Node multi-tenancy
This guide explains the steps needed to enable node multi-tenancy. The feature lets non-administrators perform API operations on nodes, subject to the limits set by the policy configuration. The Bare Metal service supports two kinds of non-administrative users:
Owner: owns a specific node and performs administrative operations on it
Lessee: receives temporary, limited access to a node
Setting owners and lessees
Non-administrative access to a node is controlled through the node's owner or lessee field. Each holds a Keystone project ID; requests are matched against the caller's project ID by the policy rules described below:
baremetal node set --owner 080925ee2f464a2c9dce91ee6ea354e2 node-7
baremetal node set --lessee 2a210e5ff114c8f2b6e994218f51a904 node-10
Configuring the Bare Metal service policy
By default the Bare Metal service policy is configured so that a node owner or lessee cannot access any node API. The policy file does, however, ship with rules that can be used to grant node API access (the lines are commented out with #, so they show the defaults; an uncommented line overrides the default):
# Owner of node
#"is_node_owner": "project_id:%(node.owner)s"
# Lessee of node
#"is_node_lessee": "project_id:%(node.lessee)s"
An administrator can then edit the policy file to expose individual node APIs, for example:
# Change Node provision status
# PUT /nodes/{node_ident}/states/provision
#"baremetal:node:set_provision_state": "rule:is_admin"
"baremetal:node:set_provision_state": "rule:is_admin or rule:is_node_owner or rule:is_node_lessee"
# Update Node records
# PATCH /nodes/{node_ident}
#"baremetal:node:update": "rule:is_admin or rule:is_node_owner"
In addition, it is safe to open the baremetal:node:list rule, because the node listing filters results for non-administrators by owner and lessee, so a caller only sees nodes whose owner or lessee field matches their project:
# Retrieve multiple Node records, filtered by owner
# GET /nodes
# GET /nodes/detail
#"baremetal:node:list": "rule:baremetal:node:get"
"baremetal:node:list": ""
Note that baremetal:node:list_all lets a user see all nodes regardless of owner or lessee, so it should remain restricted to administrators.
Ports
The port APIs can be exposed to node owners and lessees in the same way:
# Retrieve Port records
# GET /ports/{port_id}
# GET /nodes/{node_ident}/ports
# GET /nodes/{node_ident}/ports/detail
# GET /portgroups/{portgroup_ident}/ports
# GET /portgroups/{portgroup_ident}/ports/detail
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
"baremetal:port:get": "rule:is_admin or rule:is_observer or rule:is_node_owner or rule:is_node_lessee"
# Retrieve multiple Port records, filtered by owner
# GET /ports
# GET /ports/detail
#"baremetal:port:list": "rule:baremetal:port:get"
"baremetal:port:list": ""
Allocations
Allocations also respect node tenancy. A restricted allocation is one created with the project associated with it, and such an allocation can only match nodes whose owner or lessee is that project. The following is an example set of policy rules that lets non-administrators use allocations effectively:
# Retrieve Allocation records
# GET /allocations/{allocation_id}
# GET /nodes/{node_ident}/allocation
#"baremetal:allocation:get": "rule:is_admin or rule:is_observer"
"baremetal:allocation:get": "rule:is_admin or rule:is_observer or rule:is_allocation_owner"
# Retrieve multiple Allocation records, filtered by owner
# GET /allocations
#"baremetal:allocation:list": "rule:baremetal:allocation:get"
"baremetal:allocation:list": ""
# Retrieve multiple Allocation records
# GET /allocations
#"baremetal:allocation:list_all": "rule:baremetal:allocation:get"
# Create Allocation records
# POST /allocations
#"baremetal:allocation:create": "rule:is_admin"
# Create Allocation records that are restricted to an owner
# POST /allocations
#"baremetal:allocation:create_restricted": "rule:baremetal:allocation:create"
"baremetal:allocation:create_restricted": ""
# Delete Allocation records
# DELETE /allocations/{allocation_id}
# DELETE /nodes/{node_ident}/allocation
#"baremetal:allocation:delete": "rule:is_admin"
"baremetal:allocation:delete": "rule:is_admin or rule:is_allocation_owner"
# Change name and extra fields of an allocation
# PATCH /allocations/{allocation_id}
#"baremetal:allocation:update": "rule:is_admin"
"baremetal:allocation:update": "rule:is_admin or rule:is_allocation_owner"
Deployment and Metalsmith
Deploying a node requires a specific set of APIs to be available. The following policy specification is sufficient to let a node owner deploy on a node with Metalsmith:
"baremetal:node:get": "rule:is_admin or rule:is_observer or rule:is_node_owner"
"baremetal:node:list": ""
"baremetal:node:update_extra": "rule:is_admin or rule:is_node_owner"
"baremetal:node:update_instance_info": "rule:is_admin or rule:is_node_owner"
"baremetal:node:validate": "rule:is_admin or rule:is_node_owner"
"baremetal:node:set_provision_state": "rule:is_admin or rule:is_node_owner"
"baremetal:node:vif:list": "rule:is_admin or rule:is_node_owner"
"baremetal:node:vif:attach": "rule:is_admin or rule:is_node_owner"
"baremetal:node:vif:detach": "rule:is_admin or rule:is_node_owner"
"baremetal:allocation:get": "rule:is_admin or rule:is_observer or rule:is_allocation_owner"
"baremetal:allocation:list": ""
"baremetal:allocation:create_restricted": ""
"baremetal:allocation:delete": "rule:is_admin or rule:is_allocation_owner"
"baremetal:allocation:update": "rule:is_admin or rule:is_allocation_owner"
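To see how the owner/lessee rules above actually resolve, the following is an added example (not Ironic's code and not the real oslo.policy library) that implements just enough of the oslo.policy rule syntax to evaluate the snippets on this page: an empty rule always allows, rule:name references another rule, role:x checks the caller's roles, and project_id:%(node.owner)s substitutes the target node's owner before comparing it with the caller's project ID. The policy dictionary combines the Metalsmith rule set with the lessee variant of set_provision_state and an admin-only list_all; the definitions of is_admin and is_observer in terms of Keystone roles, the flat target keys (node.owner, node.lessee, allocation.owner) and the sample project IDs are assumptions for this example, and parentheses and not are deliberately unsupported.

```python
"""Minimal evaluator for the oslo.policy rule syntax used in the Ironic policy snippets.

This is illustrative code, not oslo.policy itself. It supports: "" (always allow),
"rule:<name>", "role:<name>", "<cred_key>:<value>" with %(target.key)s substitution,
and flat "and"/"or" expressions where "and" binds tighter than "or".
"""

# Assumed policy: Metalsmith rule set from the page plus owner/lessee helpers,
# the lessee-enabled set_provision_state, and an admin-only list_all.
POLICY = {
    "is_admin": "role:admin",                      # assumption: how is_admin maps to roles
    "is_observer": "role:baremetal_observer",      # assumption
    "is_node_owner": "project_id:%(node.owner)s",
    "is_node_lessee": "project_id:%(node.lessee)s",
    "is_allocation_owner": "project_id:%(allocation.owner)s",  # assumption
    "baremetal:node:get": "rule:is_admin or rule:is_observer or rule:is_node_owner or rule:is_node_lessee",
    "baremetal:node:list": "",
    "baremetal:node:list_all": "rule:is_admin",
    "baremetal:node:update": "rule:is_admin or rule:is_node_owner",
    "baremetal:node:update_instance_info": "rule:is_admin or rule:is_node_owner",
    "baremetal:node:set_provision_state": "rule:is_admin or rule:is_node_owner or rule:is_node_lessee",
    "baremetal:allocation:create_restricted": "",
    "baremetal:allocation:delete": "rule:is_admin or rule:is_allocation_owner",
}


def _generic(expr, creds, target):
    """Evaluate 'key:value'; value may reference the target via %(key)s."""
    key, _, match = expr.partition(":")
    try:
        match = match % target          # e.g. %(node.owner)s -> the node's owner project
    except (KeyError, TypeError):
        return False                    # attribute missing from the target: deny
    if key == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    if key not in creds:
        return False
    return str(creds[key]) == match


def _evaluate(expr, creds, target):
    expr = expr.strip()
    if expr == "":
        return True                     # an empty rule always passes
    if expr.startswith("rule:"):
        return authorize(expr[len("rule:"):], creds, target)
    return _generic(expr, creds, target)


def authorize(rule, creds, target):
    """Return True if `rule` allows `creds` to act on `target`; unknown rules deny."""
    expr = POLICY.get(rule)
    if expr is None:
        return False                    # assumption: no default rule, deny unknown names
    for disjunct in expr.split(" or "):
        if all(_evaluate(c, creds, target) for c in disjunct.split(" and ")):
            return True
    return False


# Constructed sample data reusing the project IDs from the `baremetal node set` examples.
OWNER_PROJECT = "080925ee2f464a2c9dce91ee6ea354e2"
LESSEE_PROJECT = "2a210e5ff114c8f2b6e994218f51a904"
NODE7 = {"node.owner": OWNER_PROJECT, "node.lessee": None}
NODE10 = {"node.owner": "c0ffee00c0ffee00c0ffee00c0ffee00", "node.lessee": LESSEE_PROJECT}
OWNER = {"project_id": OWNER_PROJECT, "roles": ["member"]}
LESSEE = {"project_id": LESSEE_PROJECT, "roles": ["member"]}
ADMIN = {"project_id": "adm1n000adm1n000adm1n000adm1n000", "roles": ["admin"]}


def access_matrix():
    """Worked checks showing which caller may do what on which node."""
    return {
        "owner_provisions_node7": authorize("baremetal:node:set_provision_state", OWNER, NODE7),
        "lessee_provisions_node7": authorize("baremetal:node:set_provision_state", LESSEE, NODE7),
        "lessee_provisions_node10": authorize("baremetal:node:set_provision_state", LESSEE, NODE10),
        "lessee_updates_node10": authorize("baremetal:node:update", LESSEE, NODE10),
        "owner_lists": authorize("baremetal:node:list", OWNER, {}),
        "owner_lists_all": authorize("baremetal:node:list_all", OWNER, {}),
        "admin_lists_all": authorize("baremetal:node:list_all", ADMIN, {}),
        "get_without_target": authorize("baremetal:node:get", OWNER, {}),
        "owner_deletes_own_allocation": authorize(
            "baremetal:allocation:delete", OWNER, {"allocation.owner": OWNER_PROJECT}),
        "lessee_deletes_owner_allocation": authorize(
            "baremetal:allocation:delete", LESSEE, {"allocation.owner": OWNER_PROJECT}),
    }


if __name__ == "__main__":
    for name, allowed in access_matrix().items():
        print(f"{name:36s} {'ALLOW' if allowed else 'DENY'}")
```

The two checks worth noting for a deployment are get_without_target and lessee_updates_node10: a rule that depends on %(node.owner)s denies outright when the API does not supply the node as the target, and a lessee who can change provision state still cannot PATCH the node record, which is exactly the separation between the two rules on the page.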