:validate_token_head": "rule:service_or_admin",
    "identity:revocation_list": "rule:service_or_admin",
    "identity:revoke_token": "rule:admin_or_owner",
    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:get_trust": "rule:admin_or_owner",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:check_role_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
    "identity:create_consumer": "rule:admin_required",
    "identity:get_consumer": "rule:admin_required",
    "identity:list_consumers": "rule:admin_required",
    "identity:delete_consumer": "rule:admin_required",
    "identity:update_consumer": "rule:admin_required",
    "identity:authorize_request_token": "rule:admin_required",
    "identity:list_access_token_roles": "rule:admin_required",
    "identity:get_access_token_role": "rule:admin_required",
    "identity:list_access_tokens": "rule:admin_required",
    "identity:get_access_token": "rule:admin_required",
    "identity:delete_access_token": "rule:admin_required",
    "identity:list_projects_for_endpoint": "rule:admin_required",
    "identity:add_endpoint_to_project": "rule:admin_required",
    "identity:check_endpoint_in_project": "rule:admin_required",
    "identity:list_endpoints_for_project": "rule:admin_required",
    "identity:remove_endpoint_from_project": "rule:admin_required",
    "identity:create_identity_provider": "rule:admin_required",
    "identity:list_identity_providers": "rule:admin_required",
    "identity:get_identity_providers": "rule:admin_required",
    "identity:update_identity_provider": "rule:admin_required",
    "identity:delete_identity_provider": "rule:admin_required",
    "identity:create_protocol": "rule:admin_required",
    "identity:update_protocol": "rule:admin_required",
    "identity:get_protocol": "rule:admin_required",
    "identity:list_protocols": "rule:admin_required",
    "identity:delete_protocol": "rule:admin_required",
    "identity:create_mapping": "rule:admin_required",
    "identity:get_mapping": "rule:admin_required",
    "identity:list_mappings": "rule:admin_required",
    "identity:delete_mapping": "rule:admin_required",
    "identity:update_mapping": "rule:admin_required",
    "identity:list_projects_for_groups": "",
    "identity:list_domains_for_groups": "",
    "identity:list_revoke_events": ""
}


chengqiuming
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Keystone组件详解
ZXJ_asu的博客
05-26 3887
了解openstack keystone组件
深挖Openstack keystone - 源码分析(1)
熊孩子会撒野
07-17 1292
一.  Policy策略 Policy机制就是用来控制某一个User在某个Tenant中某个操作的权限。对于Keystone服务来说,policy就是一个json文件,默认是/etc/keystone/policy.json。 {     "admin_required": "role:admin",     "cloud_admin": "rule:admin_required and d...
keystone policy.json 的学习总结
diaogeng2629的博客
12-04 336
keystonepolicy.json文件位于:/etc/keystone/policy.json 其内容如下: 1 { 2 "admin_required": "role:admin or is_admin:1", 34 "identity:get_project": "rule:admin_required", 35 ...
Keystone关键概念图解
实践求真知
02-25 2499
一 一个生活实例类比Keystone二 主要功能身份验证:Authenticaton授权:Authorization服务目录:Catalog of services三 Keystone的主要概念四 策略PolicyKeyshone V3中的新概念将Tenant改为project引入Group概念引入Domain的概念引入Region的概念...
OpenStack-Keystone组件-详解
最新发布
m0_62727902的博客
05-18 591
Keystone V3之前,用户的权限管理以每一个用户为单位,需要对每一个用户进行角色分配,并不存在一种对一组用户进行统一管理的方案,这给系统管理员带来了额外的工作和不便。3. User/API 向Keystone发送带有特定租户的凭证(交互权限),告诉Keystone User/API在哪个项目中,Keystone收到请求后,会发送一个项目的Token到User/API (访问权限),User/API 拿着Token和Endpoint找到可访问服务。经过验证后,会为每个单独的租户提供一个特定的令牌。
OpenStack Keystone架构一:Keystone基础
weixin_33831673的博客
11-15 524
一 什么是keystone keystone是OpenStack的身份服务,暂且可以理解为一个'与权限有关'的组件。 二 为何要有keystone Keystone项目的主要目的是为访问openstack的各个组件(nova,cinder,glance...)提供一个统一的验证方式,具体的: openstack是由众多组件构成的一套系统,该系统的功能是...
keystone.conf.bak
10-13
OpenStack身份认证组件keystone的配置文件备份,放入/etc/keystone/路径下并改名为keystone.conf生效
OpenStack Keystone的基本概念详细介绍
01-20
OpenStack Keystone的基本概念理解 Keystone简介  Keystone(OpenStack Identity Service)是OpenStack框架中,负责身份验证、服务规则和服务令牌的功能, 它实现了OpenStack的...Keystone基本概念介绍  1. User
Keystone:Keystone Linux 项目的文件
06-07
Arch Linux 安装 ###划分 parted /dev/sdX mklabel gpt mkpart ESP fat32 1M 513M set 1 boot on mkpart primary btrfs 513M 100% mkfs.vfat -F32 /dev/sda1 mkfs.btrfs /dev/sda2 ###山 ...
n阶keystone函数_keystone变换_matlab
07-14
在压缩包中的"Keystone函数"文件,很可能是实现了以上步骤的一个Matlab函数或脚本。通过调用这个函数,并输入合适的参数(如n阶、特征点信息等),用户可以直接对存在keystone失真的图像进行校正,无需深入了解复杂...
