本帖最后由 pig2 于 2015-9-23 17:31 编辑
问题导读
1.如何禁用token?
2.普通租户是否具有查看用户的权限?
3.如何取消临时token?
1.为了安全,禁用临时token机制
编辑文件/usr/share/keystone/keystone-dist-paste.ini,移除标签
[pipeline:public_api], [pipeline:admin_api], 和 [pipeline:api_v3] 部分的admin_token_auth
2.取消临时token和url
[mw_shl_code=bash,true]unset OS_TOKEN OS_URL[/mw_shl_code]
3.使用admin用户验证,需要输入admin的密码
[mw_shl_code=bash,true]openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
token issue[/mw_shl_code]
[mw_shl_code=bash,true]+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+[/mw_shl_code]
4.使用默认域获取token
openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
[mw_shl_code=bash,true]+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+[/mw_shl_code]
5.admin列出租户
[mw_shl_code=bash,true]openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
project list[/mw_shl_code]
[mw_shl_code=bash,true]+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 55cbd79c0c014c8a95534ebd16213ca1 | service |
| ab8ea576c0574b6092bb99150449b2d3 | demo |
| cf12a15c5ea84b019aec3dc45580896b | admin |
+----------------------------------+---------+[/mw_shl_code]
6.admin列出用户
[mw_shl_code=bash,true]openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
user list[/mw_shl_code]
[mw_shl_code=bash,true]+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo |
+----------------------------------+-------+[/mw_shl_code]
7.admin列出角色
[mw_shl_code=bash,true]openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
role list[/mw_shl_code]
[mw_shl_code=bash,true]+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | user |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+-------+[/mw_shl_code]
8.demo用户获取token相关信息
[mw_shl_code=bash,true]openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue[/mw_shl_code]
[mw_shl_code=bash,true]+------------+----------------------------------+
| Property | Value |
+------------+----------------------------------+
| expires | 2014-10-10T12:51:33Z |
| id | 1b87ceae9e08411ba4a16e4dada04802 |
| project_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
| user_id | 7004dfa0dda84d63aef81cf7f100af01 |
+------------+----------------------------------+[/mw_shl_code]
9.作为demo 用户,查看用户【不具有权限查看】
[mw_shl_code=bash,true]openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
user list[/mw_shl_code]
[mw_shl_code=bash,true]ERROR: openstack You are not authorized to perform the requested action, admin_required. (HTTP 403)
[/mw_shl_code]
相关篇章
openstack【Kilo】入门 【准备篇】一:整体介绍【centos】
http://www.aboutyun.com/thread-15205-1-1.html
openstack【Kilo】入门 【准备篇】二:检测网络互通性【centos】
http://www.aboutyun.com/thread-15206-1-1.html
openstack【Kilo】入门 【准备篇】三:NTP安装【centos】
http://www.aboutyun.com/thread-15207-1-1.html
openstack【Kilo】入门 【准备篇】四:openstack包【centos】
http://www.aboutyun.com/thread-15210-1-1.html
openstack【Kilo】入门 【准备篇】五:mysql及rabbitmq安装【centos】
http://www.aboutyun.com/thread-15213-1-1.html
openstack【Kilo】入门 【keystone篇】六:keystone安装配置【centos】
http://www.aboutyun.com/thread-15214-1-1.html
openstack【Kilo】入门 【keystone篇】七:创建服务实例和API endpoint【centos】
http://www.aboutyun.com/thread-15215-1-1.html
openstack【Kilo】入门 【keystone篇】八:创建租户, 用户, 和角色【centos】
http://www.aboutyun.com/thread-15216-1-1.html
openstack【Kilo】入门 【keystone篇】九:验证keystone安装【centos】
http://www.aboutyun.com/thread-15233-1-1.html
openstack【Kilo】入门 【keystone篇】十:创建openstack客户端脚本【centos】
http://www.aboutyun.com/thread-15234-1-1.html
openstack【Kilo】入门 【glance篇】十一:安装配置glance【centos】
http://www.aboutyun.com/thread-15242-1-1.html
openstack【Kilo】入门 【glance篇】十二:glance安装验证【centos】
http://www.aboutyun.com/thread-15243-1-1.html
openstack【Kilo】入门 【nova篇】十三:nova安装配置1:控制节点【centos】
http://www.aboutyun.com/thread-15258-1-1.html
openstack【Kilo】入门 【nova篇】十四:nova安装配置2:计算节点【centos】
http://www.aboutyun.com/thread-15259-1-1.html
openstack【Kilo】入门 【neutron篇】十五:neutron安装配置:控制节点【centos】
http://www.aboutyun.com/thread-15260-1-1.html
openstack【Kilo】入门 【neutron篇】十六:neutron安装配置:网络节点【centos】
http://www.aboutyun.com/thread-15272-1-1.html
openstack【Kilo】入门 【neutron篇】十七:neutron安装配置:计算节点【centos】
http://www.aboutyun.com/thread-15330-1-1.html
openstack【Kilo】入门 【neutron篇】十八:实例化网络【centos】
http://www.aboutyun.com/thread-15342-1-1.html
openstack【Kilo】入门 【neutron篇】十九:dasboard安装配置【centos】
http://www.aboutyun.com/thread-15352-1-1.html
openstack【Kilo】入门 【neutron篇】二十:创建实例(neutron)【centos】
http://www.aboutyun.com/thread-15356-1-1.html