RBAC et Keystone
Introduction
Le RBAC (Role-Based Access Control) de Keystone gère les autorisations dans OpenStack. Une configuration fine des rôles et des politiques est essentielle pour la sécurité multi-tenant.
Prérequis
- OpenStack avec Keystone fonctionnel
- TLS configuré
- Compréhension du modèle d'identité OpenStack
Points à apprendre
Modèle d'identité Keystone
graph TB
subgraph Keystone
domains["Domains<br/>Isolation administrative<br/>Default, LDAP, etc."]
subgraph Domain_Example["Domain: Example"]
projects["Projects<br/>Tenants<br/>Quotas, ressources"]
users["Users<br/>Identités<br/>Credentials"]
groups["Groups<br/>Groupement users"]
roles["Roles<br/>Permissions<br/>admin, member, reader"]
end
end
assignments["Role Assignments<br/>User → Role → Project<br/>Group → Role → Project"]
users -->|Has| roles
groups -->|Contains| users
groups -->|Has| roles
roles -->|Scoped to| projects
assignments -->|Assign| roles
Rôles par défaut
| Rôle |
Description |
Permissions |
admin |
Administrateur cloud |
Toutes les opérations |
member |
Membre projet |
CRUD sur ressources projet |
reader |
Lecteur |
Lecture seule |
service |
Services OpenStack |
Communication inter-services |
Configuration des domaines
# Créer un domaine pour une organisation
openstack domain create --description "Corporate Domain" corporate
# Créer un admin de domaine
openstack user create --domain corporate \
--password-prompt \
domain-admin
openstack role add --domain corporate \
--user domain-admin \
admin
# Lister les domaines
openstack domain list
Gestion des projets
# Créer un projet avec quotas
openstack project create --domain corporate \
--description "Production environment" \
production
# Définir les quotas
openstack quota set production \
--instances 100 \
--cores 200 \
--ram 512000 \
--volumes 100 \
--gigabytes 10000
# Créer sous-projets (hierarchie)
openstack project create --domain corporate \
--parent production \
--description "Web tier" \
production-web
Attribution des rôles
# Attribuer un rôle à un utilisateur sur un projet
openstack role add --project production \
--user developer1 \
member
# Attribuer un rôle à un groupe
openstack group create developers --domain corporate
openstack group add user developers developer1 developer2
openstack role add --project production \
--group developers \
member
# Vérifier les attributions
openstack role assignment list --user developer1 --names
openstack role assignment list --project production --names
Politiques (policy.yaml)
# /etc/kolla/config/nova/policy.yaml
# Règles personnalisées pour Nova
# Seuls les admins peuvent resize
"os_compute_api:servers:resize": "role:admin"
# Members peuvent créer/supprimer leurs VMs
"os_compute_api:servers:create": "role:member"
"os_compute_api:servers:delete": "role:member and project_id:%(project_id)s"
# Readers peuvent lister
"os_compute_api:servers:index": "role:reader or role:member or role:admin"
# Interdire certaines actions aux non-admins
"os_compute_api:servers:create:forced_host": "role:admin"
"os_compute_api:os-migrate-server:migrate": "role:admin"
"os_compute_api:os-evacuate": "role:admin"
# /etc/kolla/config/neutron/policy.yaml
# Règles pour Neutron
# Seuls admins peuvent créer réseaux external
"create_network:provider:network_type": "role:admin"
"create_network:provider:physical_network": "role:admin"
"create_network:router:external": "role:admin"
# Members peuvent gérer leurs réseaux
"create_network": "role:member"
"delete_network": "role:member and project_id:%(project_id)s"
# Limiter la création de floating IPs
"create_floatingip": "role:member"
"delete_floatingip": "role:member and project_id:%(project_id)s"
Application Federation
# /etc/kolla/config/keystone/keystone.conf
[federation]