探索 OpenStack 之(13):研究 Keystone
weixin_34252686的博客
02-10 131
Keystone 是 OpenStack Identity Service 的项目名称。本文就试着尽可能深入地研究 Keystone。 1. Keystone 的功能 做为 OpenStack 云系统的入口,Keystone 提供了云系统入口所需要的许多功能: (1). 用户身份验证:系统得知道用户是不是合法的用户。为此,Keystone 需要对 user 进行管理和保存;管理用户相关的 t...
OpenStack J版本 policy.json限制用户action权限
湛岚的博客
10-21 3531
OpenStack J版本 policy.json限制用户action权限
openstack policy 鉴权过程分析
少帅的天空
03-13 9517
1. openstack 鉴权简单介绍       众所周知,openstack通过keystone用来完成authenticate(认证),真正的鉴权(authorize)是在各个模块分别做的,具体实现为每个模块都有一个policy文件,叫policy.json,里面定义了鉴权用的rules。    以nova为例,policy文件的位置在:/etc/nova/policy.json,下面先来看
keystone介绍
热门推荐
Fivestar_wang的专栏
09-27 1万+
keystone简介 keystone(openstack identity service)是openstack框架中负责身份验证、服务规则和服务令牌的功能, 它实现了openstack的Identity API。 keystone类似一个服务总线,或者说是挣个openstack框架的注册表, 其他服务通过keystone来注册其服务的Endpoint(服务访问的URL),任何服务之间的相互调
OpenStack学习笔记(一)
m0_51734025的博客
06-23 1041
基于OpenStack设计与实现书籍内容笔记:了解最原始的初始化虚拟化技术:允许多个用户远程共享同一高性能计算设备的时间了解了虚拟化技术的初衷:使昂贵的大型资源得到尽可能的充分利用云计算的三种模式:公有云、私有云和混合云扩展了解:1、公有云:面向大众提供资源的服务;用户通过互联网来获取这些资源的使用;优势:成本低,扩展性非常好缺点:对于云端的资源缺乏控制、保密数据的安全性、网络性能和匹配性问题2、私有云:“私有”更多是指此类平台属于非共享资源,而非指其安全优势。私有云是为了一个客户单独使用而构建的,所以这些
OpenStack — Keystone
李少侠
01-27 3624
文章目录Keystone概念AuthenticationCredentialsEndpointDomainGroupProjectRegionRoleServiceTokenUserKeystone在OpenStack中的工作流程 Keystone概念 Authentication 确认用户身份的过程。为了确认传入的请求,keystone会验证用户提供的一组凭证。 最初,这些凭证是用户名和密码,或者用户名和API key。 当keystone验证用户凭证时,它会发出一个认证令牌。用户在随后的请求中提供令牌。
磨刀不误砍柴工,OpenStack核心服务详解(上)
极客不撩妹
05-25 1820
前言 OpenStack操作界面管理 OpenStack操作界面服务Horizon提供基于Web的控制界面,是云管理员和用户能够管理各种OpenStack资源和服务。 从Horizon着手学习OpenStack,快速了解OpenStack全貌,为学习OpenStack技术细节打下扎实基础。 OpenStack操作界面服务Horizon简介 OpenStack操作界面Horizon Horizon 操作界面 首次出现在OpenStack的"Essex"版本中 简介 Horizon提供基于Web的控制界面,使
关于 IdentityServer 部署到生产环境相关问题踩坑记录
weixin_34198797的博客
03-07 2422
Idsr 定义了几种模式适用于不同的场景: // // 摘要: // OpenID Connect flows. public enum Flows { // // 摘要: // authorization code flow AuthorizationCo...
了解和使用keystone(三)创建admin用户
愷风(Wei)的专栏
09-10 1万+
admin用户可以用来创建domain,project,user。在keystone.conf中,通过设定admin_token,提供了一个初始的管理员令牌,假定为ADMIN,我们用这个令牌来创建admin用户。这是个管理的问题,如果分配给不同的人员,应该要使用不同的username/password。 配置环境变量 $ openstack --os-token=ADMIN --os-url=
[ ] Texas Instruments Keystone Devices 介绍
05-17
德州仪器(Texas Instruments,简称TI)的Keystone系列芯片是一系列高性能、低功耗的多核数字信号处理器(DSP)和通用处理器。这些芯片采用TI独有的C66x DSP架构和ARM Cortex-A15 MPCore处理器,提供了卓越的处理...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值