openstack/nova
Code Issues Proposed changes
Files
7712287139c5dbd058909f205609d02065097878
nova/doc/build/html/adminguide/managing.users.html
Anne Gentle 908f750579 Documenting all nova-manage commands
2010-11-17 15:54:19 -06:00

271 lines
13 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Managing Users &mdash; nova v2010.1 documentation</title>
<link rel="stylesheet" href="../_static/sphinxdoc.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/tweaks.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '2010.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/jquery.tweet.js"></script>
<link rel="top" title="nova v2010.1 documentation" href="../index.html" />
<link rel="up" title="Administration Guide" href="index.html" />
<link rel="next" title="Managing Projects" href="managing.projects.html" />
<link rel="prev" title="Euca2ools" href="euca2ools.html" />
<script type='text/javascript'>
$(document).ready(function(){
$("#twitter_feed").tweet({
username: "openstack",
query: "from:openstack",
avatar_size: 32,
count: 10,
loading_text: "loading tweets..."
});
});
</script>
</head>
<body>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="managing.projects.html" title="Managing Projects"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="euca2ools.html" title="Euca2ools"
accesskey="P">previous</a> |</li>
<li><a href="../index.html">nova v2010.1 documentation</a> &raquo;</li>
<li><a href="index.html" accesskey="U">Administration Guide</a> &raquo;</li>
</ul>
</div>
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper">
<h3><a href="../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Managing Users</a><ul>
<li><a class="reference internal" href="#users-and-access-keys">Users and Access Keys</a></li>
<li><a class="reference internal" href="#credentials">Credentials</a></li>
<li><a class="reference internal" href="#role-based-access-control">Role Based Access Control</a><ul>
<li><a class="reference internal" href="#user-commands">User Commands</a></li>
<li><a class="reference internal" href="#user-role-management">User Role Management</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="euca2ools.html"
title="previous chapter">Euca2ools</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="managing.projects.html"
title="next chapter">Managing Projects</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/adminguide/managing.users.txt"
rel="nofollow">Show Source</a></li>
</ul>
<div id="searchbox" style="display: none">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
Enter search terms or a module, class or function name.
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="managing-users">
<h1>Managing Users<a class="headerlink" href="#managing-users" title="Permalink to this headline"></a></h1>
<div class="section" id="users-and-access-keys">
<h2>Users and Access Keys<a class="headerlink" href="#users-and-access-keys" title="Permalink to this headline"></a></h2>
<p>Access to the ec2 api is controlled by an access and secret key. The user&#8217;s access key needs to be included in the request, and the request must be signed with the secret key. Upon receipt of api requests, nova will verify the signature and execute commands on behalf of the user.</p>
<p>In order to begin using nova, you will need a to create a user. This can be easily accomplished using the user create or user admin commands in nova-manage. <cite>user create</cite> will create a regular user, whereas <cite>user admin</cite> will create an admin user. The syntax of the command is nova-manage user create username [access] [secret]. For example:</p>
<div class="highlight-python"><pre>nova-manage user create john my-access-key a-super-secret-key</pre>
</div>
<p>If you do not specify an access or secret key, a random uuid will be created automatically.</p>
</div>
<div class="section" id="credentials">
<h2>Credentials<a class="headerlink" href="#credentials" title="Permalink to this headline"></a></h2>
<p>Nova can generate a handy set of credentials for a user. These credentials include a CA for bundling images and a file for setting environment variables to be used by euca2ools. If you don&#8217;t need to bundle images, just the environment script is required. You can export one with the <cite>project environment</cite> command. The syntax of the command is nova-manage project environment project_id user_id [filename]. If you don&#8217;t specify a filename, it will be exported as novarc. After generating the file, you can simply source it in bash to add the variables to your environment:</p>
<div class="highlight-python"><pre>nova-manage project environment john_project john
. novarc</pre>
</div>
<p>If you do need to bundle images, you will need to get all of the credentials using <cite>project zipfile</cite>. Note that zipfile will give you an error message if networks haven&#8217;t been created yet. Otherwise zipfile has the same syntax as environment, only the default file name is nova.zip. Example usage:</p>
<div class="highlight-python"><pre>nova-manage project zipfile john_project john
unzip nova.zip
. novarc</pre>
</div>
</div>
<div class="section" id="role-based-access-control">
<h2>Role Based Access Control<a class="headerlink" href="#role-based-access-control" title="Permalink to this headline"></a></h2>
