In everyday conversation people tend to say "tenant" for both Tenant and User without any real trouble, but the two are in fact completely different concepts.
Let's start with a simple example:
~$ keystone tenant-list | grep testing_lihui
| b1d13bdffd684de9b013b99f0a35bc66 | Project_testing_lihui | True |
~$
~$ keystone user-list | grep testing_lihui
| 85c9b4d3e1d54ffd92ad5f25d8c3f29a | testing_lihui | True | lihui@163.com |
Nothing much stands out yet, other than the Tenant name carrying a Project_ prefix that the User name lacks. Let's look at the detailed information:
~$ keystone tenant-get Project_testing_lihui
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Project for testing_lihui |
| enabled | True |
| id | b1d13bdffd684de9b013b99f0a35bc66 |
| name | Project_testing_lihui |
+-------------+----------------------------------+
~$ keystone user-get testing_lihui
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | lihui@163.com |
| enabled | True |
| id | 85c9b4d3e1d54ffd92ad5f25d8c3f29a |
| name | testing_lihui |
| tenantId | b1d13bdffd684de9b013b99f0a35bc66 |
+----------+----------------------------------+
(WordPress switched to a new theme; the tables look aligned in the editor but the rendered page does not, presumably because the theme's own CSS is not being applied.)
In the user-get table there is a tenantId entry, which shows that the Tenant exists first and the User is created under it afterwards.
Every Tenant name carries the Project_ prefix. A Tenant can be thought of as a project, a piece of work, or simply a collection of owned resources. One Tenant can hold many Users, and those Users consume the Tenant's resources according to the permissions they have been given.
As noted above, when a new User is created it must be assigned a Tenant, i.e. a Project; once the User is defined as belonging to that Tenant, it can use the resources defined under that Tenant.
In short, as I understand it, the role of a Tenant is to isolate resources from one another; assigning a User to a Tenant grants that User the permission to operate on some of that Tenant's resources.
Below is an illustration using simple Nova virtual machine operations (on devstack).
First, admin creates a VM with nova boot:
~$ nova list
+--------------------------------------+--------+--------+------------+-------------+---------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+--------+--------+------------+-------------+---------------------+
| e77bb302-15b3-4e91-836c-3bdd78c8044a | new-vm | ACTIVE | - | Running | public=172.24.4.231 |
+--------------------------------------+--------+--------+------------+-------------+---------------------+
Next, demo tries to operate on that VM and view its details, but because the two belong to different Tenants nothing can be returned:
~$ source devstack/openrc demo demo
~$ nova show e77bb302-15b3-4e91-836c-3bdd78c8044a
ERROR: No server with a name or ID of 'e77bb302-15b3-4e91-836c-3bdd78c8044a' exists.
Then, give the demo user the admin role; any operation that crosses tenants requires admin privileges:
~$ source devstack/openrc demo demo
~$ keystone token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2015-11-23T16:09:36Z |
| id | 4f39fe9992ce4c8cb1c8690319fe25f5 |
| tenant_id | 8ce127c78697410caf8cf903a401c113 |
| user_id | f5ac64a42ad2411da91d9f6988c06cf6 |
+-----------+----------------------------------+
~$ source devstack/openrc admin admin
~$ keystone user-role-add --user=demo --role=admin --tenant-id=8ce127c78697410caf8cf903a401c113
Finally, operate on admin's VM as demo once more, and this time it succeeds:
~$ source devstack/openrc demo demo
~$ nova show e77bb302-15b3-4e91-836c-3bdd78c8044a
+----------------------------------------------+-----------------------------------------------------------------+
| Property | Value |
+----------------------------------------------+-----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | commonqa-devstack |
| OS-EXT-SRV-ATTR:hypervisor_hostname | commonqa-devstack |
| OS-EXT-SRV-ATTR:instance_name | instance-00000007 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2015-11-03T16:02:32.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| availability_zone | nova |
| config_drive | |
| created | 2015-11-03T16:01:28Z |
| flavor | m1.medium (3) |
| hostId | 331e6060050937f0bd1b36376115c76cda54b2fa124d42231170ca9e |
| hypervisor_type | - |
| id | e77bb302-15b3-4e91-836c-3bdd78c8044a |
| image | cirros-0.3.0-x86_64-disk (27261cdb-76cc-48e1-b834-9d28237815c9) |
| key_name | dev |
| metadata | {} |
| name | new-vm |
| os-extended-volumes:volumes_attached | [] |
| os-netease-extended-volumes:volumes_attached | [] |
| os-server-status | unknown |
| os_type | - |
| progress | 0 |
| public network | 172.24.4.231 |
| security_groups | default |
| status | ACTIVE |
| tenant_id | dac5abbadd32437bbf641412d3c48995 |
| updated | 2015-11-03T16:55:24Z |
| user_id | c49761abead044df83ab9a793da1e329 |
| vncPass | - |
+----------------------------------------------+-----------------------------------------------------------------+
Check the role permissions:
~$ nova credentials
+------------------+------------------------------------------------------------------+
| User Credentials | Value |
+------------------+------------------------------------------------------------------+
| id | f5ac64a42ad2411da91d9f6988c06cf6 |
| name | demo |
| roles | [{"name": "anotherrole"}, {"name": "Member"}, {"name": "admin"}] |
| roles_links | [] |
| username | demo |
+------------------+------------------------------------------------------------------+
Finally, remove the admin role again and verify that resources can no longer be operated on across tenants:
~$ keystone user-role-remove --user=demo --role=admin --tenant-id=8ce127c78697410caf8cf903a401c113
~$ nova credentials
+------------------+-----------------------------------------------+
| User Credentials | Value |
+------------------+-----------------------------------------------+
| id | f5ac64a42ad2411da91d9f6988c06cf6 |
| name | demo |
| roles | [{"name": "anotherrole"}, {"name": "Member"}] |
| roles_links | [] |
| username | demo |
+------------------+-----------------------------------------------+
~$ nova show e77bb302-15b3-4e91-836c-3bdd78c8044a
ERROR: No server with a name or ID of 'e77bb302-15b3-4e91-836c-3bdd78c8044a' exists.
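The whole add/remove sequence above, condensed into a small Python model added here (it is not code from the post or from OpenStack): the Keystone state uses the ids printed above, token_get returns the tenant-scoped roles that nova credentials lists, and admin_or_owner is Nova's default policy rule, under which role:admin counts wherever it was granted. That is why granting admin in demo's own tenant opens admin's VM, and why audit_admin_grants lists such grants; the assignment table and function names are constructed.

```python
# Constructed model of the Keystone state in the post; the ids are the ones
# printed by the keystone/nova commands above (demo's token, admin's VM).
DEMO_TENANT = "8ce127c78697410caf8cf903a401c113"
ADMIN_TENANT = "dac5abbadd32437bbf641412d3c48995"
DEMO_USER = "f5ac64a42ad2411da91d9f6988c06cf6"
ADMIN_USER = "c49761abead044df83ab9a793da1e329"

# Role assignments: (user_id, tenant_id) -> role names, as `nova credentials` lists them.
assignments = {
    (DEMO_USER, DEMO_TENANT): {"anotherrole", "Member"},
    (ADMIN_USER, ADMIN_TENANT): {"admin"},
}

# The VM admin booted, owned by the admin tenant (tenant_id from `nova show`).
SERVER = {"id": "e77bb302-15b3-4e91-836c-3bdd78c8044a", "tenant_id": ADMIN_TENANT}

def token_get(user_id, tenant_id):
    """Like `keystone token-get`: a token scoped to one tenant, carrying only
    the roles the user holds in that tenant."""
    roles = assignments.get((user_id, tenant_id), set())
    return {"user_id": user_id, "tenant_id": tenant_id,
            "roles": [{"name": r} for r in sorted(roles)]}

def user_role_add(user_id, tenant_id, role):  # keystone user-role-add
    assignments.setdefault((user_id, tenant_id), set()).add(role)

def user_role_remove(user_id, tenant_id, role):  # keystone user-role-remove
    assignments.get((user_id, tenant_id), set()).discard(role)

def admin_or_owner(token, server):
    """Nova's default policy rule `admin_or_owner`:
    "is_admin:True or project_id:%(project_id)s", where is_admin comes from
    `context_is_admin: role:admin`. The admin role therefore opens every
    tenant's servers, whichever tenant it was granted in."""
    is_admin = any(r["name"] == "admin" for r in token["roles"])
    return is_admin or token["tenant_id"] == server["tenant_id"]

def nova_show(token, server):
    """Like `nova show`: a server the caller may not see is reported as not found."""
    if not admin_or_owner(token, server):
        return "ERROR: No server with a name or ID of '%s' exists." % server["id"]
    return dict(server)

def audit_admin_grants():
    """Defender check: every (user, tenant) pair holding admin, since each one
    can read and change resources in all tenants."""
    return sorted(k for k, roles in assignments.items() if "admin" in roles)
```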
