
Step-by-step guide

  1. Create a new RBAC policy
    View the list of available networks:

    $ neutron net-list
    neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
    +--------------------------------------+----------------------------------------------------+----------------------------------+-------------------------------------------------------+
    | id                                   | name                                               | tenant_id                        | subnets                                               |
    +--------------------------------------+----------------------------------------------------+----------------------------------+-------------------------------------------------------+
    | 09d98da5-79a9-4c17-be53-fba71915442c | Services                                           | f193a967e75644e085fb7f558a97dd9f | f16eee1f-f552-474b-8520-24d79cd45cc7 10.168.56.0/21   |
    | 0b175f48-e94e-4d5c-b28e-611da36be114 | HA network tenant 30d69308d72b49d2a5b1de9cbc3cae2c |                                  | 466f0214-3553-41d2-83b3-e290c4e1f0bc 169.254.192.0/18 |
    | 1315c4ce-241f-4f30-87fc-cc7c8990e82c | HA network tenant 41ee8680580e4b319ec921b6f3087c51 |                                  | 905c04f0-fc4c-43db-bccf-72d7ba10f089 169.254.192.0/18 |
    | 2678cdc2-c406-48b2-992d-518577c12926 | admin                                              | 3598428b5ccb4b91832ddc455eb98c76 | f85dc992-a7bb-494e-9e34-53c84d42175f 10.0.0.0/24      |
    | 3079941a-f965-4dc3-94b3-6111880ae791 | nova                                               | 3598428b5ccb4b91832ddc455eb98c76 | ed9fefba-2ec7-4518-819b-32b0b0eae081 192.168.68.0/22  |
    | 3ff6e401-71b8-463b-adfd-4454f7ca73fd | Management                                         | f193a967e75644e085fb7f558a97dd9f | e6fade0e-ac7e-4343-aa1c-486baa0b5351 10.3.0.0/22      |
    | 48e9fedb-fed0-4b4c-b353-fc69c7130560 | internal                                           | 41ee8680580e4b319ec921b6f3087c51 | d1b84e2b-bd78-416f-92a1-40f2202070f8 10.10.0.0/24     |
    | 4dc6be5c-b400-43f2-91b8-be0563a3020a | Access                                             | f193a967e75644e085fb7f558a97dd9f | acfb6c41-b92c-4939-9858-7577773c0f0d 10.1.0.0/22      |
    | 4e9fe322-c1b2-44e3-841e-538523afb61d | ONIE                                               | daa269324f5f4e6b9ee6a1aa700841e1 | cdb0404d-bfce-4491-ae28-892c7f624a18 10.0.4.0/24      |
    | 52ae7392-3e5f-4fe0-b1aa-893eea4dc317 | HA network tenant 3598428b5ccb4b91832ddc455eb98c76 |                                  | 9b8f9807-78a4-4cd2-a60d-fb9812eacdb8 169.254.192.0/18 |
    | 585dda7e-24bc-4a9d-9d79-405f9a39e996 | Control Network                                    | 8b13d4e4bd154a96b9dd00c73105e6f6 | a746e174-ccee-4df1-8b9d-82abaf4aef8d 10.5.0.0/24      |
    | 5dd2ed44-1b5c-4701-9c8a-cea74e658286 | aws-vlan542                                        | 3598428b5ccb4b91832ddc455eb98c76 |                                                       |
    | 63f4dee3-be5c-495a-ab92-242b7574d802 | Jenkins Network                                    | 09f31bbbf0f74e39878a4c9bd2492724 | 6165e38c-04f9-4cd5-8663-f3abf7d67f45 10.6.6.0/24      |
    | 652f5850-c5a0-461e-93c9-465bce907f22 | HA network tenant 4712acc168284dfba4fa55d084745f83 |                                  | 638f0926-6026-463c-82aa-2045fd81c70e 169.254.192.0/18 |
    | 6760aa48-f0ef-46ab-a6a8-de5cbfdbe9ee | lab1-vlan541                                       | 3598428b5ccb4b91832ddc455eb98c76 |                                                       |
    | 69fa4081-6109-43ff-a22d-b5332d7aed49 | Management                                         | 09f31bbbf0f74e39878a4c9bd2492724 | 745b24ac-2e17-4642-a818-6dfddef67b88 10.0.0.0/24      |
    | 75f4e477-aa7a-4c8b-8d3e-d3b7ceb70da7 | ONIE                                               | 400552f5531b44dabe843575641da543 | bc2b29fa-bf94-41b6-8fe0-e7fa074a500f 10.0.3.0/24      |
    | 77b5f95a-0c09-4438-941a-238d0d65e478 | HA network tenant 8b38c1145c9842eda09594ae8732767d |                                  | ff6ea32f-ad6d-4bc5-900c-f0e0e1d43929 169.254.192.0/18 |
    | 7950e1fe-634f-4436-a936-e6a8579d93bb | HA network tenant 8b13d4e4bd154a96b9dd00c73105e6f6 |                                  | 1cf8acf6-94d2-4e10-b78c-a3956fb8916b 169.254.192.0/18 |
    | 7addaab3-f4ad-47b4-a0a5-9046999edad3 | net1                                               | 30d69308d72b49d2a5b1de9cbc3cae2c | 9c322bad-c82d-417e-8466-d77fb6cde281 192.168.0.0/24   |
    | 819a2c77-84cd-4b30-8281-469d2806f602 | micro services                                     | c8a3012e9f064715b6f7b5fd3906fd8e | 47407fe2-6a4d-4a6c-8a39-3dd5aa5d4cf2 10.1.0.0/22      |
    | 8a0d40cb-1d56-4920-b6a8-e6801e9cbbb5 | HA network tenant 7f39d41b3d3b493f940f031bb2321632 |                                  | c0a44b39-8348-4d3e-8094-3b217830315a 169.254.192.0/18 |
    | 901885f2-2c4b-4612-b290-6b0bcb138cb5 | Internal                                           | 76262cf1335e481ab547413743384dbd | 1e602c71-ca17-4426-beab-e93af25a45bc 10.2.0.0/24      |
    | 90e17805-fa3f-4bd5-b273-0bac8e837771 | HA network tenant 09f31bbbf0f74e39878a4c9bd2492724 |                                  | 9221b69c-7551-4e16-b70a-7bba2193ecc0 169.254.192.0/18 |
    | 94a0af5f-10b2-4436-8c6a-d730725435d4 | HA network tenant a786b2523ba64f34bf517cc7e85aa00a |                                  | 4e613128-5ec6-41eb-a7c1-22cad3a448c5 169.254.192.0/18 |
    | 9a73ac09-69b3-4011-b09b-263256029e67 | Internal                                           | 8b38c1145c9842eda09594ae8732767d | b56a6ef2-a8ff-437c-a707-b5805df23447 10.0.0.0/24      |
    | ad4d7fef-daa9-4518-8b6c-62b631f04acf | test                                               | e11e896fd9ab4ecc8091c6e6fcfc8af8 | 025fe046-7bc8-413a-a32d-01d91764876c 10.1.0.0/22      |
    | b7541b5c-c70e-400e-b6f0-8a67438179c0 | Backend                                            | f193a967e75644e085fb7f558a97dd9f | 264e780a-904b-46ff-96a4-647192e37a83 10.2.0.0/22      |
    | b80516a5-9760-4ff3-8882-250670403699 | HA network tenant f193a967e75644e085fb7f558a97dd9f |                                  | c42bbd85-a493-4ef0-af54-8890f93e34fa 169.254.192.0/18 |
    | bc9e2378-de64-4413-a091-df816256fd6c | staging                                            | 7f39d41b3d3b493f940f031bb2321632 | e7e1adac-e0d2-4997-91b4-c47a8bf7d2ab 192.168.0.0/24   |
    | c86e7904-a97d-4872-b909-cd9f7dbff6fc | Internal                                           | 48734ec06e16443a81044cce57498894 | fb0be38c-00af-4d75-8ffb-07023ed41b94 10.0.2.0/24      |
    | d1dd21a8-e516-444a-8843-7114fd87b6b7 | HA network tenant 48734ec06e16443a81044cce57498894 |                                  | a4d0e4d0-e105-4b62-821a-b18cd68b3f80 169.254.192.0/18 |
    | d541f8a5-cd7a-47d7-b4dd-ff8d0b34e2f8 | HA network tenant e11e896fd9ab4ecc8091c6e6fcfc8af8 |                                  | 355e3785-0587-4474-9259-5c4d173a343d 169.254.192.0/18 |
    | d7057ab0-3b77-495f-967a-e017e1c1e17a | IDM                                                | 4712acc168284dfba4fa55d084745f83 | cbda6431-6889-4f87-bbda-5681fde66781 10.0.0.0/22      |
    | d8d2fcef-d694-4702-a2f6-494dded1e7ce | internal                                           | a6024170acd045c59ae9f2fb6b14feeb | b439e409-ef95-4c60-abb2-59077841f094 10.0.0.0/24      |
    | db36b9d8-4d2f-4d0d-93bc-2bc199262759 | tts                                                | 400552f5531b44dabe843575641da543 | 65772eea-2adf-4536-aa25-86ab79440497 10.0.2.0/24      |
    | dc5f817f-8920-425d-996c-04591b95c006 | HA network tenant a6024170acd045c59ae9f2fb6b14feeb |                                  | 72888b09-050c-4f17-a12f-e2c353a9a059 169.254.192.0/18 |
    | dd2c4653-1d9d-493e-b489-f4227d592eb6 | HA network tenant daa269324f5f4e6b9ee6a1aa700841e1 |                                  | 28083754-cfec-4f66-936f-0b0b98ca2e70 169.254.192.0/18 |
    | ecf46570-c7af-4907-948c-b5888b709c43 | HA network tenant 76262cf1335e481ab547413743384dbd |                                  | a369574b-a961-411e-98a3-520df2a3b2c9 169.254.192.0/18 |
    | f0e2fa5f-8d02-4bb0-8b6f-8c02964795d9 | AWS Gateway                                        | a786b2523ba64f34bf517cc7e85aa00a | 20e4fb24-a4d0-4e17-9ca6-ae59688db301 10.1.1.0/24      |
    | f7988602-dee2-4f5c-9709-47948db426b2 | HA network tenant 400552f5531b44dabe843575641da543 |                                  | 87f50f7a-1bd8-4481-8ab0-1264f073f038 169.254.192.0/18 |
    +--------------------------------------+----------------------------------------------------+----------------------------------+-------------------------------------------------------+
  2. View the list of tenants:

    $ openstack project list
    +----------------------------------+--------------------------------+
    | ID                               | Name                           |
    +----------------------------------+--------------------------------+
    | 09f31bbbf0f74e39878a4c9bd2492724 | Jenkins                        |
    | 2a1bf13216b64664814c9a27dad95d06 | service                        |
    | 30d69308d72b49d2a5b1de9cbc3cae2c | play-ground                    |
    | 3598428b5ccb4b91832ddc455eb98c76 | admin                          |
    | 400552f5531b44dabe843575641da543 | tts                            |
    | 4712acc168284dfba4fa55d084745f83 | IDM                            |
    | 48734ec06e16443a81044cce57498894 | production                     |
    | 7f39d41b3d3b493f940f031bb2321632 | Stage                          |
    | a6024170acd045c59ae9f2fb6b14feeb | Search                         |
    | a786b2523ba64f34bf517cc7e85aa00a | AWS_Storage_and_IDM_Management |
    | c8a3012e9f064715b6f7b5fd3906fd8e | openshift                      |
    | daa269324f5f4e6b9ee6a1aa700841e1 | ONIE-00                        |
    | e2af574ac98540d1888ed84d89c1b552 | sandbox                        |
    | f193a967e75644e085fb7f558a97dd9f | IT                             |
    +----------------------------------+--------------------------------+
  3. Create an RBAC entry for the aws-vlan542 network that grants shared access to the Jenkins project (09f31bbbf0f74e39878a4c9bd2492724):

    $ neutron rbac-create 5dd2ed44-1b5c-4701-9c8a-cea74e658286 --type network --target-tenant 09f31bbbf0f74e39878a4c9bd2492724 --action access_as_shared
    neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
    Created a new rbac_policy:
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_shared                     |
    | id            | 54eed9b9-def5-4d2b-994f-2cd15465b8b7 |
    | object_id     | 5dd2ed44-1b5c-4701-9c8a-cea74e658286 |
    | object_type   | network                              |
    | project_id    | 3598428b5ccb4b91832ddc455eb98c76     |
    | target_tenant | 09f31bbbf0f74e39878a4c9bd2492724     |
    | tenant_id     | 3598428b5ccb4b91832ddc455eb98c76     |
    +---------------+--------------------------------------+
  4. Review your configured RBAC policies:

    $ neutron rbac-list
    neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
    +--------------------------------------+----------------------------------+-------------+--------------------------------------+
    | id                                   | tenant_id                        | object_type | object_id                            |
    +--------------------------------------+----------------------------------+-------------+--------------------------------------+
    | 43d60101-8aaf-4f43-928a-fd1bfd9b9803 | 3598428b5ccb4b91832ddc455eb98c76 | network     | 3079941a-f965-4dc3-94b3-6111880ae791 |
    | 470fc12b-4612-45b2-b4eb-962c72b36522 | f193a967e75644e085fb7f558a97dd9f | network     | 09d98da5-79a9-4c17-be53-fba71915442c |
    | 54eed9b9-def5-4d2b-994f-2cd15465b8b7 | 3598428b5ccb4b91832ddc455eb98c76 | network     | 5dd2ed44-1b5c-4701-9c8a-cea74e658286 |
    | d9d7ae00-974d-4dc5-b182-4deaa6b77acc | 3598428b5ccb4b91832ddc455eb98c76 | network     | 6760aa48-f0ef-46ab-a6a8-de5cbfdbe9ee |
    | d9d83aef-774a-41f4-8bb6-ecfa0576efc1 | 3598428b5ccb4b91832ddc455eb98c76 | network     | 5dd2ed44-1b5c-4701-9c8a-cea74e658286 |
    +--------------------------------------+----------------------------------+-------------+--------------------------------------+
  5. Use neutron rbac-show to view the details of a specific RBAC entry:

    $ neutron rbac-show 54eed9b9-def5-4d2b-994f-2cd15465b8b7
    neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_shared                     |
    | id            | 54eed9b9-def5-4d2b-994f-2cd15465b8b7 |
    | object_id     | 5dd2ed44-1b5c-4701-9c8a-cea74e658286 |
    | object_type   | network                              |
    | project_id    | 3598428b5ccb4b91832ddc455eb98c76     |
    | target_tenant | 09f31bbbf0f74e39878a4c9bd2492724     |
    | tenant_id     | 3598428b5ccb4b91832ddc455eb98c76     |
    +---------------+--------------------------------------+
  6. Delete an RBAC policy:

    $ neutron rbac-delete 54eed9b9-def5-4d2b-994f-2cd15465b8b7
    neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
    Deleted rbac_policy(s): 54eed9b9-def5-4d2b-994f-2cd15465b8b7
  7. RBAC for external networks

    You can grant RBAC access to external networks (networks with gateway interfaces attached) using the --action access_as_external parameter, which lets the target tenant use the network as an external network:

    $ neutron rbac-create 5dd2ed44-1b5c-4701-9c8a-cea74e658286 --type network --target-tenant 09f31bbbf0f74e39878a4c9bd2492724 --action access_as_external
    neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
    Created a new rbac_policy:
    +---------------+--------------------------------------+
    | Field         | Value                                |
    +---------------+--------------------------------------+
    | action        | access_as_external                   |
    | id            | 4b586e3c-5d1d-4c37-9265-f082701c47da |
    | object_id     | 5dd2ed44-1b5c-4701-9c8a-cea74e658286 |
    | object_type   | network                              |
    | project_id    | 3598428b5ccb4b91832ddc455eb98c76     |
    | target_tenant | 09f31bbbf0f74e39878a4c9bd2492724     |
    | tenant_id     | 3598428b5ccb4b91832ddc455eb98c76     |
    +---------------+--------------------------------------+
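
Once grants like the ones above accumulate, the rbac-list output shows only ids, so reviewing who can reach which network gets tedious. The following added example (not part of this guide) is a small Python audit over a constructed policy list modelled on the rbac-show fields shown above; it resolves ids to names and flags grants a reviewer would want to look at. The wildcard target "*" (which Neutron accepts to share an object with every project) and the duplicate entry are assumed sample data.

```python
from collections import Counter

# Constructed sample data modelled on the rbac-show, net-list and project list
# output above. Keys are the field names rbac-show prints; the "*" wildcard
# target and the duplicate entry are constructed for illustration.
ADMIN, JENKINS = "3598428b5ccb4b91832ddc455eb98c76", "09f31bbbf0f74e39878a4c9bd2492724"
AWS, NOVA = "5dd2ed44-1b5c-4701-9c8a-cea74e658286", "3079941a-f965-4dc3-94b3-6111880ae791"
NETWORKS = {AWS: "aws-vlan542", NOVA: "nova"}
PROJECTS = {ADMIN: "admin", JENKINS: "Jenkins"}
POLICIES = [
    {"id": "54eed9b9-def5-4d2b-994f-2cd15465b8b7", "object_type": "network", "object_id": AWS,
     "action": "access_as_shared", "target_tenant": JENKINS, "tenant_id": ADMIN},
    {"id": "4b586e3c-5d1d-4c37-9265-f082701c47da", "object_type": "network", "object_id": AWS,
     "action": "access_as_external", "target_tenant": JENKINS, "tenant_id": ADMIN},
    {"id": "d9d83aef-774a-41f4-8bb6-ecfa0576efc1", "object_type": "network", "object_id": AWS,
     "action": "access_as_shared", "target_tenant": JENKINS, "tenant_id": ADMIN},
    {"id": "43d60101-8aaf-4f43-928a-fd1bfd9b9803", "object_type": "network", "object_id": NOVA,
     "action": "access_as_shared", "target_tenant": "*", "tenant_id": ADMIN},
]


def audit_rbac(policies, networks, projects):
    """Resolve each policy to names and attach review flags.

    wildcard       shared with every project
    external       target may use the network as a router gateway
    duplicate      the same grant exists more than once, so deleting one
                   policy id does not actually revoke access
    unknown-target target project is not in the project list (e.g. deleted)
    """
    grants = Counter((p["object_id"], p["action"], p["target_tenant"]) for p in policies)
    findings = []
    for p in policies:
        target = p["target_tenant"]
        flags = []
        if target == "*":
            flags.append("wildcard")
        elif target not in projects:
            flags.append("unknown-target")
        if p["action"] == "access_as_external":
            flags.append("external")
        if grants[(p["object_id"], p["action"], target)] > 1:
            flags.append("duplicate")
        findings.append({"id": p["id"], "action": p["action"], "flags": flags,
                         "network": networks.get(p["object_id"], p["object_id"]),
                         "owner": projects.get(p["tenant_id"], p["tenant_id"]),
                         "target": "ALL PROJECTS" if target == "*" else projects.get(target, target)})
    return findings
```

To run it against a live deployment, collect the three lists from the CLI (rbac-show, net-list, project list) and map the field names if your client prints different ones.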