# Activer la fédération
enabled_identity_providers = ldap_corp,saml_idp
[auth]
# Méthodes d'authentification
methods = password,token,mapped,application_credential
# Configuration LDAP
[ldap]
url = ldaps://ldap.example.com
user = cn=keystone,ou=services,dc=example,dc=com
password = secret
suffix = dc=example,dc=com
user_tree_dn = ou=users,dc=example,dc=com
group_tree_dn = ou=groups,dc=example,dc=com
user_objectclass = inetOrgPerson
group_objectclass = groupOfNames
Application Credentials
# Créer un credential pour CI/CD (pas de password)
openstack application credential create myapp \
--description "CI/CD automation" \
--expiration "2025-12-31T23:59:59" \
--role member \
--secret auto
# Utiliser le credential
export OS_AUTH_TYPE=v3applicationcredential
export OS_APPLICATION_CREDENTIAL_ID=<id>
export OS_APPLICATION_CREDENTIAL_SECRET=<secret>
openstack server list # Fonctionne sans password
Diagramme RBAC
sequenceDiagram
actor User
participant KS as Keystone
participant Nova as Nova API
participant Policy as Policy Engine
User->>KS: Authenticate<br/>(username/password)
KS->>KS: Validate credentials
KS-->>User: Token + Roles<br/>(admin, member@project-A)
User->>Nova: Create VM<br/>(Token, project-A)
Nova->>KS: Validate token
KS-->>Nova: Token valid<br/>Roles: [member@project-A]
Nova->>Policy: Check policy<br/>"create_server"<br/>Roles: [member]
Policy->>Policy: Evaluate:<br/>"role:member" → True
Policy-->>Nova: ALLOWED
Nova->>Nova: Create VM
Nova-->>User: 201 Created
Audit des accès
#!/bin/bash
# audit-rbac.sh
echo "=== Domain Admins ==="
openstack role assignment list --role admin --names | grep -v "admin project"
echo -e "\n=== Project Admins ==="
for project in $(openstack project list -f value -c ID); do
admins=$(openstack role assignment list --project $project --role admin --names -f value)
if [ -n "$admins" ]; then
echo "Project: $(openstack project show $project -f value -c name)"
echo "$admins"
fi
done
echo -e "\n=== Users with Multiple Projects ==="
for user in $(openstack user list -f value -c ID); do
projects=$(openstack role assignment list --user $user -f value -c Project | sort -u | wc -l)
if [ $projects -gt 1 ]; then
echo "$(openstack user show $user -f value -c name): $projects projects"
fi
done
echo -e "\n=== Unused Roles ==="
for role in $(openstack role list -f value -c ID); do
count=$(openstack role assignment list --role $role -f value | wc -l)
if [ $count -eq 0 ]; then
echo "$(openstack role show $role -f value -c name): no assignments"
fi
done
Rôles personnalisés
# Créer un rôle custom
openstack role create network-admin
# Policy pour ce rôle
# /etc/kolla/config/neutron/policy.yaml
# "create_router": "role:network-admin or role:admin"
# "create_floatingip": "role:network-admin or role:admin"
Exemples pratiques
Matrice de permissions
| Action |
admin |
member |
reader |
service |
| Create VM |
✓ |
✓ |
✗ |
✗ |
| Delete any VM |
✓ |
✗ |
✗ |
✗ |
| Delete own VM |
✓ |
✓ |
✗ |
✗ |
| List VMs |
✓ |
✓ |
✓ |
✓ |
| Create external network |
✓ |
✗ |
✗ |
✗ |
| Live migrate |
✓ |
✗ |
✗ |
✗ |
Script de setup projet
#!/bin/bash
# setup-project.sh
PROJECT=$1
ADMIN_USER=$2
MEMBERS=$3 # comma-separated
# Créer le projet
openstack project create $PROJECT
# Créer le groupe
openstack group create ${PROJECT}-team
# Ajouter l'admin
openstack role add --project $PROJECT --user $ADMIN_USER admin
# Ajouter les membres
for member in ${MEMBERS//,/ }; do
openstack group add user ${PROJECT}-team $member
done
openstack role add --project $PROJECT --group ${PROJECT}-team member
# Configurer les quotas par défaut
openstack quota set $PROJECT \
--instances 20 \
--cores 40 \
--ram 81920
echo "Project $PROJECT created with admin $ADMIN_USER"
Ressources
Checkpoint