<p>Roles control the api actions that a user is allowed to perform. For example, a user cannot allocate a public ip without the <cite>netadmin</cite> role. It is important to remember that a users de facto permissions in a project is the intersection of user (global) roles and project (local) roles. So for john to have netadmin permissions in his project, he needs to separate roles specified. You can add roles with <cite>role add</cite>. The syntax is nova-manage role add user_id role [project_id]. Let&#8217;s give john the netadmin role for his project:</p>
<div class="highlight-python"><pre>nova-manage role add john netadmin
nova-manage role add john netadmin john_project</pre>
</div>
<p>Role-based access control (RBAC) is an approach to restricting system access to authorized users based on an individuals role within an organization. Various employee functions require certain levels of system access in order to be successful. These functions are mapped to defined roles and individuals are categorized accordingly. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of assigning appropriate roles to the user. This simplifies common operations, such as adding a user, or changing a user&#8217;s department.</p>
<p>Novas rights management system employs the RBAC model and currently supports the following five roles:</p>
<ul class="simple">
<li><strong>Cloud Administrator.</strong> (admin) Users of this class enjoy complete system access.</li>
<li><strong>IT Security.</strong> (itsec) This role is limited to IT security personnel. It permits role holders to quarantine instances.</li>
<li><strong>Project Manager.</strong> (projectmanager)The default for project owners, this role affords users the ability to add other users to a project, interact with project images, and launch and terminate instances.</li>
<li><strong>Network Administrator.</strong> (netadmin) Users with this role are permitted to allocate and assign publicly accessible IP addresses as well as create and modify firewall rules.</li>
<li><strong>Developer.</strong> This is a general purpose role that is assigned to users by default.</li>
</ul>
<p>RBAC management is exposed through the dashboard for simplified user management.</p>
<div class="section" id="user-commands">
<h3>User Commands<a class="headerlink" href="#user-commands" title="Permalink to this headline"></a></h3>
<p>Users, including admins, are created through the <tt class="docutils literal"><span class="pre">user</span></tt> commands.</p>
<ul>
<li><dl class="first docutils">
<dt>user admin: creates a new admin and prints exports</dt>
<dd><ul class="first last simple">
<li>arguments: name [access] [secret]</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>user create: creates a new user and prints exports</dt>
<dd><ul class="first last simple">
<li>arguments: name [access] [secret]</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>user delete: deletes an existing user</dt>
<dd><ul class="first last simple">
<li>arguments: name</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>user exports: prints access and secrets for user in export format</dt>
<dd><ul class="first last simple">
<li>arguments: name</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>user list: lists all users</dt>
<dd><ul class="first last simple">
<li>arguments: none</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>user modify: update a users keys &amp; admin flag</dt>
<dd><ul class="first last simple">
<li>arguments: accesskey secretkey admin</li>
<li>leave any field blank to ignore it, admin should be &#8216;T&#8217;, &#8216;F&#8217;, or blank</li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="user-role-management">
<h3>User Role Management<a class="headerlink" href="#user-role-management" title="Permalink to this headline"></a></h3>
<ul>
<li><dl class="first docutils">
<dt>role add: adds role to user</dt>
<dd><ul class="first last simple">
<li>if project is specified, adds project specific role</li>
<li>arguments: user, role [project]</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>role has: checks to see if user has role</dt>
<dd><ul class="first last simple">
<li>if project is specified, returns True if user has
the global role and the project role</li>
<li>arguments: user, role [project]</li>
</ul>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>role remove: removes role from user</dt>
<dd><ul class="first last simple">
<li>if project is specified, removes project specific role</li>
<li>arguments: user, role [project]</li>
</ul>
</dd>
</dl>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="managing.projects.html" title="Managing Projects"
>next</a> |</li>
<li class="right" >
<a href="euca2ools.html" title="Euca2ools"
>previous</a> |</li>
<li><a href="../index.html">nova v2010.1 documentation</a> &raquo;</li>
<li><a href="index.html" >Administration Guide</a> &raquo;</li>
</ul>
</div>
<div class="footer">
&copy; Copyright 2010, United States Government as represented by the Administrator of the National Aeronautics and Space Administration..
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.0.4.
</div>
</body>
</html>
View Git Blame Copy Permalink