Granting Image Access to Tenants on the OpenStack Platform
Case Preparation
1. Node Planning
| IP | Hostname | Node |
|---|---|---|
| 10.24.200.130 | controller | OpenStack Controller node |
2. Basic Preparation
An OpenStack platform built on cloud hosts serves as the lab node. This case shows how to expose different images to different tenants, which makes the OpenStack cloud platform and its tenants easier to manage.
Case Implementation
1. Scenario Analysis
(1) Background
An OpenStack cloud platform has two tenants, A and B, belonging to two departments. The company manages images strictly: all images are uploaded by the administrator, who also manages their permissions.
(2) Requirement
The company has an image that must be shared with tenant A while remaining invisible to tenant B. The simplest way to achieve this would be for a user in tenant A to upload the image themselves: users in tenant A would then see the image and users in tenant B would not. However, ordinary users are not allowed to upload images; only the administrator can.
(3) Solution
The administrator uploads the image and uses the relevant commands to open it to tenant A.
2. Hands-on Steps
(1) Create the tenants
Log in to the OpenStack platform, create tenant A and tenant B, and create one ordinary user in each of them, userA and userB.
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack project create --domain demo projectA
[root@controller ~]# openstack project create --domain demo projectB
[root@controller ~]# openstack user create --domain demo --password Abc@1234 userA
[root@controller ~]# openstack user create --domain demo --password Abc@1234 userB
[root@controller ~]# openstack role add --project projectA --user userA user
[root@controller ~]# openstack role add --project projectB --user userB user
Query the tenant (project) and user information:
[root@controller ~]# openstack project list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 0ce6da9171e84ba297fbc31cd1228b2f | admin |
| 21f2cccd3b5745a6a0bfbc1fcf8e1feb | service |
| 3dd62766bea24fb78ee1f438d1851f28 | projectB |
| 5c53a176cdf14c98a82fa0beb58fa30b | demo |
| a5d9e31b8e0343f9be3417b21e8a235e | projectA |
+----------------------------------+----------+
[root@controller ~]# openstack user list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 55f51154da74467bb7893d561b6de693 | admin |
| 489816708d0546f9a9e5fe43305368c4 | demo |
| 82fcd72461984175899e4b8de3639ad4 | glance |
| cb412595692344898427605daeeb5eb1 | placement |
| 41b64a22ad514c369c65363906dd3c23 | nova |
| 0a14c5a1bc5d4dc3a1f6dd35282d3fb2 | neutron |
| 9d5aea9c38614418a96a34162e75333b | cinder |
| 1bdeb31376374e81ac45c1b38f865453 | swift |
| 46018e6afe244f8bbf46dc42f81c44e1 | userA |
| 67a0e80e829e4f9896a035d53ee14778 | userB |
+----------------------------------+-----------+
# Created successfully!
(2) Upload the image
Copy the image file into the /root directory and upload it to the cloud platform:
[root@controller ~]# openstack image create --disk-format qcow2 --container-format bare --file cirros-0.3.4-x86_64-disk.img cirros1
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2023-02-02T15:00:25Z |
| disk_format | qcow2 |
| file | /v2/images/f185ca1b-7944-4750-aede-427ffc387f52/file |
| id | f185ca1b-7944-4750-aede-427ffc387f52 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros1 |
| owner | 0ce6da9171e84ba297fbc31cd1228b2f |
| properties | os_hash_algo='sha512', os_hash_value='1b03ca1bc3fafe448b90583c12f367949f8b0e665685979d95b004e48574b953316799e23240f4f739d1b5eb4c4ca24d38fdc6f4f9d8247a2bc64db25d6bbdb2', os_hidden='False' |
| protected | False |
| schema | /v2/schemas/image |
| size | 13287936 |
| status | active |
| tags | |
| updated_at | 2023-02-02T15:00:26Z |
| virtual_size | None |
| visibility | shared |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
(3) Permission configuration
Share the image with tenant A. The member passed to member-create is the project ID of projectA (a5d9e31b8e0343f9be3417b21e8a235e in the project list above), not userA's user ID: Glance accepts any member ID without checking it against Keystone, so a user ID is stored but matches no project and nobody in projectA gains access.
Command format: glance member-create <image id> <projectA id>
[root@controller ~]# glance member-create f185ca1b-7944-4750-aede-427ffc387f52 a5d9e31b8e0343f9be3417b21e8a235e
+--------------------------------------+----------------------------------+---------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+---------+
| f185ca1b-7944-4750-aede-427ffc387f52 | a5d9e31b8e0343f9be3417b21e8a235e | pending |
+--------------------------------------+----------------------------------+---------+
After sharing, the membership is in the pending state; the grant still has to be accepted before users in projectA can see the image:
[root@controller ~]# glance member-update f185ca1b-7944-4750-aede-427ffc387f52 a5d9e31b8e0343f9be3417b21e8a235e accepted
+--------------------------------------+----------------------------------+----------+
| Image ID | Member ID | Status |
+--------------------------------------+----------------------------------+----------+
| f185ca1b-7944-4750-aede-427ffc387f52 | a5d9e31b8e0343f9be3417b21e8a235e | accepted |
+--------------------------------------+----------------------------------+----------+
The membership status is now accepted. Switch to userB and then to userA and compare their image lists. The exports below only override the project, user name and password; if admin-openrc.sh sets OS_USER_DOMAIN_NAME / OS_PROJECT_DOMAIN_NAME to a domain other than demo, where these users and projects were created, export those as well:
[root@controller ~]# export OS_PROJECT_NAME=projectB
[root@controller ~]# export OS_USERNAME=userB
[root@controller ~]# export OS_PASSWORD=Abc@1234
[root@controller ~]# glance image-list
+----+------+
| ID | Name |
+----+------+
+----+------+
[root@controller ~]# export OS_PROJECT_NAME=projectA
[root@controller ~]# export OS_USERNAME=userA
[root@controller ~]# export OS_PASSWORD=Abc@1234
[root@controller ~]# glance image-list
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 2803a9e4-8f24-425a-bff2-d35d31d9751b | cirros |
+--------------------------------------+--------+
In this way the administrator controls which tenants may access which images: the shared image cirros1 (f185ca1b-7944-4750-aede-427ffc387f52) should appear in userA's image list and stay absent from userB's.
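As an added example that is not part of the original case, the following Python script audits Glance image membership offline against an intended sharing policy. It uses constructed data in the shape of the CLI's JSON output (IDs taken from the listings above); the `POLICY` mapping and the JSON field names are assumptions. It flags the pitfalls of this procedure: a member ID that is not a project, a grant left pending, a project that should have access but does not, and visibility wider than shared.

```python
import json

# Constructed sample data shaped like `openstack project list -f json`,
# `openstack image show <id> -f json` and `openstack image member list <id> -f json`
# (field names assumed to match the CLI table headers shown in this case).
PROJECTS_JSON = """[
 {"ID": "a5d9e31b8e0343f9be3417b21e8a235e", "Name": "projectA"},
 {"ID": "3dd62766bea24fb78ee1f438d1851f28", "Name": "projectB"}]"""
IMAGES_JSON = """[
 {"id": "f185ca1b-7944-4750-aede-427ffc387f52", "name": "cirros1",
  "visibility": "shared"}]"""
MEMBERS_JSON = """[
 {"Image ID": "f185ca1b-7944-4750-aede-427ffc387f52",
  "Member ID": "46018e6afe244f8bbf46dc42f81c44e1", "Status": "accepted"},
 {"Image ID": "f185ca1b-7944-4750-aede-427ffc387f52",
  "Member ID": "a5d9e31b8e0343f9be3417b21e8a235e", "Status": "pending"}]"""
# Hypothetical intended policy: image name -> set of projects allowed to see it.
POLICY = {"cirros1": {"projectA"}}


def audit(projects_json, images_json, members_json, policy):
    """Return sorted (finding, image_name, detail) tuples; empty means compliant."""
    projects = {p["ID"]: p["Name"] for p in json.loads(projects_json)}
    images = {i["id"]: i for i in json.loads(images_json)}
    members = json.loads(members_json)
    findings = set()
    for m in members:
        image = images.get(m["Image ID"])
        name = image["name"] if image else m["Image ID"]
        member, allowed = m["Member ID"], policy.get(name, set())
        if member not in projects:
            # Not a project ID at all, e.g. a user ID was passed to member-create.
            findings.add(("UNKNOWN_MEMBER", name, member))
        elif projects[member] not in allowed:
            findings.add(("UNEXPECTED_MEMBER", name, projects[member]))
        elif m["Status"] != "accepted":
            # Grant exists but was never accepted, so the project cannot see the image.
            findings.add(("NOT_ACCEPTED", name, projects[member]))
    for image in images.values():
        # public/community visibility bypasses per-project membership entirely.
        if image["visibility"] in ("public", "community"):
            findings.add(("WIDE_VISIBILITY", image["name"], image["visibility"]))
        granted = {projects.get(m["Member ID"]) for m in members
                   if m["Image ID"] == image["id"] and m["Status"] == "accepted"}
        for missing in policy.get(image["name"], set()) - granted:
            findings.add(("MISSING_GRANT", image["name"], missing))
    return sorted(findings)
```

Run against the sample data, the audit reports the user ID used as a member, the pending grant for projectA, and the resulting missing access for projectA; a compliant image with projectA accepted and nothing else yields no findings.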