moving in all the original docs from keystone

This commit is contained in:
Joe Heck 2012-01-24 09:43:06 -08:00
parent d23691b78b
commit 6b38e3ceb6
40 changed files with 5439 additions and 0 deletions


@ -0,0 +1,387 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
=============================
Admin API Examples Using Curl
=============================
These examples assume a default port value of 35357, and depend on the
``sampledata`` bundled with keystone.
GET /
=====
Disover API version information, links to documentation (PDF, HTML, WADL),
and supported media types::
$ curl http://0.0.0.0:35357
or::
$ curl http://0.0.0.0:35357/v2.0/
Returns::
{
"version":{
"id":"v2.0",
"status":"beta",
"updated":"2011-11-19T00:00:00Z",
"links":[
{
"rel":"self",
"href":"http://127.0.0.1:35357/v2.0/"
},
{
"rel":"describedby",
"type":"text/html",
"href":"http://docs.openstack.org/api/openstack-identity-service/2.0/content/"
},
{
"rel":"describedby",
"type":"application/pdf",
"href":"http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf"
},
{
"rel":"describedby",
"type":"application/vnd.sun.wadl+xml",
"href":"http://127.0.0.1:35357/v2.0/identity-admin.wadl"
}
],
"media-types":[
{
"base":"application/xml",
"type":"application/vnd.openstack.identity-v2.0+xml"
},
{
"base":"application/json",
"type":"application/vnd.openstack.identity-v2.0+json"
}
]
}
}
GET /extensions
===============
Discover the API extensions enabled at the endpoint::
$ curl http://0.0.0.0:35357/extensions
Returns::
{
"extensions":{
"values":[]
}
}
POST /tokens
============
Authenticate by exchanging credentials for an access token::
$ curl -d '{"auth":{"passwordCredentials":{"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
Returns::
{
"access":{
"token":{
"expires":"2012-02-05T00:00:00",
"id":"887665443383838",
"tenant":{
"id":"1",
"name":"customer-x"
}
},
"serviceCatalog":[
{
"endpoints":[
{
"adminURL":"http://swift.admin-nets.local:8080/",
"region":"RegionOne",
"internalURL":"http://127.0.0.1:8080/v1/AUTH_1",
"publicURL":"http://swift.publicinternets.com/v1/AUTH_1"
}
],
"type":"object-store",
"name":"swift"
},
{
"endpoints":[
{
"adminURL":"http://cdn.admin-nets.local/v1.1/1",
"region":"RegionOne",
"internalURL":"http://127.0.0.1:7777/v1.1/1",
"publicURL":"http://cdn.publicinternets.com/v1.1/1"
}
],
"type":"object-store",
"name":"cdn"
}
],
"user":{
"id":"1",
"roles":[
{
"tenantId":"1",
"id":"3",
"name":"Member"
}
],
"name":"joeuser"
}
}
}
.. note::
Take note of the value ['access']['token']['id'] value produced here (``887665443383838``, above), as you can use it in the calls below.
GET /tokens/{token_id}
======================
.. note::
This call refers to a token known to be valid, ``887665443383838`` in this case.
Validate a token::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/tokens/887665443383838
If the token is valid, returns::
{
"access":{
"token":{
"expires":"2012-02-05T00:00:00",
"id":"887665443383838",
"tenant":{
"id":"1",
"name":"customer-x"
}
},
"user":{
"name":"joeuser",
"tenantName":"customer-x",
"id":"1",
"roles":[
{
"serviceId":"1",
"id":"3",
"name":"Member"
}
],
"tenantId":"1"
}
}
}
HEAD /tokens/{token_id}
=======================
This is a high-performance variant of the GET call documented above, which
by definition, returns no response body::
$ curl -I -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/tokens/887665443383838
... which returns ``200``, indicating the token is valid::
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: None
Date: Tue, 08 Nov 2011 23:07:44 GMT
GET /tokens/{token_id}/endpoints
================================
List all endpoints for a token::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/tokens/887665443383838/endpoints
Returns::
{
"endpoints_links": [
{
"href": "http://127.0.0.1:35357/tokens/887665443383838/endpoints?'marker=5&limit=10'",
"rel": "next"
}
],
"endpoints": [
{
"internalURL": "http://127.0.0.1:8080/v1/AUTH_1",
"name": "swift",
"adminURL": "http://swift.admin-nets.local:8080/",
"region": "RegionOne",
"tenantId": 1,
"type": "object-store",
"id": 1,
"publicURL": "http://swift.publicinternets.com/v1/AUTH_1"
},
{
"internalURL": "http://localhost:8774/v1.0",
"name": "nova_compat",
"adminURL": "http://127.0.0.1:8774/v1.0",
"region": "RegionOne",
"tenantId": 1,
"type": "compute",
"id": 2,
"publicURL": "http://nova.publicinternets.com/v1.0/"
},
{
"internalURL": "http://localhost:8774/v1.1",
"name": "nova",
"adminURL": "http://127.0.0.1:8774/v1.1",
"region": "RegionOne",
"tenantId": 1,
"type": "compute",
"id": 3,
"publicURL": "http://nova.publicinternets.com/v1.1/
},
{
"internalURL": "http://127.0.0.1:9292/v1.1/",
"name": "glance",
"adminURL": "http://nova.admin-nets.local/v1.1/",
"region": "RegionOne",
"tenantId": 1,
"type": "image",
"id": 4,
"publicURL": "http://glance.publicinternets.com/v1.1/"
},
{
"internalURL": "http://127.0.0.1:7777/v1.1/1",
"name": "cdn",
"adminURL": "http://cdn.admin-nets.local/v1.1/1",
"region": "RegionOne",
"tenantId": 1,
"versionId": "1.1",
"versionList": "http://127.0.0.1:7777/",
"versionInfo": "http://127.0.0.1:7777/v1.1",
"type": "object-store",
"id": 5,
"publicURL": "http://cdn.publicinternets.com/v1.1/1"
}
]
}
GET /tenants
============
List all of the tenants in the system (requires an Admin ``X-Auth-Token``)::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/tenants
Returns::
{
"tenants_links": [],
"tenants": [
{
"enabled": false,
"description": "None",
"name": "project-y",
"id": "3"
},
{
"enabled": true,
"description": "None",
"name": "ANOTHER:TENANT",
"id": "2"
},
{
"enabled": true,
"description": "None",
"name": "customer-x",
"id": "1"
}
]
}
GET /tenants/{tenant_id}
========================
Retrieve information about a tenant, by tenant ID::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/tenants/1
Returns::
{
"tenant":{
"enabled":true,
"description":"None",
"name":"customer-x",
"id":"1"
}
}
GET /tenants/{tenant_id}/users/{user_id}/roles
==============================================
List the roles a user has been granted on a tenant::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/tenants/1/users/1/roles
Returns::
{
"roles_links":[],
"roles":[
{
"id":"3",
"name":"Member"
}
]
}
GET /users/{user_id}
====================
Retrieve information about a user, by user ID::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/users/1
Returns::
{
"user":{
"tenantId":"1",
"enabled":true,
"id":"1",
"name":"joeuser"
}
}
GET /users/{user_id}/roles
==========================
Retrieve the roles granted to a user, given a user ID::
$ curl -H "X-Auth-Token:999888777666" http://localhost:35357/v2.0/users/4/roles
Returns::
{
"roles_links":[],
"roles":[
{
"id":"2",
"name":"KeystoneServiceAdmin"
}
]
}
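Review bot: the JSON returned in the GET /tokens/{token_id}/endpoints example is not valid as written: `"publicURL": "http://nova.publicinternets.com/v1.1/` is missing its closing quote, and the `endpoints_links` href carries stray single quotes inside the query string (`?'marker=5&limit=10'`). The note after POST /tokens says the returned token id (``887665443383838``) "can be used in the calls below", but every later call sends `X-Auth-Token:999888777666` in the header and only places ``887665443383838`` in the path; state explicitly that the header must carry an admin/service token, since the Member token obtained by joeuser would not be authorized for these admin-API calls. Minor: "Disover" under GET / should read "Discover".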


@ -0,0 +1,97 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Keystone Architecture
=====================
Keystone has two major components: Authentication and a Service Catalog.
Authentication
--------------
In providing a token-based authentication service for OpenStack, keystone
has several major concepts:
Tenant
A grouping used in OpenStack to contain relevant OpenStack services. A
tenant maps to a Nova "project-id", and in object storage, a tenant can
have multiple containers. Depending on the installation, a tenant can
represent a customer, account, organization, or project.
User
Represents an individual within OpenStack for the purposes of
authenticating them to OpenStack services. Users have credentials, and may
be assigned to one or more tenants. When authenticated, a token is
provided that is specific to a single tenant.
Credentials
Password or other information that uniquely identifies a User to Keystone
for the purposes of providing a token.
Token
A token is an arbitrary bit of text that is used to share authentication
with other OpenStack services so that Keystone can provide a central
location for authenticating users for access to OpenStack services. A
token may be "scoped" or "unscoped". A scoped token represents a user
authenticated to a Tenant, where an unscoped token represents just the
user.
Tokens are valid for a limited amount of time and may be revoked at any
time.
Role
A role is a set of permissions to access and use specific operations for
a given user when applied to a tenant. Roles are logical groupings of
those permissions to enable common permissions to be easily grouped and
bound to users associated with a given tenant.
Service Catalog
---------------
Keystone also provides a list of REST API endpoints as a definitive list for
an OpenStack installation. Key concepts include:
Service
An OpenStack service such as nova, swift, glance, or keystone. A service
may have one of more endpoints through which users can interact with
OpenStack services and resources.
Endpoint
A network accessible address (typically a URL) that represents the API
interface to an OpenStack service. Endpoints may also be grouped into
templates which represent a group of consumable OpenStack services
available across regions.
Template
A collection of endpoints representing a set of consumable OpenStack
service endpoints.
Components of Keystone
----------------------
Keystone includes a command-line interface which interacts with the Keystone
API for administrating keystone and related services.
* keystone - runs both keystone-admin and keystone-service
* keystone-admin - the administrative API for manipulating keystone
* keystone-service - the user oriented API for authentication
* keystone-manage - the command line interface to manipulate keystone
Keystone also includes WSGI middelware to provide authentication support
for Nova and Swift.
Keystone uses a built-in SQLite datastore - and may use an external LDAP
service to authenticate users instead of using stored credentials.
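Review bot: the Token definition describes it as "an arbitrary bit of text that is used to share authentication", but the security-relevant property for readers is that it is a bearer credential, anyone presenting it gets the scoped user's access, which is why the sentence "Tokens are valid for a limited amount of time and may be revoked at any time" belongs in the same paragraph rather than as a detached afterthought. The Components section opens with "Keystone includes a command-line interface" and then lists four items, only one of which (keystone-manage) is a CLI; reword the lead sentence. Typos: "one of more endpoints" -> "one or more endpoints", "WSGI middelware" -> "WSGI middleware".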

docs/source/backends.rst Normal file

@ -0,0 +1,188 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
========
Backends
========
Keystone supports multiple types of data stores for things like users, tenants, and
tokens, including SQL, LDAP, and memcache.
SQL
===
In the default backend configuration (SQL-only), Keystone depends on the following database tables.
``users``
---------
``id``
Auto-incremented primary key.
``name``
Unqiue username used for authentication via ``passwordCredentials``.
``password``
Password used for authentication via ``passwordCredentials``.
Salted and hashed using ``passlib``.
``email``
Email address (uniqueness is expected, but not enforced).
``enabled``
If false, the user is unable to authenticate and the user's tokens will fail validation.
``tenant_id``
Default tenant for the user.
``tokens``
----------
``id``
The actual token provided after successful authentication (*plaintext*).
``user_id``
References the user who owns the token.
``tenant_id``
(*optional*) References the tenant the token is scoped to.
``expires``
Indicates the expiration date of the token, after which the token can no longer be validated successfully.
``tenants``
-----------
``id``
Auto-incremented primary key.
``name``
Unique string identifying the tenant.
``desc``
Description of the tenant.
``enabled``
If false, users are unable to scope to the tenant.
``roles``
---------
``id``
Auto-incremented primary key.
``name``
Name of the role.
If the role is owned by a service, the role name **must** follow the convention::
serviceName:roleName
``desc``
Description of the role.
``service_id``
(*optional*) References the service that owns the role.
``user_roles``
--------------
Maps users to the roles that have been granted to them (*optionally*, within the scope of a tenant).
``id``
Auto-incremented primary key.
``user_id``
References the user the role is granted to.
``role_id``
References the granted role.
``tenant_id``
(*optional*) References a tenant upon which this grant is applies.
``services``
------------
``id``
Auto-incremented primary key.
``name``
Unique name of the service.
``type``
Indicates the type of service (e.g. ``compute``, ``object``, ``identity``, etc).
This can also be extended to support non-core services. Extended services
follow the naming convention ``extension:type`` (e.g. ``dnsextension:dns``).
``desc``
Describes the service.
``owner_id``
(*optional*) References the user who owns the service.
``credentials``
---------------
Currently only used for Amazon EC2 credential storage, this table is designed to support multiple
types of credentials in the future.
``id``
Auto-incremented primary key.
``user_id``
References the user who owns the credential.
``tenant_id``
References the tenant upon which the credential is valid.
``types``
Indicates the type of credential (e.g. ``Password``, ``APIKey``, ``EC2``).
``key``
Amazon EC2 access key.
``secret``
Amazon EC2 secret key.
``endpoints``
-------------
Tenant-specific endpoints map endpoint templates to specific tenants.
The ``tenant_id`` which appears here replaces the
``%tenant_id%`` template variable in the specified endpoint template.
``id``
Auto-incremented primary key.
``tenant_id``
References the tenant this endpoint applies to.
``endpoint_template_id``
The endpoint template to appear in the user's service catalog.
``endpoint_templates``
----------------------
A multi-purpose model for the service catalog which can be:
- Provided to users of a specific tenants via ``endpoints``, when ``is_global`` is false.
- Provided to all users as-is, when ``is_global`` is true.
``id``
Auto-incremented primary key.
``region``
Identifies the geographic region the endpoint is physically located within.
``service_id``
TODO: References the service which owns the endpoints?
``public_url``
Appears in the service catalog [#first]_.
Represents an endpoint available on the public Internet.
``admin_url``
Appears in the service catalog [#first]_.
Users of this endpoint must have an Admin or ServiceAdmin role.
``internal_url``
Appears in the service catalog [#first]_.
Represents an endpoint on an internal, unmetered network.
``enabled``
If false, this endpoint template will not appear in the service catalog.
``is_global``
If true, this endpoint can not be mapped to tenant-specific endpoints, and ``%tenant_id%`` will not be substituted in endpoint URL's. Additionally, this endpoint will appear for all users.
``version_id``
Identifies the version of the API contract that endpoint supports.
``version_list``
A URL which lists versions supported by the endpoint.
``version_info``
A URL which provides detailed version info regarding the service.
.. [#first] ``%tenant_id%`` may be replaced by actual tenant references, depending on the value of ``is_global`` and the existence of a corresponding ``endpoints`` record.
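Review bot: ``tokens.id`` is documented as "the actual token provided after successful authentication (*plaintext*)", which means any read of this table (backups, replicas, dump files) yields live bearer tokens; the section should say that access to the ``tokens`` table must be restricted and that rows past ``expires`` should be purged, since ``expires`` only stops validation and does not remove the row. The ``service_id`` entry under ``endpoint_templates`` still reads "TODO: References the service which owns the endpoints?" and should be resolved or dropped before merging. The ``credentials`` column is named ``types`` here while every other table uses the singular ``type``; confirm which is the real column name. Typos: "Unqiue username", "upon which this grant is applies", "endpoint URL's".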


@ -0,0 +1,100 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
====================
Configuring Keystone
====================
.. toctree::
:maxdepth: 1
keystone.conf
man/keystone-manage
Once Keystone is installed, there are a number of configuration options
available and potentially some initial data to create and set up.
Sample data / Quick Setup
=========================
Default sampledata is provided for easy setup and testing in bin/sampeldata. To
set up the sample data run the following command while Keystone is running::
$ ./bin/sampledata
The sample data created comes from the file :doc:`sourcecode/keystone.test.sampledata`
Keystone Configuration File
===========================
Most configuration is done via configuration files. The default files are
in ``/etc/keystone.conf``
When starting up a Keystone server, you can specify the configuration file to
use (see :doc:`controllingservers`).
If you do **not** specify a configuration file, keystone will look in the following
directories for a configuration file, in order:
* ``~/.keystone``
* ``~/``
* ``/etc/keystone``
* ``/etc``
The keystone configuration file should be named ``keystone.conf``.
If you installed keystone via your operating system's
package management system, it is likely that you will have sample
configuration files installed in ``/etc/keystone``.
In addition to this documentation page, you can check the
``etc/keystone.conf`` sample configuration
files distributed with keystone for example configuration files for each server
application with detailed comments on what each options does.
Sample Configuration Files
--------------------------
Keystone ships with sample configuration files in keystone/etc. These files are:
1. keystone.conf
A standard configuration file for running keystone in stand-alone mode.
It has a set of default extensions loaded to support administering Keystone
over REST. It uses a local SQLite database.
2. memcache.conf
A configuration that uses memcached for storing tokens (but still SQLite for all
other entities). This requires memcached running.
3. ssl.conf
A configuration that runs Keystone with SSL (so all URLs are accessed over HTTPS).
To run any of these configurations, use the `-c` option::
./keystone -c ../etc/ssl.conf
Usefule Links
-------------
For a sample configuration file with explanations of the settings, see :doc:`keystone.conf`
For configuring an LDAP backend, see http://mirantis.blogspot.com/2011/08/ldap-identity-store-for-openstack.html
For configuration settings of middleware components, see :doc:`middleware`
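Review bot: "The default files are in ``/etc/keystone.conf``" conflicts with the search list a few lines later, which names the directory ``/etc/keystone`` and says the file should be named ``keystone.conf``; pick one. Because ``~/.keystone`` and ``~/`` are searched before ``/etc/keystone`` and ``/etc``, a stray ``keystone.conf`` in the service account's home directory silently overrides the system configuration; recommend passing the configuration path explicitly when running in production. The Sample data section should say the sampledata is for testing only, since it loads well-known users and passwords (the ``joeuser``/``secrete`` pair used throughout the curl examples). Typos: "bin/sampeldata", "Usefule Links", "what each options does".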


@ -0,0 +1,333 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==========================================
Configuring Services to work with Keystone
==========================================
.. toctree::
:maxdepth: 1
Once Keystone is installed and running, services need to be configured to work
with it. These are the steps to configure a service to work with Keystone:
1. Create or get credentials for the service to use
A set of credentials are needed for each service (they may be
shared if you chose to). Depending on the service, these credentials are
either a username and password or a long-lived token..
2. Register the service, endpoints, roles and other entities
In order for a service to have it's endpoints and roles show in the service
catalog returned by Keystone, a service record needs to be added for the
service. Endpoints and roles associated with that service can then be created.
This can be done through the REST interface (using the OS-KSCATALOG extension)
or using keystone-manage.
3. Install and configure middleware for the service to handle authentication
Clients making calls to the service will pass in an authentication token. The
Keystone middleware will look for and validate that token, taking the
appropriate action. It will also retrive additional information from the token
such as user name, id, tenant name, id, roles, etc...
The middleware will pass those data down to the service as headers. The
detailed description of this architecture is available here :doc:`middleware_architecture`
Setting up credentials
======================
First admin user - bootstrapping
--------------------------------
For a default installation of Keystone, before you can use the REST API, you
need to create your first initial user and grant that user the right to
administer Keystone.
For the keystone service itself, two
Roles are pre-defined in the keystone configuration file
(:doc:`keystone.conf`).
#Role that allows admin operations (access to all operations)
keystone-admin-role = Admin
#Role that allows acting as service (validate tokens, register service,
etc...)
keystone-service-admin-role = KeystoneServiceAdmin
In order to create your first user, once Keystone is running use
the `keystone-manage` command:
$ keystone-manage user add admin secrete
$ keystone-manage role add Admin
$ keystone-manage role add KeystoneServiceAdmin
$ keystone-manage role grant Admin admin
$ keystone-manage role grant KeystoneServiceAdmin admin
This creates the `admin` user (with a password of `secrete`), creates
two roles (`Admin` and `KeystoneServiceAdmin`), and assigns those roles to
the `admin` user. From here, you should now have the choice of using the
administrative API (as well as the :doc:`man/keystone-manage` commands) to
further configure keystone. There are a number of examples of how to use
that API at :doc:`adminAPI_curl_examples`.
Setting up services
===================
Defining Services and Service Endpoints
---------------------------------------
Keystone also acts as a service catalog to let other OpenStack systems know
where relevant API endpoints exist for OpenStack Services. The OpenStack
Dashboard, in particular, uses this heavily - and this **must** be configured
for the OpenStack Dashboard to properly function.
Here's how we define the services::
$ keystone-manage service add nova compute "Nova Compute Service"
$ keystone-manage service add glance image "Glance Image Service"
$ keystone-manage service add swift storage "Swift Object Storage Service"
$ keystone-manage service add keystone identity "Keystone Identity Service"
Once the services are defined, we create endpoints for them. Each service
has three relevant URL's associated with it that are used in the command:
* the public API URL
* an administrative API URL
* an internal URL
The "internal URL" is an endpoint the generally offers the same API as the
public URL, but over a high-bandwidth, low-latency, unmetered (free) network.
You would use that to transfer images from nova to glance for example, and
not the Public URL which would go over the internet and be potentially chargeable.
The "admin URL" is for administering the services and is not exposed or accessible
to customers without the apporpriate privileges.
An example of setting up the endpoint for Nova::
$ keystone-manage endpointTemplates add RegionOne nova \
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
http://nova-api.mydomain:8774/v1.1/%tenant_id% \
1 1
Glance::
$ keystone-manage endpointTemplates add RegionOne glance \
http://glance.mydomain:9292/v1 \
http://glance.mydomain:9292/v1 \
http://glance.mydomain:9292/v1 \
1 1
Swift::
$ keystone-manage endpointTemplates add RegionOne swift \
http://swift.mydomain:8080/v1/AUTH_%tenant_id% \
http://swift.mydomain:8080/v1.0/ \
http://swift.mydomain:8080/v1/AUTH_%tenant_id% \
1 1
And setting up an endpoint for Keystone::
$ keystone-manage endpointTemplates add RegionOne keystone \
http://keystone.mydomain:5000/v2.0 \
http://keystone.mydomain:35357/v2.0 \
http://keystone.mydomain:5000/v2.0 \
1 1
Defining an Administrative Service Token
----------------------------------------
An Administrative Service Token is a bit of arbitrary text which is configured
in Keystone and used (typically configured into) Nova, Swift, Glance, and any
other OpenStack projects, to be able to use Keystone services.
This token is an arbitrary text string, but must be identical between Keystone
and the services using Keystone. This token is bound to a user and tenant as
well, so those also need to be created prior to setting it up.
The *admin* user was set up above, but we haven't created a tenant for that
user yet::
$ keystone-manage tenant add admin
and while we're here, let's grant the admin user the 'Admin' role to the
'admin' tenant::
$ keystone-manage role add Admin
$ keystone-manage role grant Admin admin admin
Now we can create a service token::
$ keystone-manage token add 999888777666 admin admin 2015-02-05T00:00
This creates a service token of '999888777666' associated to the admin user,
admin tenant, and expires on February 5th, 2015. This token will be used when
configuring Nova, Glance, or other OpenStack services.
Securing Communications with SSL
--------------------------------
To encrypt traffic between services and Keystone, see :doc:`ssl`
Setting up OpenStack users
==========================
Creating Tenants, Users, and Roles
----------------------------------
Let's set up a 'demo' tenant::
$ keystone-manage tenant add demo
And add a 'demo' user with the password 'guest'::
$ keystone-manage user add demo guest
Now let's add a role of "Member" and grant 'demo' user that role
as it pertains to the tenant 'demo'::
$ keystone-manage role add Member
$ keystone-manage role grant Member demo demo
Let's also add the admin user as an Admin role to the demo tenant::
$ keystone-manage role grant Admin admin demo
Creating EC2 credentials
------------------------
To add EC2 credentials for the `admin` and `demo` accounts::
$ keystone-manage credentials add admin EC2 'admin' 'secretpassword'
$ keystone-manage credentials add admin EC2 'demo' 'secretpassword'
If you have a large number of credentials to create, you can put them all
into a single large file and import them using :doc:`man/keystone-import`. The
format of the document looks like::
credentials add admin EC2 'username' 'password'
credentials add admin EC2 'username' 'password'
Then use::
$ keystone-import `filename`
Setting Up Middleware
=====================
Keystone Auth-Token Middleware
--------------------------------
The Keystone auth_token middleware is a WSGI component that can be inserted in
the WSGI pipeline to handle authenticating tokens with Keystone. See :doc:`middleware`
for details on middleware and configuration parameters.
Configuring Nova to use Keystone
--------------------------------
To configure Nova to use Keystone for authentication, the Nova API service
can be run against the api-paste file provided by Keystone. This is most
easily accomplished by setting the `--api_paste_config` flag in nova.conf to
point to `examples/paste/nova-api-paste.ini` from Keystone. This paste file
included references to the WSGI authentication middleware provided with the
keystone installation.
When configuring Nova, it is important to create a admin service token for
the service (from the Configuration step above) and include that as the key
'admin_token' in the nova-api-paste.ini. See the documented
:doc:`nova-api-paste` file for references.
Configuring Swift to use Keystone
---------------------------------
Similar to Nova, swift can be configured to use Keystone for authentication
rather than it's built in 'tempauth'.
1. Add a service endpoint for Swift to Keystone
2. Configure the paste file for swift-proxy (`/etc/swift/swift-proxy.conf`)
3. Reconfigure Swift's proxy server to use Keystone instead of TempAuth.
Here's an example `/etc/swift/proxy-server.conf`::
[DEFAULT]
bind_port = 8888
user = <user>
[pipeline:main]
pipeline = catch_errors cache keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
[filter:keystone]
use = egg:keystone#tokenauth
auth_protocol = http
auth_host = 127.0.0.1
auth_port = 35357
admin_token = 999888777666
delay_auth_decision = 0
service_protocol = http
service_host = 127.0.0.1
service_port = 8100
service_pass = dTpw
cache = swift.cache
[filter:cache]
use = egg:swift#memcache
set log_name = cache
[filter:catch_errors]
use = egg:swift#catch_errors
Note that the optional "cache" property in the keystone filter allows any
service (not just Swift) to register its memcache client in the WSGI
environment. If such a cache exists, Keystone middleware will utilize it
to store validated token information, which could result in better overall
performance.
4. Restart swift
5. Verify that keystone is providing authentication to Swift
Use `swift` to check everything works (note: you currently have to create a
container or upload something as your first action to have the account
created; there's a Swift bug to be fixed soon)::
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete post container
$ swift -A http://127.0.0.1:5000/v1.0 -U joeuser -K secrete stat -v
StorageURL: http://127.0.0.1:8888/v1/AUTH_1234
Auth Token: 74ce1b05-e839-43b7-bd76-85ef178726c3
Account: AUTH_1234
Containers: 1
Objects: 0
Bytes: 0
Accept-Ranges: bytes
X-Trans-Id: tx25c1a6969d8f4372b63912f411de3c3b
.. WARNING::
Keystone currently allows any valid token to do anything with any account.
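Review bot: the EC2 section says it adds credentials "for the `admin` and `demo` accounts", but both command lines pass `admin` as the user (`credentials add admin EC2 'demo' 'secretpassword'`); the second line should name `demo`. In the Swift steps, step 2 refers to `/etc/swift/swift-proxy.conf` while the example that follows is `/etc/swift/proxy-server.conf`; align the two. The service-token line `keystone-manage token add 999888777666 admin admin 2015-02-05T00:00` uses the same literal that appears in the curl examples and in the Swift `admin_token = 999888777666` setting; the text should tell operators to generate their own unpredictable value, because this string is copied into every service's paste config and carries the Admin role as a bearer credential, which the closing WARNING ("any valid token can do anything with any account") makes even more consequential. Formatting: the keystone.conf role excerpt (`keystone-admin-role = Admin` ...) and the five `keystone-manage` bootstrap commands are not introduced with `::`, so they will render as running prose instead of literal blocks. Typos: "have it's endpoints", "retrive", "apporpriate", "a admin service token", "it's built in 'tempauth'".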


@ -0,0 +1,288 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
============================
Controlling Keystone Servers
============================
This section describes the ways to start, stop, and reload the Keystone
services.
Keystone Services
-----------------
Keystone can serve a number of REST APIs and extensions on different TCP/IP
ports.
The Service API
~~~~~~~~~~~~~~~~
The core Keystone
API is primarily a read-only API (the only write operation being POST /tokens
which authenticates a client, and returns a generated token).
This API is sufficient to use OpenStack if all users, roles, endpoints already
exist. This is often the case if Keystone is using an enterprise backend
and the backend is managed through other entperrise tools and business
processes. This core API is called the Service API and can be started
separately from the more complete Admin API. By default, Keystone runs
this API on port 5000. This is not an IANA assigned port and should not
be relied upon (instead, use the Admin API on port 35357 to look for
this endpoint - more on this later)
The Service API is started using this command in the /bin directory::
$ ./keystone-auth
The Admin API
~~~~~~~~~~~~~
Inn order for Keystone to be a fully functional service out of the box,
API extensions that provide full CRUD operations is included with Keystone.
This full set of API calls includes the OS-KSCATALOG, OS-KSADM, and OS-KSEC2
extensions. These extensions provide a full set of create, read, update, delete
(CRUD) operations that can be used to manage Keystone objects through REST
calls. By default Keystone runs this full REST API on TCP/IP port 35357
(assigned by IANA to Keystone).
The Admin API is started using this command in the /bin directory::
$ ./keystone-admin
Both APIs can be loaded simultaneously (on different ports) using this command::
$ ./keystone
Starting a server
-----------------
There are two ways to start a Keystone service (either the Service API server
or the Admin API server):
- Manually calling the server program
- Using the ``keystone-control`` server daemon wrapper program
We recommend using the second way in production and the first for development
and debugging.
Manually starting the server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The first is by directly calling the server program, passing in command-line
options and a single argument for a ``paste.deploy`` configuration file to
use when configuring the server application.
.. note::
Keystone ships with an ``etc/`` directory that contains a sample ``paste.deploy``
configuration files that you can copy to a standard configuration directory and
adapt for your own uses.
If you do `not` specify a configuration file on the command line, Keystone will
do its best to locate a configuration file in one of the
following directories, stopping at the first config file it finds:
- ``$CWD``
- ``~/.keystone``
- ``~/``
- ``/etc/keystone``
- ``/etc``
The filename that is searched for is ``keystone.conf`` by default.
If no configuration file is found, you will see an error, like::
$ keystone
ERROR: Unable to locate any configuration file. Cannot load application keystone
Here is an example showing how you can manually start the ``keystone-auth`` server and ``keystone-registry`` in a shell::
$ ./keystone -d
keystone-legacy-auth: INFO **************************************************
keystone-legacy-auth: INFO Configuration options gathered from config file:
keystone-legacy-auth: INFO /Users/ziadsawalha/Documents/Code/keystone/etc/keystone.conf
keystone-legacy-auth: INFO ================================================
keystone-legacy-auth: INFO admin_host 0.0.0.0
keystone-legacy-auth: INFO admin_port 35357
keystone-legacy-auth: INFO admin_ssl False
keystone-legacy-auth: INFO backends keystone.backends.sqlalchemy
keystone-legacy-auth: INFO ca_certs /etc/keystone/ssl/certs/ca.pem
keystone-legacy-auth: INFO cert_required True
keystone-legacy-auth: INFO certfile /etc/keystone/ssl/certs/keystone.pem
keystone-legacy-auth: INFO debug True
keystone-legacy-auth: INFO default_store sqlite
keystone-legacy-auth: INFO extensions osksadm,oskscatalog,hpidm
keystone-legacy-auth: INFO hash-password True
keystone-legacy-auth: INFO keyfile /etc/keystone/ssl/private/keystonekey.pem
keystone-legacy-auth: INFO keystone-admin-role Admin
keystone-legacy-auth: INFO keystone-service-admin-role KeystoneServiceAdmin
keystone-legacy-auth: INFO log_dir .
keystone-legacy-auth: INFO log_file keystone.log
keystone-legacy-auth: INFO service-header-mappings {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
keystone-legacy-auth: INFO service_host 0.0.0.0
keystone-legacy-auth: INFO service_port 5000
keystone-legacy-auth: INFO service_ssl False
keystone-legacy-auth: INFO verbose False
keystone-legacy-auth: INFO **************************************************
passlib.registry: INFO registered crypt handler 'sha512_crypt': <class 'passlib.handlers.sha2_crypt.sha512_crypt'>
Starting the RAX-KEY extension
Starting the Legacy Authentication component
admin : INFO **************************************************
admin : INFO Configuration options gathered from config file:
admin : INFO /Users/ziadsawalha/Documents/Code/keystone/etc/keystone.conf
admin : INFO ================================================
admin : INFO admin_host 0.0.0.0
admin : INFO admin_port 35357
admin : INFO admin_ssl False
admin : INFO backends keystone.backends.sqlalchemy
admin : INFO ca_certs /etc/keystone/ssl/certs/ca.pem
admin : INFO cert_required True
admin : INFO certfile /etc/keystone/ssl/certs/keystone.pem
admin : INFO debug True
admin : INFO default_store sqlite
admin : INFO extensions osksadm,oskscatalog,hpidm
admin : INFO hash-password True
admin : INFO keyfile /etc/keystone/ssl/private/keystonekey.pem
admin : INFO keystone-admin-role Admin
admin : INFO keystone-service-admin-role KeystoneServiceAdmin
admin : INFO log_dir .
admin : INFO log_file keystone.log
admin : INFO service-header-mappings {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
admin : INFO service_host 0.0.0.0
admin : INFO service_port 5000
admin : INFO service_ssl False
admin : INFO verbose False
admin : INFO **************************************************
Using config file: /Users/ziadsawalha/Documents/Code/keystone/etc/keystone.conf
Service API (ssl=False) listening on 0.0.0.0:5000
Admin API (ssl=False) listening on 0.0.0.0:35357
eventlet.wsgi.server: DEBUG (77128) wsgi starting up on http://0.0.0.0:5000/
eventlet.wsgi.server: DEBUG (77128) wsgi starting up on http://0.0.0.0:35357/
$ sudo keystone-registry keystone-registry.conf &
jsuh@mc-ats1:~$ 2011-04-13 14:51:16 INFO [sqlalchemy.engine.base.Engine.0x...feac] PRAGMA table_info("images")
2011-04-13 14:51:16 INFO [sqlalchemy.engine.base.Engine.0x...feac] ()
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Col ('cid', 'name', 'type', 'notnull', 'dflt_value', 'pk')
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (0, u'created_at', u'DATETIME', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (1, u'updated_at', u'DATETIME', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (2, u'deleted_at', u'DATETIME', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (3, u'deleted', u'BOOLEAN', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (4, u'id', u'INTEGER', 1, None, 1)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (5, u'name', u'VARCHAR(255)', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (6, u'disk_format', u'VARCHAR(20)', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (7, u'container_format', u'VARCHAR(20)', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (8, u'size', u'INTEGER', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (9, u'status', u'VARCHAR(30)', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (10, u'is_public', u'BOOLEAN', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (11, u'location', u'TEXT', 0, None, 0)
2011-04-13 14:51:16 INFO [sqlalchemy.engine.base.Engine.0x...feac] PRAGMA table_info("image_properties")
2011-04-13 14:51:16 INFO [sqlalchemy.engine.base.Engine.0x...feac] ()
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Col ('cid', 'name', 'type', 'notnull', 'dflt_value', 'pk')
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (0, u'created_at', u'DATETIME', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (1, u'updated_at', u'DATETIME', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (2, u'deleted_at', u'DATETIME', 0, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (3, u'deleted', u'BOOLEAN', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (4, u'id', u'INTEGER', 1, None, 1)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (5, u'image_id', u'INTEGER', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (6, u'key', u'VARCHAR(255)', 1, None, 0)
2011-04-13 14:51:16 DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (7, u'value', u'TEXT', 0, None, 0)
$ ps aux | grep keystone
myuser 77148 0.0 0.0 2434892 472 s012 U+ 11:50AM 0:00.01 grep keystone
myuser 77128 0.0 0.6 2459356 25360 s011 S+ 11:48AM 0:00.82 python ./keystone -d
Simply supply the configuration file as the first argument
and then any common options
you want to use (``-d`` was used above to show some of the debugging
output that the server shows when starting up. Call the server program
with ``--help`` to see all available options you can specify on the
command line.)
Using ``--trace-calls`` is useful for showing a trace of calls (errors in red)
for debugging.
For more information on configuring the server via the ``paste.deploy``
configuration files, see the section entitled
:doc:`Configuring Keystone <configuration>`
Note that the server `daemonizes` itself by using the standard
shell backgrounding indicator, ``&``, in the previous example. For most use cases, we recommend
using the ``keystone-control`` server daemon wrapper for daemonizing. See below
for more details on daemonization with ``keystone-control``.
Using ``keystone-control`` to start the server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The second way to start up a Keystone server is to use the ``keystone-control``
program. ``keystone-control`` is a wrapper script that allows the user to
start, stop, restart, and reload the other Keystone server programs in
a fashion that is more conducive to automation and scripting.
Servers started via the ``keystone-control`` program are always `daemonized`,
meaning that the server program process runs in the background.
To start a Keystone server with ``keystone-control``, simply call
``keystone-control`` with a server and the word "start", followed by
any command-line options you wish to provide. Start the server with ``keystone-control``
in the following way::
$ sudo keystone-control <SERVER> start [CONFPATH]
.. note::
You must use the ``sudo`` program to run ``keystone-control`` currently, as the
pid files for the server programs are written to /var/run/keystone/
Start the ``keystone-admin`` server using ``keystone-control``::
$ sudo keystone-control admin start
Starting keystone-admin with /etc/keystone.conf
The same ``paste.deploy`` configuration files are used by ``keystone-control``
to start the Keystone server programs, and you can specify (as the example above
shows) a configuration file when starting the server.
Stopping a server
-----------------
If you started a Keystone server manually and did not use the ``&`` backgrounding
function, simply send a terminate signal to the server process by typing
``Ctrl-C``
If you started the Keystone server using ``keystone-control``, you can
use the ``keystone-control`` program to stop it::
$ sudo keystone-control <SERVER> stop
For example::
$ sudo keystone-control auth stop
Stopping keystone-auth pid: 77401 signal: 15
Restarting a server
-------------------
Restart the Keystone server using ``keystone-control``::
$ sudo keystone-control admin restart /etc/keystone.conf
Stopping keystone-admin pid: 77401 signal: 15
Starting keystone-admin with /etc/keystone.conf
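Review bot: the second half of the manual-start example, from ``$ sudo keystone-registry keystone-registry.conf &`` through the ``PRAGMA table_info("image_properties")`` rows, is output from a Glance registry (the ``images`` and ``image_properties`` tables); there is no ``keystone-registry`` program, and the sentence introducing the example ("manually start the ``keystone-auth`` server and ``keystone-registry``") carries the same mistake. Drop those lines and the reference and keep the ``./keystone -d`` output and the ``ps aux`` check, which do belong together (pid 77128 in both). Two points in the remaining text need a sentence each. First, the configuration-file lookup tries ``$CWD`` and ``~/`` before ``/etc/keystone``; because that file selects ``backends``, the admin role names and the TLS key and certificate paths, a ``keystone.conf`` dropped into whatever directory the service is started from silently replaces the system configuration, so the doc should tell operators to always pass an explicit config path (and ideally the lookup should not consult ``$CWD`` at all). Second, the sample dump shows ``admin_host 0.0.0.0`` with ``admin_ssl False``, which exposes the full CRUD Admin API on 35357 on every interface in clear text; say that this is a development setting and that production should bind ``admin_host`` to a management address and enable ``admin_ssl``. Smaller: "the server daemonizes itself by using ... ``&``" is wrong (backgrounding is not daemonizing, as the next sentence about ``keystone-control`` implies); the ``sudo`` note should say whether the daemon keeps running as root or drops to a service user once the pid file is written; and "entperrise", "Inn order" and "extensions ... is included" are typos.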

docs/source/endpoints.rst Normal file

@ -0,0 +1,430 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
================================
Endpoints and Endpoint Templates
================================
.. toctree::
:maxdepth: 1
What are Endpoints?
-------------------
Simply, endpoints are URLs that point to OpenStack services. When you
authenticate to Keystone you get back a token which has a service catalog in
it. The service catalog is basically a list of the OpenStack services that
you have access to and the URLs you can use to get to them; their endpoints.
Here is an example response from Keystone when you authenticate::
{
"access":{
"token":{
"id":"ab48a9efdfedb23ty3494",
"expires":"2010-11-01T03:32:15-05:00",
"tenant":{
"id": "t1000",
"name": "My Project"
}
},
"user":{
"id":"u123",
"name":"jqsmith",
"roles":[{
"id":"100",
"name":"compute:admin"
},
{
"id":"101",
"name":"object-store:admin",
"tenantId":"t1000"
}
],
"roles_links":[]
},
"serviceCatalog":[{
"name":"Nova",
"type":"compute",
"endpoints":[{
"tenantId":"t1000",
"publicURL":"https://compute.north.host.com/v1/t1000",
"internalURL":"https://compute.north.internal/v1/t1000",
"region":"North",
"versionId":"1",
"versionInfo":"https://compute.north.host.com/v1/",
"versionList":"https://compute.north.host.com/"
},
{
"tenantId":"t1000",
"publicURL":"https://compute.north.host.com/v1.1/t1000",
"internalURL":"https://compute.north.internal/v1.1/t1000",
"region":"North",
"versionId":"1.1",
"versionInfo":"https://compute.north.host.com/v1.1/",
"versionList":"https://compute.north.host.com/"
}
],
"endpoints_links":[]
},
{
"name":"Swift",
"type":"object-store",
"endpoints":[{
"tenantId":"t1000",
"publicURL":"https://storage.north.host.com/v1/t1000",
"internalURL":"https://storage.north.internal/v1/t1000",
"region":"North",
"versionId":"1",
"versionInfo":"https://storage.north.host.com/v1/",
"versionList":"https://storage.north.host.com/"
},
{
"tenantId":"t1000",
"publicURL":"https://storage.south.host.com/v1/t1000",
"internalURL":"https://storage.south.internal/v1/t1000",
"region":"South",
"versionId":"1",
"versionInfo":"https://storage.south.host.com/v1/",
"versionList":"https://storage.south.host.com/"
}
]
},
{
"name":"DNS-as-a-Service",
"type":"dnsextension:dns",
"endpoints":[{
"tenantId":"t1000",
"publicURL":"https://dns.host.com/v2.0/t1000",
"versionId":"2.0",
"versionInfo":"https://dns.host.com/v2.0/",
"versionList":"https://dns.host.com/"
}
]
}
]
}
}
Note the following about this response:
#. There are two endpoints given to the Nova compute service. The only
difference between them is the version (1.0 vs. 1.1). This allows for code
written to look for the version 1.0 endpoint to still work even after the 1.1
version is released.
#. There are two endpoints for the Swift object-store service. The difference
between them is they are in different regions (North and South).
#. Note the DNS service is global; it does not have a Region. Also, since DNS
is not a core OpenStack service, the endpoint type is "dnsextension:dns"
showing it is coming from an extension to the Keystone service.
#. The Region, Tenant, and versionId are listed under the endpoint. You do not
(and should not) have to parse those out of the URL. In fact, they may not be
embedded in the URL if the service developer so chooses.
What do the fields in an Endpoint mean?
---------------------------------------
The schema definition for an endpoint is in endpoints.xsd under
keystone/content/common/xsd in the Keystone code repo. The fields are:
id
A unique ID for the endpoint.
type
The OpenStack-registered type (ex. 'compute', 'object-store', 'image service')
This can also be extended using the OpenStack Extension mechanism to support
non-core services. Extended services will be in the form ``extension:type``
(e.g. ``dnsextension:dns``)
name
This can be anything that the operator of OpenStack chooses. It could be a
brand or marketing name (ex. Rackspace Cloud Servers).
region
This is a string that identifies the region where this endpoint exists.
Examples are 'North America', 'Europe', 'Asia'. Or 'North' and 'South'. Or
'Data Center 1', 'Data Center 2'.
The list of regions and what a region means is decided by the operator. The
spec treats them as opaque strings.
publicURL
This is the URL to use to access that endpoint over the internet.
internalURL
This is the URL to use to communicate between services. This is genenrally
a way to communicate between services over a high bandwidth, low latency,
unmetered (free, no bandwidth charges) network. An example would be if you
want to access a swift cluster from inside your Nova VMs and want to make
sure the communication stays local and does not go over a public network
and rack up your bandwidth charges.
adminURL
This is the URL to use to administer the service. In Keystone, this URL
is only shown to users with the appropriate rights.
tenantId
If an endpoint is specific to a tenant, the tenantId field identifies the
tenant that URL applies to. Some operators include the tenant in the
URLs for a service, while others may provide one endpoint and use some
other mechanism to identify the tenant. This field is therefore optional.
Having this field also means you do not have to parse the URL to identify
a tenant if the operator includes it in the URL.
versionId
This identifies the version of the API contract that endpoint supports.
While many APIs include the version in the URL (ex: https://compute.host/v1),
this field allows you to identify the version without parsing the URL. It
therefore also allows operators and service developers to publish endpoints
that do not have versions embedded in the URL.
versionInfo
This is the URL to call to get some information on the version. This returns
information in this format::
{
"version": {
"id": "v2.0",
"status": "CURRENT",
"updated": "2011-01-21T11:33:21-06:00",
"links": [
{
"rel": "self",
"href": "http://identity.api.openstack.org/v2.0/"
}, {
"rel": "describedby",
"type": "application/pdf",
"href": "http://docs.openstack.org/identity/api/v2.0/identity-latest.pdf"
}, {
"rel": "describedby",
"type": "application/vnd.sun.wadl+xml",
"href": "http://docs.openstack.org/identity/api/v2.0/identity.wadl"
}
],
"media-types": [
{
"base": "application/xml",
"type": "application/vnd.openstack.identity+xml;version=2.0"
}, {
"base": "application/json",
"type": "application/vnd.openstack.identity+json;version=2.0"
}
]
}
}
versionList
This is the URL to call to find out which versions are supported at that
endpoint. The response is in this format::
{
"versions":[{
"id":"v1.0",
"status":"DEPRECATED",
"updated":"2009-10-09T11:30:00Z",
"links":[{
"rel":"self",
"href":"http://identity.api.openstack.org/v1.0/"
}
]
},
{
"id":"v1.1",
"status":"CURRENT",
"updated":"2010-12-12T18:30:02.25Z",
"links":[{
"rel":"self",
"href":"http://identity.api.openstack.org/v1.1/"
}
]
},
{
"id":"v2.0",
"status":"BETA",
"updated":"2011-05-27T20:22:02.25Z",
"links":[{
"rel":"self",
"href":"http://identity.api.openstack.org/v2.0/"
}
]
}
],
"versions_links":[]
}
Here, the response shows that the endpoint supports version 1.0, 1.1, and 2.0.
It also shows that 1.0 is in DEPRECTAED status and 2.0 is in BETA.
What are Endpoint Templates?
----------------------------
Endpoint Templates are a way for an administrator to manage endpoints en masse.
They provide a way to define Endpoints that apply to many or all tenants
without having to a create each endpoint on each tenant manually. Without
Endpoint Templates, if I wanted to create Endpoints for each tenant in my
OpenStack deployment, I'd have to manually create a bunch of endpoints on
each tenant (probably when I created the tenant). And then I'd have to go change
them all whenever a service changed versions or I added a new service.
To provide a simpler mechanism to manage endpoints on tenants, Keystone uses
Endpoint Templates. I can, for example, define a template with parametrized URLs
and set it's `global` to true and that will show up as an endpoint on all the tenants
I have. Here is an example:
Define a global Endpoint Template::
$ ./keystone-manage endpointTemplates add North nova https://compute.north.example.com/v1/%tenant_id%/ https://compute.north.example.corp/v1/ https://compute.north.example.local/v1/%tenant_id%/ 1 1
The arguments are: object_type action 'region' 'service_name' 'publicURL' 'adminURL' 'internalURL' 'enabled' 'global'
This creates a global endpoint (global means it gets applied to all tenants automatically).
Now, when a user authenticates, they get that endpoint in their service catalog. Here's an example
authentication request for use against tenant 1::
$ curl -H "Content-type: application/json" -d '{"auth":{"passwordCredentials":{"username":"joeuser","password":"secrete"}, "tenantId": "1"}}' http://localhost:5000/v2.0/tokens
The response is::
{
"access": {
"serviceCatalog": [
{
"endpoints": [
{
"internalURL": "https://compute.north.example.local",
"publicURL": "https://compute.north.example.com/v1/1/",
"region": "North"
}
],
"name": "nova",
"type": "compute"
}
],
"token": {
"expires": "2012-02-05T00:00:00",
"id": "887665443383838",
"tenant": {
"id": "1",
"name": "customer-x"
}
},
"user": {
"id": "1",
"name": "joeuser",
"roles": [
{
"id": "3",
"name": "Member",
"tenantId": "1"
}
]
}
}
}
Notice the adminURL is not showing (this user is a regular user and does not
have rights to see the adminURL) and the tenant ID has been substituted in the
URL::
"publicURL": "https://compute.north.example.com/v1/1/",
This endpoint will show up for all tenants. The OpenStack administrator does
not need to create the endpoint manually.
.. note:: Endpoint Templates are not part of the core Keystone API (but Endpoints are).
What parameters can I use in a Template URL
-------------------------------------------
Currently the only parameterization available is %tenant_id% which gets
substituted by the Tenant ID.
Endpoint Template Types: Global or not
--------------------------------------
When the global flag is set to true on an Endpoint Template, it means it should
be available to all tenants. Whenever someone authenticates to a tenant, they
will see the Endpoint generated by that template.
When the global flag is not set, the template only shows up when it is added to
a tenant manually. To add an endpoint to a tenant manually, you must create
the Endpoint and supply the Endpoint Template ID:
Create the Endpoint Template::
$ ./keystone-manage endpointTemplates add West nova https://compute.west.example.com/v1/%tenant_id%/ https://compute.west.example.corp https://compute.west.example.local 1 0
Note the 0 at the end - this Endpoint Template is not global. So it will not show up for users authenticating.
Find the Endpoint Template ID::
$ ./keystone-manage endpointTemplates list
All EndpointTemplates
id service type region enabled is_global Public URL Admin URL
-------------------------------------------------------------------------------
15 nova compute North True True https://compute.north.example.com/v1/%tenant_id%/ https://compute.north.example.corp
16 nova compute West True False https://compute.west.example.com/v1/%tenant_id%/ https://compute.west.example.corp
Add the Endpoint to the tenant::
$ ./keystone-manage endpoint add customer-x 16
Now, when the user authenticates, they get the endpoint::
{
"internalURL": "https://compute.west.example.local",
"publicURL": "https://compute.west.example.com/v1/1/",
"region": "West"
}
Who can see the AdminURL?
-------------------------
Users who have the Keystone `Admin` or `Service Admin` roles will see the
AdminURL when they authenticate or when they retrieve token information:
Using an administrator token to authenticate, GET a client token's endpoints::
$ curl -H "X-Auth-Token: 999888777666" http://localhost:35357/v2.0/tokens/887665443383838/endpoints
{
"endpoints": [
{
"adminURL": "https://compute.west.example.corp",
"id": 6,
"internalURL": "https://compute.west.example.local",
"name": "nova",
"publicURL": "https://compute.west.example.com/v1/1/",
"region": "West",
"tenantId": 1,
"type": "compute"
}
],
"endpoints_links": [
{
"href": "http://127.0.0.1:35357/tokens/887665443383838/endpoints?marker=6&limit=10",
"rel": "next"
}
]
}
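Review bot: the North worked example does not round-trip. The template is created with internalURL ``https://compute.north.example.local/v1/%tenant_id%/`` and adminURL ``https://compute.north.example.corp/v1/``, but the catalog returned on authentication shows ``"internalURL": "https://compute.north.example.local"`` and ``endpointTemplates list`` shows the Admin URL as ``https://compute.north.example.corp``. Make the inputs and outputs agree so a reader can check their own deployment against them. The ``"next"`` link in ``endpoints_links`` is ``http://127.0.0.1:35357/tokens/...`` without the ``/v2.0`` prefix the request used. On the one access-control rule this page states (adminURL is shown only to holders of the ``Admin`` or ``Service Admin`` role), be explicit about which token the rule is evaluated on: in the example an admin token reads a Member's token endpoints and the adminURL is returned, so it appears to be the caller's role, and say whether the Service API on 5000 ever returns adminURL at all; operators need that to decide whether admin URLs are to be treated as sensitive. Typos: "genenrally", "DEPRECTAED", "it's ``global``" (its), "without having to a create each endpoint".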

docs/source/extensions.rst Normal file

@ -0,0 +1,183 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==========
Extensions
==========
Extensions support adding features and functions to OpenStack APIs at any time, without prior
approval or waiting for a new API and release cycles.
The extension framework is in development and documented in extensions_ and extensionspresentation_.
This document describes the extensions included with Keystone, how to enable and disable them,
and briefly touches on how to write your own extensions.
.. _extensions: http://docs.openstack.org/trunk/openstack-compute/developer/openstack-api-extensions/content/ch02s01.html
.. _extensionspresentation: http://www.slideshare.net/RackerWilliams/openstack-extensions
Built-in Extensions
-------------------
Keystone ships with a number of extensions found under the
``keystone/contib/extensions`` folder.
The following built-in extensions are included:
OS-KSADM
This is an extensions that supports managing users, tenants, and roles
through the API. Without this extensions, the ony way to manage those
objects is through keystone-manage or directly in the underlying database.
This is an Admin API extension only.
OS-KSCATALOG
This extensions supports managing Endpoints and prrovides the Endpoint
Template mechanism for managing bulk endpoints.
This is an Admin API extension only.
OS-EC2
This extension adds support for EC2 credentials.
This is an Admin and Service API extension.
RAX-GRP
This extension adds functionality the enables groups.
This is an Admin and Service API extension.
RAX-KEY
This extensions adds support for authentication with an API Key (the core
Keystone API only supports username/password credentials)
This is an Admin and Service API extension.
HP-IDM
This extension adds capability to filter roles with optional service IDs
for token validation to mitigate security risks with role name conflicts.
See https://bugs.launchpad.net/keystone/+bug/890411 for more details.
This is an Admin API extension. Applicable to validate token (GET)
and check token (HEAD) APIs only.
OS-KSVALIDATE
This extensions supports admin calls to /tokens without having to specify
the token ID in the URL. Instead, the ID is supplied in a header called
X-Subject-Token. This is provided as an alternative to address any security
concerns that arise when token IDs are passed as part of the URL which is
often (and by default) logged to insecure media.
This is an Admin API extension only.
.. note::
The included extensions are in the process of being rewritten. Currently
osksadm, oskscatalog, hpidm, and osksvalidate work with this new
extensions design.
Enabling & Disabling Extensions
-------------------------------
The Keystone conf file has a property called extensions. This property holds
the list of supported extensions that you want enabled. If you want to
add/remove an extension from being supported, add/remove the extension key
from this property. The key is the name of the folder of the extension
under the keystone/contrib/extensions folder.
.. note::
If you want to load different extensions in the service API than the Admin API
you need to use different config files.
Creating New Extensions
-----------------------
#. **Adopt a unique organization abbreviation.**
This prefix should uniquely identify your organization within the community.
The goal is to avoid schema and resource collisions with similiar extensions.
(e.g. ``OS`` for OpenStack, ``RAX`` for Rackspace, or ``HP`` for Hewlett-Packard)
#. **Adopt a unique extension abbreviation.**
Select an abbreviation to identify your extension, and append to
your organization prefix using a hyphen (``-``), by convention
(e.g. ``OS-KSADM`` (for OpenStack's Keystone Administration extension).
This combination is referred to as your extension's prefix.
#. **Determine the scope of your extension.**
Extensions can enhance the Admin API, Service API or both.
#. **Create a new module.**
Create a module to isolate your namespace based on the extension prefix
you selected::
keystone/contrib/extensions/admin
... and/or::
keystone/contrib/extensions/service/
... based on which API you are enhancing.
.. note::
In the future, we will support loading external extensions.
#. Add static extension files for JSON (``*.json``) and XML
(``*.xml``) to the new extension module.
Refer to `Service Guide <https://github.com/openstack/keystone/blob/master/keystone/content/admin/identityadminguide.pdf?raw=true>`_
`Sample extension XML <https://github.com/openstack/keystone/blob/master/keystone/content/common/samples/extension.json>`_
`Sample extension JSON <https://github.com/openstack/keystone/blob/master/keystone/content/common/samples/extension.xml>`_ for the the content and structure.
#. If your extension is adding additional methods override the base class
``BaseExtensionHandler``, name it ``ExtensionHandler``, and add your methods.
#. **Document your work.**
Provide documentation to support your extension.
Extensions documentation, WADL, and XSD files can be stored in the
``keystone/content`` folder.
#. Add your extension name to the list of supported extensions in The
``keystone.conf`` file.
Which extensions are enabled?
-----------------------------
Discover which extensions are available (service API)::
curl http://localhost:5000/v2.0/extensions
... or (admin API)::
curl http://localhost:35357/v2.0/extensions
The response will list the extensions available.
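Review bot: the two sample links in step 5 of "Creating New Extensions" are swapped: "Sample extension XML" points at ``extension.json`` and "Sample extension JSON" points at ``extension.xml``. The EC2 extension is named ``OS-EC2`` here but ``OS-KSEC2`` in the controlling.rst added in the same commit; pick one, because the value an operator puts in the ``extensions`` property is the folder name under ``keystone/contrib/extensions`` and a wrong guess silently leaves the extension disabled (the sample config in controlling.rst enables only ``osksadm,oskscatalog,hpidm``, so it is worth saying that the EC2, group and API-key extensions are off by default). Step 4 lists ``keystone/contrib/extensions/admin`` and ``keystone/contrib/extensions/service/`` as the module to create, but those are the parent folders and the text says the key is the extension's own folder beneath them, so show the full path including the extension name. For ``OS-KSVALIDATE`` the rationale (token IDs in URLs end up in access logs) is right; since it is described as an alternative to the ``/tokens/{id}`` form rather than a replacement, add that enabling it does not keep IDs out of the logs until clients switch to ``X-Subject-Token`` and the URL form is disabled or its logging filtered. Typos: "contib", "an extensions", "the ony way", "prrovides", "similiar".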

docs/source/images/305.svg Normal file

@ -0,0 +1,158 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="193.58089"
height="100.32214"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="proxyAuth.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="134.39587"
inkscape:cy="72.635488"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-240.60414,-504.67553)">
<g
id="1"
transform="translate(239.41667,503.49764)">
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="25.6"
x="136"
xml:space="preserve"
id="2">Request</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="36"
x="136"
xml:space="preserve"
id="3">service directly</text>
<path
d="m 1.85,14.45 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="4"
inkscape:connector-curvature="0" />
<path
d="m 1.85,43.25 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="5"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="25.6"
x="24.799999"
xml:space="preserve"
id="6">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="37.599998"
x="8.8000002"
xml:space="preserve"
id="7">Component</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="53.599998"
x="79.199997"
xml:space="preserve"
id="8">305 </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="53.599998"
x="96"
xml:space="preserve"
id="9">Use proxy to </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="63.200001"
x="79.199997"
xml:space="preserve"
id="10">redirect to Auth</text>
<path
d="M 64.25,72.05 C 83.45,33.65 87.8,15.9 75.1,6.45 67.75,1 54.85,-1.65 42.3,7.85"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="11"
inkscape:connector-curvature="0" />
<path
d="m 45.35,9.75 -9.9,4.7 5.1,-9.65 4.8,4.95 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="12"
inkscape:connector-curvature="0" />
<path
d="m 154.25,14.45 c 0,0 -4.85,0.5 -9.45,0.95 -7,0.7 -13.45,1.2 -17.85,5.1 -2.95,2.65 -5.05,6.8 -3.6,10.1 2.65,6.1 17.05,9.3 23.85,14 5,3.45 5.95,7.65 4.9,11.1 -1.9,6.35 -10.5,10 -23.85,16.2 -8.35,3.9 -18.6,8.85 -26.1,11.85"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="M 104,86.8 93.05,86.45 102,80.2 l 2,6.6 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="14"
inkscape:connector-curvature="0" />
<path
d="m 25.85,72.05 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="15"
inkscape:connector-curvature="0" />
<path
d="m 25.85,100.85 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="16"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="83.199997"
x="34.400002"
xml:space="preserve"
id="17">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="95.199997"
x="42.400002"
xml:space="preserve"
id="18">Service</text>
</g>
</g>
</svg>
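Review bot: sodipodi:docname="proxyAuth.svg" in the root element does not match the committed file name docs/source/images/305.svg, and the group and text elements carry numeric ids (id="1" on the inner <g>, id="2" through id="18" on the shapes and labels), which are not valid XML ID values: an ID must be an NCName and cannot start with a digit, so strict SVG/XML validators will reject them. Saving from Inkscape as "Plain SVG" would drop the editor-only inkscape:/sodipodi: attributes (window size and position, zoom, current layer, page shadow) that serve no purpose in a documentation image and would shrink the file; the numeric ids still need renaming by hand, e.g. id="g1", id="t2".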


@ -0,0 +1,174 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="131.44359"
height="154.62857"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="New document 1">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="111.31439"
inkscape:cy="-34.431283"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-263.68561,-343.30233)">
<g
id="1"
transform="translate(262.49833,342.08712)">
<path
d="m 1.85,49.6 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m 1.85,78.4 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="60.799999"
x="24.799999"
xml:space="preserve"
id="4">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="72.800003"
x="8.8000002"
xml:space="preserve"
id="5">Component</text>
<path
d="m 1.85,126.4 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="6"
inkscape:connector-curvature="0" />
<path
d="m 1.85,155.2 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="7"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="137.60001"
x="10.4"
xml:space="preserve"
id="8">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="149.60001"
x="18.4"
xml:space="preserve"
id="9">Service</text>
<path
d="m 35.45,78.4 0,38.5"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<path
d="M 38.9,116.05 35.45,126.4 32,116.05 l 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="11"
inkscape:connector-curvature="0" />
<path
d="m 16.25,1.6 15.7,39.2"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="12"
inkscape:connector-curvature="0" />
<path
d="M 34.8,38.7 35.45,49.6 28.4,41.25 34.8,38.7 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="M 41.05,49.6 56.75,10.45"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="14"
inkscape:connector-curvature="0" />
<path
d="M 53.2,9.95 60.25,1.6 59.6,12.5 53.2,9.95 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="15"
inkscape:connector-curvature="0" />
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="18.4"
x="69.599998"
xml:space="preserve"
id="16">Reject</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="28.799999"
x="69.599998"
xml:space="preserve"
id="17">unauthenticated</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="39.200001"
x="69.599998"
xml:space="preserve"
id="18">requests</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="95.199997"
x="52"
xml:space="preserve"
id="19">Forward</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="105.6"
x="52"
xml:space="preserve"
id="20">authenticated</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="116"
x="52"
xml:space="preserve"
id="21">requests</text>
</g>
</g>
</svg>
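Review bot: sodipodi:docname="New document 1" is the editor's unsaved-document placeholder rather than this file's name, and the same numeric id scheme (id="1" to id="21") as the other Inkscape export applies here, so the same Plain SVG export and id rename are needed. The empty <dc:title></dc:title> is also worth filling (this figure shows the auth component in front of the service, rejecting unauthenticated requests and forwarding authenticated ones), since the title is what screen readers and image indexers pick up from an SVG.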

docs/source/images/both.svg Normal file

@ -0,0 +1,135 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="68.500092"
height="110.50006"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="mapper.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="34.262561"
inkscape:cy="55.237534"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-340.73745,-315.32253)">
<g
id="1"
transform="translate(339.55001,314.13506)">
<path
d="m 1.85,1.85 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m 1.85,30.65 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="13.6"
x="24.799999"
xml:space="preserve"
id="4">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="24.799999"
x="8.8000002"
xml:space="preserve"
id="5">Component</text>
<path
d="m 1.85,81.05 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#a6a6a6;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="6"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#bfbfbf;font-family:Arial"
y="64"
x="24.799999"
xml:space="preserve"
id="7">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#bfbfbf;font-family:Arial"
y="75.199997"
x="8.8000002"
xml:space="preserve"
id="8">Component</text>
<path
d="m 1.85,82.25 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="9"
inkscape:connector-curvature="0" />
<path
d="m 1.85,111.05 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="93.599998"
x="10.4"
xml:space="preserve"
id="11">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="105.6"
x="18.4"
xml:space="preserve"
id="12">Service</text>
<path
d="m 35.45,30.65 0,40.9"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="M 38.9,70.7 35.45,81.05 32,70.7 l 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="14"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>
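Review bot: sodipodi:docname="mapper.svg" does not match the committed file name docs/source/images/both.svg, and <dc:title> is empty. The greyed-out second "Auth Component" box (stroke #a6a6a6, text fill #bfbfbf, ids 6 to 8) sits directly on top of the "OpenStack Service" box, which reads as "auth component folded into the service" only if the reader already knows the surrounding text; a one-line dc:title stating that would remove the ambiguity and also gives the file a meaningful name when it is viewed on its own.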


@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Handle305 Pages: 1 -->
<svg width="310pt" height="208pt"
viewBox="0.00 0.00 310.00 208.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 204)">
<title>Handle305</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-204 307,-204 307,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="98,-146 0,-146 0,-106 98,-106 98,-146"/>
<text text-anchor="middle" x="49" y="-129.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="49" y="-113.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Service -->
<g id="node4" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="119,-40 25,-40 25,-0 119,-0 119,-40"/>
<text text-anchor="middle" x="72" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="72" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<!-- Service&#45;&gt;AuthComp -->
<g id="edge5" class="edge"><title>Service:n&#45;&gt;AuthComp:n</title>
<path fill="none" stroke="black" d="M72,-40C72,-62.2222 76.6172,-67.8558 86,-88 90.0596,-96.7157 95.2138,-96.7977 98,-106 103.152,-123.015 110.312,-133.175 98,-146 92.6344,-151.589 70.1318,-155.75 57.5709,-153.773"/>
<polygon fill="black" stroke="black" points="59.2494,-150.684 49,-148 55.3388,-156.489 59.2494,-150.684"/>
<text text-anchor="middle" x="144" y="-75.4" font-family="Times,serif" font-size="14.00">305 Use Proxy</text>
<text text-anchor="middle" x="144" y="-60.4" font-family="Times,serif" font-size="14.00">To Redirect to Auth</text>
</g>
<!-- Start -->
<!-- Start&#45;&gt;Service -->
<g id="edge7" class="edge"><title>Start:sw&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M216,-164C182.398,-130.398 232.934,-94.0727 202,-58 192.167,-46.5338 159.461,-37.0056 129.317,-30.3582"/>
<polygon fill="black" stroke="black" points="129.738,-26.8696 119.229,-28.2156 128.284,-33.7169 129.738,-26.8696"/>
<text text-anchor="middle" x="255.5" y="-128.4" font-family="Times,serif" font-size="14.00">Request</text>
<text text-anchor="middle" x="255.5" y="-113.4" font-family="Times,serif" font-size="14.00">Service Directly</text>
</g>
</g>
</svg>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: AuthComp Pages: 1 -->
<svg width="510pt" height="118pt"
viewBox="0.00 0.00 510.00 118.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 114)">
<title>AuthComp</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-114 507,-114 507,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="292,-65 194,-65 194,-25 292,-25 292,-65"/>
<text text-anchor="middle" x="243" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="243" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Reject -->
<!-- AuthComp&#45;&gt;Reject -->
<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Reject</title>
<path fill="none" stroke="black" d="M193.933,-51.2787C157.514,-55.939 108.38,-62.2263 73.8172,-66.649"/>
<polygon fill="black" stroke="black" points="73.0637,-63.2168 63.5888,-67.9578 73.9522,-70.1602 73.0637,-63.2168"/>
<text text-anchor="middle" x="129" y="-97.4" font-family="Times,serif" font-size="14.00">Reject</text>
<text text-anchor="middle" x="129" y="-82.4" font-family="Times,serif" font-size="14.00">Unauthenticated</text>
<text text-anchor="middle" x="129" y="-67.4" font-family="Times,serif" font-size="14.00">Requests</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="502,-65 408,-65 408,-25 502,-25 502,-65"/>
<text text-anchor="middle" x="455" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="455" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M292.17,-45C323.626,-45 364.563,-45 397.52,-45"/>
<polygon fill="black" stroke="black" points="397.917,-48.5001 407.917,-45 397.917,-41.5001 397.917,-48.5001"/>
<text text-anchor="middle" x="350" y="-77.4" font-family="Times,serif" font-size="14.00">Forward</text>
<text text-anchor="middle" x="350" y="-62.4" font-family="Times,serif" font-size="14.00">Authenticated</text>
<text text-anchor="middle" x="350" y="-47.4" font-family="Times,serif" font-size="14.00">Requests</text>
</g>
<!-- Start -->
<!-- Start&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M59.1526,-21.4745C90.4482,-25.4792 142.816,-32.1802 183.673,-37.4084"/>
<polygon fill="black" stroke="black" points="183.43,-40.9057 193.793,-38.7034 184.318,-33.9623 183.43,-40.9057"/>
</g>
</g>
</svg>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: AuthCompDelegate Pages: 1 -->
<svg width="588pt" height="104pt"
viewBox="0.00 0.00 588.00 104.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 100)">
<title>AuthCompDelegate</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-100 585,-100 585,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="338,-65 240,-65 240,-25 338,-25 338,-65"/>
<text text-anchor="middle" x="289" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="289" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Reject -->
<!-- AuthComp&#45;&gt;Reject -->
<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Reject</title>
<path fill="none" stroke="black" d="M239.6,-50.1899C191.406,-55.2531 118.917,-62.8686 73.5875,-67.6309"/>
<polygon fill="black" stroke="black" points="73.0928,-64.1635 63.5132,-68.6893 73.8242,-71.1252 73.0928,-64.1635"/>
<text text-anchor="middle" x="152" y="-83.4" font-family="Times,serif" font-size="14.00">Reject Requests</text>
<text text-anchor="middle" x="152" y="-68.4" font-family="Times,serif" font-size="14.00">Indicated by the Service</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="580,-65 486,-65 486,-25 580,-25 580,-65"/>
<text text-anchor="middle" x="533" y="-48.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="533" y="-32.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M338.009,-49.0804C344.065,-49.4598 350.172,-49.7828 356,-50 405.743,-51.8535 418.259,-51.9103 468,-50 470.523,-49.9031 473.101,-49.7851 475.704,-49.6504"/>
<polygon fill="black" stroke="black" points="476.03,-53.1374 485.807,-49.0576 475.62,-46.1494 476.03,-53.1374"/>
<text text-anchor="middle" x="412" y="-68.4" font-family="Times,serif" font-size="14.00">Forward Requests</text>
<text text-anchor="middle" x="412" y="-53.4" font-family="Times,serif" font-size="14.00">with Identiy Status</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M495.062,-24.9037C486.397,-21.2187 477.064,-17.9304 468,-16 419.314,-5.63183 404.743,-5.9037 356,-16 349.891,-17.2653 343.655,-19.116 337.566,-21.2803"/>
<polygon fill="black" stroke="black" points="336.234,-18.0426 328.158,-24.9003 338.748,-24.5757 336.234,-18.0426"/>
<text text-anchor="middle" x="412" y="-33.4" font-family="Times,serif" font-size="14.00">Send Response OR</text>
<text text-anchor="middle" x="412" y="-18.4" font-family="Times,serif" font-size="14.00">Reject Message</text>
</g>
<!-- Start -->
<!-- Start&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M59.0178,-20.8384C99.2135,-25.0613 175.782,-33.1055 229.492,-38.7482"/>
<polygon fill="black" stroke="black" points="229.265,-42.2435 239.576,-39.8076 229.997,-35.2818 229.265,-42.2435"/>
</g>
</g>
</svg>
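Review bot: the label on the AuthComp->Service edge reads "with Identiy Status"; it should be "Identity". Because the header comment says these files are generated by graphviz, the fix belongs in the .dot source followed by a regenerate rather than a hand edit of the SVG, and committing the .dot sources next to the images would let the next person make such corrections without redrawing anything.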


@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Both Pages: 1 -->
<svg width="116pt" height="180pt"
viewBox="0.00 0.00 116.00 180.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 176)">
<title>Both</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-176 113,-176 113,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="104,-172 6,-172 6,-132 104,-132 104,-172"/>
<text text-anchor="middle" x="55" y="-155.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="55" y="-139.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Together -->
<g id="node4" class="node"><title>Together</title>
<polygon fill="white" stroke="white" points="108,-95.5 0,-95.5 0,-0.5 108,-0.5 108,-95.5"/>
<polygon fill="white" stroke="white" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<polygon fill="none" stroke="#c00000" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<text text-anchor="start" x="38" y="-75.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="start" x="13.5" y="-58.4333" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
<polygon fill="#d1ebf1" stroke="#d1ebf1" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<polygon fill="none" stroke="#1f477d" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<text text-anchor="start" x="15.5" y="-31.7333" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="start" x="28" y="-14.9333" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Together -->
<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Together:OStack:n</title>
<path fill="none" stroke="black" d="M55,-131.871C55,-113.129 55,-84.1127 55,-57.1901"/>
<polygon fill="black" stroke="black" points="58.5001,-57 55,-47 51.5001,-57 58.5001,-57"/>
</g>
</g>
</svg>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateAcceptAuth Pages: 1 -->
<svg width="656pt" height="81pt"
viewBox="0.00 0.00 656.00 81.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 77.234)">
<title>DelegateAcceptAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-77.234 653,-77.234 653,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge9" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="648,-48.234 554,-48.234 554,-8.23398 648,-8.23398 648,-48.234"/>
<text text-anchor="middle" x="601" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="601" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.194,-28.234C401.691,-28.234 487.101,-28.234 543.616,-28.234"/>
<polygon fill="black" stroke="black" points="543.818,-31.7341 553.818,-28.234 543.818,-24.7341 543.818,-31.7341"/>
<text text-anchor="middle" x="451" y="-60.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="451" y="-45.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="451" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M553.774,-12.7435C547.845,-11.2995 541.819,-10.067 536,-9.23398 461.207,1.47328 440.836,1.17187 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
<text text-anchor="middle" x="451" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
</g>
</svg>
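Review bot: both response labels read "200 Okay"; the HTTP reason phrase is "200 OK", and since this is a generated figure the wording should be corrected in the .dot source. The header labels themselves are consistent with the delegated flow the figure describes: "Authorization: Basic VTpQ" decodes to U:P (the client's credential, sent to the auth component), while the auth component sends the service its own credential "Basic dTpw" (u:p) together with "X-Authorization: Proxy U" and "X-Identity-Status: Confirmed", so the service never sees the client's password. That property is the whole point of the proxy pattern and deserves a sentence in the text that references this figure.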


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateRejectForbidden Pages: 1 -->
<svg width="670pt" height="102pt"
viewBox="0.00 0.00 670.00 101.64" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 97.6355)">
<title>DelegateRejectForbidden</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-97.6355 667,-97.6355 667,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-61.6355 250,-61.6355 250,-21.6355 348,-21.6355 348,-61.6355"/>
<text text-anchor="middle" x="299" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-41.6355C97.1107,-41.6355 182.142,-41.6355 239.791,-41.6355"/>
<polygon fill="black" stroke="black" points="239.864,-45.1356 249.863,-41.6355 239.863,-38.1356 239.864,-45.1356"/>
<text text-anchor="middle" x="152" y="-44.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-26.0577C243.944,-24.6511 237.868,-23.4514 232,-22.6355 161.567,-12.8417 141.697,-8.52478 72,-22.6355 69.1948,-23.2034 66.3471,-23.9518 63.5169,-24.8233"/>
<polygon fill="black" stroke="black" points="62.3066,-21.5388 54.0489,-28.1766 64.6436,-28.1372 62.3066,-21.5388"/>
<text text-anchor="middle" x="152" y="-25.0355" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-61.6355 568,-61.6355 568,-21.6355 662,-21.6355 662,-61.6355"/>
<text text-anchor="middle" x="615" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="615" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.009,-45.7159C354.065,-46.0953 360.172,-46.4183 366,-46.6355 447.721,-49.6805 468.282,-49.7738 550,-46.6355 552.523,-46.5386 555.101,-46.4206 557.704,-46.2859"/>
<polygon fill="black" stroke="black" points="558.03,-49.7729 567.807,-45.6931 557.62,-42.7849 558.03,-49.7729"/>
<text text-anchor="middle" x="458" y="-81.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="458" y="-66.0355" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="458" y="-51.0355" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M577.062,-21.5392C568.397,-17.8542 559.064,-14.5658 550,-12.6355 470.016,4.39794 446.078,3.95128 366,-12.6355 359.891,-13.9008 353.655,-15.7515 347.566,-17.9158"/>
<polygon fill="black" stroke="black" points="346.234,-14.6781 338.158,-21.5358 348.748,-21.2112 346.234,-14.6781"/>
<text text-anchor="middle" x="458" y="-30.0355" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
<text text-anchor="middle" x="458" y="-15.0355" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
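
Review bot: on the AuthComp->Start edge the client is shown only "403 Forbidden", while the Service->AuthComp edge carries "403 Forbidden" plus "WWW-Authenticate: Delegated"; the prose that embeds this diagram should state that the auth component consumes the "Delegated" challenge and does not relay it to the client, if that is the intent, since the diagram alone does not say whether the header is stripped or forwarded.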


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateForbiddnProxy Pages: 1 -->
<svg width="656pt" height="81pt"
viewBox="0.00 0.00 656.00 81.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 77.234)">
<title>DelegateForbiddnProxy</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-77.234 653,-77.234 653,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="648,-48.234 554,-48.234 554,-8.23398 648,-8.23398 648,-48.234"/>
<text text-anchor="middle" x="601" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="601" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.194,-28.234C401.691,-28.234 487.101,-28.234 543.616,-28.234"/>
<polygon fill="black" stroke="black" points="543.818,-31.7341 553.818,-28.234 543.818,-24.7341 543.818,-31.7341"/>
<text text-anchor="middle" x="451" y="-60.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="451" y="-45.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="451" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M553.774,-12.7435C547.845,-11.2995 541.819,-10.067 536,-9.23398 461.207,1.47328 440.836,1.17187 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
<text text-anchor="middle" x="451" y="-11.634" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
</g>
</g>
</svg>
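
Review bot: the Title comment and the <title> element both spell the graph name "DelegateForbiddnProxy" (missing the "e" in "Forbidden"); fix it in the graphviz source so the generated id carries the intended name. Separately, this diagram maps the service's bare "403 Forbidden" (no "WWW-Authenticate: Delegated") on the Service->AuthComp edge to a "500 Internal Error" on the AuthComp->Start edge; the surrounding text should say explicitly that a 403 without the Delegated header, on a request the auth component had already marked "X-Identity-Status: Confirmed", is treated as a service-side error rather than passed through.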


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateRejectAuthBasic Pages: 1 -->
<svg width="670pt" height="113pt"
viewBox="0.00 0.00 670.00 112.84" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 108.841)">
<title>DelegateRejectAuthBasic</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-108.841 667,-108.841 667,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="346,-72.8409 248,-72.8409 248,-32.8409 346,-32.8409 346,-72.8409"/>
<text text-anchor="middle" x="297" y="-56.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="297" y="-40.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.3777,-61.3549C60.1429,-62.8044 66.2278,-64.0845 72,-64.8409 141.627,-73.9651 160.053,-71.0554 230,-64.8409 232.523,-64.6168 235.094,-64.346 237.686,-64.038"/>
<polygon fill="black" stroke="black" points="238.294,-67.4878 247.737,-62.6852 237.36,-60.5504 238.294,-67.4878"/>
<text text-anchor="middle" x="151" y="-72.2409" font-family="Times,serif" font-size="14.00">Authorization: Basic Yjpw</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M268.012,-32.6508C256.688,-25.9141 243.253,-19.2572 230,-15.8409 162.001,1.68741 138.106,7.84667 72,-15.8409 64.6685,-18.468 57.6762,-22.8621 51.4824,-27.7226"/>
<polygon fill="black" stroke="black" points="48.8781,-25.3457 43.5743,-34.5174 53.44,-30.655 48.8781,-25.3457"/>
<text text-anchor="middle" x="151" y="-48.2409" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="151" y="-33.2409" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Basic</text>
<text text-anchor="middle" x="151" y="-18.2409" font-family="Times,serif" font-size="14.00">Realm=&quot;API Realm&quot;</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-72.8409 568,-72.8409 568,-32.8409 662,-32.8409 662,-72.8409"/>
<text text-anchor="middle" x="615" y="-56.2409" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="615" y="-40.2409" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M346.009,-56.9214C352.065,-57.3007 358.172,-57.6238 364,-57.8409 446.609,-60.9191 467.394,-61.0134 550,-57.8409 552.523,-57.744 555.101,-57.626 557.704,-57.4913"/>
<polygon fill="black" stroke="black" points="558.03,-60.9783 567.807,-56.8985 557.62,-53.9903 558.03,-60.9783"/>
<text text-anchor="middle" x="457" y="-92.2409" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="457" y="-77.2409" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy b</text>
<text text-anchor="middle" x="457" y="-62.2409" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Indeterminate</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M577.062,-32.7447C568.397,-29.0597 559.064,-25.7713 550,-23.8409 469.146,-6.62237 444.948,-7.07388 364,-23.8409 357.891,-25.1063 351.655,-26.957 345.566,-29.1213"/>
<polygon fill="black" stroke="black" points="344.234,-25.8836 336.158,-32.7413 346.748,-32.4166 344.234,-25.8836"/>
<text text-anchor="middle" x="457" y="-41.2409" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="457" y="-26.2409" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
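
Review bot: on the AuthComp->Service edge the request carries "X-Authorization: Proxy b" together with "X-Identity-Status: Indeterminate", i.e. the username from the client's unverified "Authorization: Basic Yjpw" (b:p) is forwarded before it has been authenticated; the text around this diagram should make explicit that a service may trust the Proxy value only when X-Identity-Status is "Confirmed", otherwise a service that keys on X-Authorization alone would grant access to an unauthenticated identity.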


@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateRejectAuthOAuth Pages: 1 -->
<svg width="722pt" height="128pt"
viewBox="0.00 0.00 722.00 127.50" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 123.504)">
<title>DelegateRejectAuthOAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-123.504 719,-123.504 719,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="398,-87.504 300,-87.504 300,-47.504 398,-47.504 398,-87.504"/>
<text text-anchor="middle" x="349" y="-70.904" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="349" y="-54.904" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.4752,-81.8682C60.1286,-84.2034 66.1458,-86.2617 72,-87.504 163.3,-106.879 189.647,-100.994 282,-87.504 284.667,-87.1144 287.375,-86.642 290.098,-86.104"/>
<polygon fill="black" stroke="black" points="290.972,-89.4951 299.969,-83.9 289.446,-82.6633 290.972,-89.4951"/>
<text text-anchor="middle" x="177" y="-101.904" font-family="Times,serif" font-size="14.00">Authorization: OAuth 000&#45;999&#45;222</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M325.91,-47.4946C313.721,-38.2548 297.999,-28.2878 282,-23.504 192.578,3.23327 158.428,11.7282 72,-23.504 62.489,-27.3811 53.8955,-34.3434 46.8279,-41.6023"/>
<polygon fill="black" stroke="black" points="43.8515,-39.6795 39.7866,-49.4636 49.0657,-44.3499 43.8515,-39.6795"/>
<text text-anchor="middle" x="177" y="-70.904" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="177" y="-55.904" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: OAuth</text>
<text text-anchor="middle" x="177" y="-40.904" font-family="Times,serif" font-size="14.00">Realm=API Realm,</text>
<text text-anchor="middle" x="177" y="-25.904" font-family="Times,serif" font-size="14.00">Error=invalid&#45;token</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="714,-87.504 620,-87.504 620,-47.504 714,-47.504 714,-87.504"/>
<text text-anchor="middle" x="667" y="-70.904" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="667" y="-54.904" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M398.009,-71.5844C404.065,-71.9638 410.172,-72.2868 416,-72.504 498.609,-75.5822 519.394,-75.6765 602,-72.504 604.523,-72.4071 607.101,-72.2891 609.704,-72.1544"/>
<polygon fill="black" stroke="black" points="610.03,-75.6414 619.807,-71.5616 609.62,-68.6534 610.03,-75.6414"/>
<text text-anchor="middle" x="509" y="-106.904" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="509" y="-91.904" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy</text>
<text text-anchor="middle" x="509" y="-76.904" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Indeterminate</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M629.062,-47.4077C620.397,-43.7227 611.064,-40.4344 602,-38.504 521.146,-21.2854 496.948,-21.7369 416,-38.504 409.891,-39.7693 403.655,-41.62 397.566,-43.7843"/>
<polygon fill="black" stroke="black" points="396.234,-40.5466 388.158,-47.4043 398.748,-47.0797 396.234,-40.5466"/>
<text text-anchor="middle" x="509" y="-55.904" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="509" y="-40.904" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
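
Review bot: the AuthComp->Service edge here sends "X-Authorization: Proxy" with no user value, whereas the Basic variant of the same Indeterminate flow forwards "X-Authorization: Proxy b"; pick one behaviour (empty, or the unverified principal) for both diagrams and document it. Also, the challenge on the AuthComp->Start edge, "WWW-Authenticate: OAuth Realm=API Realm, Error=invalid-token", leaves a realm containing a space unquoted while the Basic diagram writes Realm="API Realm"; an auth-param value with a space must be a quoted-string, so quote it here too.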


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: DelegateUnimplemented Pages: 1 -->
<svg width="670pt" height="102pt"
viewBox="0.00 0.00 670.00 101.64" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 97.6355)">
<title>DelegateUnimplemented</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-97.6355 667,-97.6355 667,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-61.6355 250,-61.6355 250,-21.6355 348,-21.6355 348,-61.6355"/>
<text text-anchor="middle" x="299" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-41.6355C97.1107,-41.6355 182.142,-41.6355 239.791,-41.6355"/>
<polygon fill="black" stroke="black" points="239.864,-45.1356 249.863,-41.6355 239.863,-38.1356 239.864,-45.1356"/>
<text text-anchor="middle" x="152" y="-44.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-26.0577C243.944,-24.6511 237.868,-23.4514 232,-22.6355 161.567,-12.8417 141.697,-8.52478 72,-22.6355 69.1948,-23.2034 66.3471,-23.9518 63.5169,-24.8233"/>
<polygon fill="black" stroke="black" points="62.3066,-21.5388 54.0489,-28.1766 64.6436,-28.1372 62.3066,-21.5388"/>
<text text-anchor="middle" x="152" y="-25.0355" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
</g>
<!-- Service -->
<g id="node7" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="662,-61.6355 568,-61.6355 568,-21.6355 662,-21.6355 662,-61.6355"/>
<text text-anchor="middle" x="615" y="-45.0355" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="615" y="-29.0355" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge7" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.009,-45.7159C354.065,-46.0953 360.172,-46.4183 366,-46.6355 447.721,-49.6805 468.282,-49.7738 550,-46.6355 552.523,-46.5386 555.101,-46.4206 557.704,-46.2859"/>
<polygon fill="black" stroke="black" points="558.03,-49.7729 567.807,-45.6931 557.62,-42.7849 558.03,-49.7729"/>
<text text-anchor="middle" x="458" y="-81.0355" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="458" y="-66.0355" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
<text text-anchor="middle" x="458" y="-51.0355" font-family="Times,serif" font-size="14.00">X&#45;Identity&#45;Status: Confirmed</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge9" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M577.062,-21.5392C568.397,-17.8542 559.064,-14.5658 550,-12.6355 470.016,4.39794 446.078,3.95128 366,-12.6355 359.891,-13.9008 353.655,-15.7515 347.566,-17.9158"/>
<polygon fill="black" stroke="black" points="346.234,-14.6781 338.158,-21.5358 348.748,-21.2112 346.234,-14.6781"/>
<text text-anchor="middle" x="458" y="-30.0355" font-family="Times,serif" font-size="14.00">501 Unimplemented</text>
<text text-anchor="middle" x="458" y="-15.0355" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Delegated</text>
</g>
</g>
</svg>
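
Review bot: the status labels on the Service->AuthComp and AuthComp->Start edges use non-standard reason phrases, "501 Unimplemented" and "500 Internal Error"; the HTTP/1.1 phrases are "501 Not Implemented" and "500 Internal Server Error", and since the same "500 Internal Error" label recurs in the other diagrams in this commit it is worth fixing once in the graphviz source.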


@ -0,0 +1,73 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Mapper Pages: 1 -->
<svg width="174pt" height="264pt"
viewBox="0.00 0.00 174.00 264.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 260)">
<title>Mapper</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-260 171,-260 171,5 -4,5"/>
<!-- Start -->
<!-- Mapper -->
<g id="node4" class="node"><title>Mapper</title>
<polygon fill="#ebf1de" stroke="#687b37" points="119,-184 49,-184 49,-148 119,-148 119,-184"/>
<text text-anchor="middle" x="84" y="-161.4" font-family="Helvetica,sans-Serif" font-size="14.00">Mapper</text>
</g>
<!-- Start&#45;&gt;Mapper -->
<g id="edge3" class="edge"><title>Start&#45;&gt;Mapper</title>
<path fill="none" stroke="black" d="M84,-219.831C84,-212.131 84,-202.974 84,-194.417"/>
<polygon fill="black" stroke="black" points="87.5001,-194.413 84,-184.413 80.5001,-194.413 87.5001,-194.413"/>
</g>
<!-- Auths -->
<g id="node6" class="node"><title>Auths</title>
<polygon fill="white" stroke="white" points="166,-112 0,-112 0,-76 166,-76 166,-112"/>
<polygon fill="#fdefe3" stroke="#fdefe3" points="8,-81 8,-106 59,-106 59,-81 8,-81"/>
<polygon fill="none" stroke="#c00000" points="8,-81 8,-106 59,-106 59,-81 8,-81"/>
<text text-anchor="start" x="13.5" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth1</text>
<polygon fill="#fdefe3" stroke="#fdefe3" points="59,-81 59,-106 109,-106 109,-81 59,-81"/>
<polygon fill="none" stroke="#c00000" points="59,-81 59,-106 109,-106 109,-81 59,-81"/>
<text text-anchor="start" x="64" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth2</text>
<polygon fill="#fdefe3" stroke="#fdefe3" points="109,-81 109,-106 159,-106 159,-81 109,-81"/>
<polygon fill="none" stroke="#c00000" points="109,-81 109,-106 159,-106 159,-81 109,-81"/>
<text text-anchor="start" x="114" y="-90.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth3</text>
</g>
<!-- Mapper&#45;&gt;Auths -->
<g id="edge5" class="edge"><title>Mapper:sw&#45;&gt;Auths:auth1</title>
<path fill="none" stroke="black" d="M49,-148C37.5237,-136.524 34.1339,-129.157 33.2662,-116.083"/>
<polygon fill="black" stroke="black" points="36.7628,-115.904 33,-106 29.7652,-116.089 36.7628,-115.904"/>
</g>
<!-- Mapper&#45;&gt;Auths -->
<g id="edge7" class="edge"><title>Mapper:s&#45;&gt;Auths:auth2</title>
<path fill="none" stroke="black" d="M84,-148C84,-133.271 84,-127.258 84,-116.207"/>
<polygon fill="black" stroke="black" points="87.5001,-116 84,-106 80.5001,-116 87.5001,-116"/>
</g>
<!-- Mapper&#45;&gt;Auths -->
<g id="edge9" class="edge"><title>Mapper:se&#45;&gt;Auths:auth3</title>
<path fill="none" stroke="black" d="M119,-148C130.388,-136.612 133.173,-129.088 133.817,-116.035"/>
<polygon fill="black" stroke="black" points="137.317,-116.062 134,-106 130.318,-115.934 137.317,-116.062"/>
</g>
<!-- Service -->
<g id="node10" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="131,-40 37,-40 37,-0 131,-0 131,-40"/>
<text text-anchor="middle" x="84" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="84" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- Auths&#45;&gt;Service -->
<g id="edge11" class="edge"><title>Auths:auth1&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M33,-81C33,-68.2561 39.6326,-56.7707 48.1141,-47.2933"/>
<polygon fill="black" stroke="black" points="50.6575,-49.6992 55.221,-40.1376 45.6908,-44.7664 50.6575,-49.6992"/>
</g>
<!-- Auths&#45;&gt;Service -->
<g id="edge13" class="edge"><title>Auths:auth2&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M84,-81C84,-70.9674 84,-60.0066 84,-50.1784"/>
<polygon fill="black" stroke="black" points="87.5001,-50.0559 84,-40.056 80.5001,-50.056 87.5001,-50.0559"/>
</g>
<!-- Auths&#45;&gt;Service -->
<g id="edge15" class="edge"><title>Auths:auth3&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M134,-81C134,-68.4835 127.626,-57.1283 119.429,-47.7009"/>
<polygon fill="black" stroke="black" points="121.686,-45.0006 112.215,-40.2521 116.658,-49.8705 121.686,-45.0006"/>
</g>
</g>
</svg>


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: ProxyAuth Pages: 1 -->
<svg width="644pt" height="74pt"
viewBox="0.00 0.00 644.00 73.70" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 69.7025)">
<title>ProxyAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-69.7025 641,-69.7025 641,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-55.7025 250,-55.7025 250,-15.7025 348,-15.7025 348,-55.7025"/>
<text text-anchor="middle" x="299" y="-39.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-23.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-35.7025C97.1107,-35.7025 182.142,-35.7025 239.791,-35.7025"/>
<polygon fill="black" stroke="black" points="239.864,-39.2026 249.863,-35.7025 239.863,-32.2026 239.864,-39.2026"/>
<text text-anchor="middle" x="152" y="-38.1025" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge9" class="edge"><title>AuthComp:w&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M250,-35.7025C238.368,-35.7025 242.686,-21.2988 232,-16.7025 166.676,11.3956 141.697,-2.59182 72,-16.7025 69.1948,-17.2705 66.3471,-18.0189 63.5169,-18.8903"/>
<polygon fill="black" stroke="black" points="62.3066,-15.6059 54.0489,-22.2437 64.6436,-22.2043 62.3066,-15.6059"/>
<text text-anchor="middle" x="152" y="-19.1025" font-family="Times,serif" font-size="14.00">500 Internal Error</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="636,-55.7025 542,-55.7025 542,-15.7025 636,-15.7025 636,-55.7025"/>
<text text-anchor="middle" x="589" y="-39.1025" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="589" y="-23.1025" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.195,-35.7025C399.052,-35.7025 478.372,-35.7025 531.947,-35.7025"/>
<polygon fill="black" stroke="black" points="531.971,-39.2026 541.971,-35.7025 531.971,-32.2026 531.971,-39.2026"/>
<text text-anchor="middle" x="445" y="-53.1025" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="445" y="-38.1025" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service:w&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M542,-35.7025C530.368,-35.7025 534.686,-21.2988 524,-16.7025 459.492,11.0444 435.553,-7.03121 366,-16.7025 363.341,-17.0723 360.639,-17.5208 357.922,-18.0316"/>
<polygon fill="black" stroke="black" points="357.121,-14.6237 348.066,-20.1248 358.575,-21.471 357.121,-14.6237"/>
<text text-anchor="middle" x="445" y="-19.1025" font-family="Times,serif" font-size="14.00">403 Forbidden</text>
</g>
</g>
</svg>
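
Review bot: the request on the AuthComp->Service edge carries "Authorization: Basic dTpw" and "X-Authorization: Proxy U" but no "X-Identity-Status" header, unlike the delegated diagrams, and the service's "403 Forbidden" is turned into a "500 Internal Error" for the client; if the absence of X-Identity-Status is what marks a plain proxied request (one the service is not expected to answer with an authorization challenge), the text should say so, because the diagram alone does not explain why a 403 becomes a 500.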


@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Seperate Pages: 1 -->
<svg width="106pt" height="124pt"
viewBox="0.00 0.00 106.00 124.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 120)">
<title>Seperate</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-120 103,-120 103,5 -4,5"/>
<!-- AuthComp -->
<g id="node2" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="98,-116 0,-116 0,-76 98,-76 98,-116"/>
<text text-anchor="middle" x="49" y="-99.4" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="49" y="-83.4" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Service -->
<g id="node4" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="96,-40 2,-40 2,-0 96,-0 96,-40"/>
<text text-anchor="middle" x="49" y="-23.4" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="49" y="-7.4" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge3" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M49,-75.6334C49,-67.8186 49,-58.7253 49,-50.183"/>
<polygon fill="black" stroke="black" points="52.5001,-50.1593 49,-40.1593 45.5001,-50.1593 52.5001,-50.1593"/>
</g>
</g>
</svg>
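
Review bot: the graph name is misspelled "Seperate" in both the Title comment and the <title> element; correct it to "Separate" in the graphviz source, since the <title> element is the diagram's accessible name.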


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: StandardAcceptAuth Pages: 1 -->
<svg width="644pt" height="66pt"
viewBox="0.00 0.00 644.00 66.23" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 62.234)">
<title>StandardAcceptAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-62.234 641,-62.234 641,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="348,-48.234 250,-48.234 250,-8.23398 348,-8.23398 348,-48.234"/>
<text text-anchor="middle" x="299" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="299" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.0748,-28.234C97.1107,-28.234 182.142,-28.234 239.791,-28.234"/>
<polygon fill="black" stroke="black" points="239.864,-31.7341 249.863,-28.234 239.863,-24.7341 239.864,-31.7341"/>
<text text-anchor="middle" x="152" y="-30.634" font-family="Times,serif" font-size="14.00">Authorization: Basic VTpQ</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge9" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M249.934,-12.6562C243.944,-11.2496 237.868,-10.0499 232,-9.23398 161.567,0.55976 141.697,4.87673 72,-9.23398 69.1948,-9.80192 66.3471,-10.5503 63.5169,-11.4218"/>
<polygon fill="black" stroke="black" points="62.3066,-8.13733 54.0489,-14.7751 64.6436,-14.7357 62.3066,-8.13733"/>
<text text-anchor="middle" x="152" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
<!-- Service -->
<g id="node6" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="636,-48.234 542,-48.234 542,-8.23398 636,-8.23398 636,-48.234"/>
<text text-anchor="middle" x="589" y="-31.634" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="589" y="-15.634" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Service</title>
<path fill="none" stroke="black" d="M348.195,-28.234C399.052,-28.234 478.372,-28.234 531.947,-28.234"/>
<polygon fill="black" stroke="black" points="531.971,-31.7341 541.971,-28.234 531.971,-24.7341 531.971,-31.7341"/>
<text text-anchor="middle" x="445" y="-45.634" font-family="Times,serif" font-size="14.00">Authorization: Basic dTpw</text>
<text text-anchor="middle" x="445" y="-30.634" font-family="Times,serif" font-size="14.00">X&#45;Authorization: Proxy U</text>
</g>
<!-- Service&#45;&gt;AuthComp -->
<g id="edge7" class="edge"><title>Service&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M541.774,-12.7435C535.845,-11.2995 529.819,-10.067 524,-9.23398 454.486,0.717471 435.553,0.437338 366,-9.23398 363.341,-9.6037 360.639,-10.0522 357.922,-10.5631"/>
<polygon fill="black" stroke="black" points="357.121,-7.15517 348.066,-12.6562 358.575,-14.0025 357.121,-7.15517"/>
<text text-anchor="middle" x="445" y="-11.634" font-family="Times,serif" font-size="14.00">200 Okay</text>
</g>
</g>
</svg>
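
Review bot: the AuthComp->Start and Service->AuthComp edges are labelled "200 Okay"; the HTTP reason phrase is "200 OK", so change the label in the graphviz source to match the standard phrases used elsewhere in these diagrams ("401 Unauthorized", "403 Forbidden").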


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: StandardRejectAuth Pages: 1 -->
<svg width="590pt" height="84pt"
viewBox="0.00 0.00 590.00 84.11" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 80.1142)">
<title>StandardRejectAuth</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-80.1142 587,-80.1142 587,5 -4,5"/>
<!-- Start -->
<!-- AuthComp -->
<g id="node4" class="node"><title>AuthComp</title>
<polygon fill="#fdefe3" stroke="#c00000" points="470,-72.1142 372,-72.1142 372,-32.1142 470,-32.1142 470,-72.1142"/>
<text text-anchor="middle" x="421" y="-55.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="middle" x="421" y="-39.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
</g>
<!-- Start&#45;&gt;AuthComp -->
<g id="edge3" class="edge"><title>Start&#45;&gt;AuthComp</title>
<path fill="none" stroke="black" d="M54.087,-55.6146C59.9818,-56.239 66.1921,-56.7925 72,-57.1142 197.142,-64.0451 228.754,-61.7811 354,-57.1142 356.55,-57.0192 359.153,-56.9039 361.782,-56.7725"/>
<polygon fill="black" stroke="black" points="362.204,-60.2543 371.991,-56.1946 361.809,-53.2655 362.204,-60.2543"/>
<text text-anchor="middle" x="213" y="-63.5142" font-family="Times,serif" font-size="14.00">Authorization: Basic Yjpw</text>
</g>
<!-- AuthComp&#45;&gt;Start -->
<g id="edge5" class="edge"><title>AuthComp&#45;&gt;Start</title>
<path fill="none" stroke="black" d="M381.842,-32.0145C372.913,-28.3297 363.309,-25.0423 354,-23.1142 231.272,2.30687 192.234,12.2721 72,-23.1142 67.3413,-24.4853 62.7097,-26.5048 58.2883,-28.8508"/>
<polygon fill="black" stroke="black" points="56.3831,-25.9114 49.5663,-34.022 59.9531,-31.9327 56.3831,-25.9114"/>
<text text-anchor="middle" x="213" y="-40.5142" font-family="Times,serif" font-size="14.00">401 Unauthorized</text>
<text text-anchor="middle" x="213" y="-25.5142" font-family="Times,serif" font-size="14.00">WWW&#45;Authenticate: Basic Realm=&quot;API Realm&quot;</text>
</g>
<!-- Service -->
<g id="node8" class="node"><title>Service</title>
<polygon fill="#d1ebf1" stroke="#1f477d" points="582,-72.1142 488,-72.1142 488,-32.1142 582,-32.1142 582,-72.1142"/>
<text text-anchor="middle" x="535" y="-55.5142" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="middle" x="535" y="-39.5142" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
</g>
</svg>
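Review bot: style: the challenge on the AuthComp->Start edge is labelled `WWW-Authenticate: Basic Realm="API Realm"`; the parameter is conventionally written lowercase (`realm=`), as in the HTTP authentication RFCs, so lowercase it so the figure matches the header form readers will copy. Note also that `Start` exists only as a comment (`<!-- Start -->`) with no drawn `<g>`, so the `401 Unauthorized` arrow originates from empty space; if the client is deliberately out of frame that is fine, otherwise give it a visible node.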


@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.27.20101213.0545 (20101213.0545)
-->
<!-- Title: Together Pages: 1 -->
<svg width="116pt" height="104pt"
viewBox="0.00 0.00 116.00 104.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph1" class="graph" transform="scale(1 1) rotate(0) translate(4 100)">
<title>Together</title>
<polygon fill="white" stroke="white" points="-4,5 -4,-100 113,-100 113,5 -4,5"/>
<!-- Together -->
<g id="node2" class="node"><title>Together</title>
<polygon fill="#fdefe3" stroke="#fdefe3" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<polygon fill="none" stroke="#c00000" points="8,-47 8,-91 101,-91 101,-47 8,-47"/>
<text text-anchor="start" x="38" y="-75.2333" font-family="Helvetica,sans-Serif" font-size="14.00">Auth</text>
<text text-anchor="start" x="13.5" y="-58.4333" font-family="Helvetica,sans-Serif" font-size="14.00">Component</text>
<polygon fill="#d1ebf1" stroke="#d1ebf1" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<polygon fill="none" stroke="#1f477d" points="8,-4 8,-47 101,-47 101,-4 8,-4"/>
<text text-anchor="start" x="15.5" y="-31.7333" font-family="Helvetica,sans-Serif" font-size="14.00">OpenStack</text>
<text text-anchor="start" x="28" y="-14.9333" font-family="Helvetica,sans-Serif" font-size="14.00">Service</text>
</g>
</g>
</svg>


@ -0,0 +1,200 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="222pt"
height="135pt"
viewBox="0.00 0.00 245.00 135.00"
id="svg3479"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="layouts-full.svg">
<metadata
id="metadata3492">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
</cc:Work>
</rdf:RDF>
</metadata>
<defs
id="defs3490" />
<sodipodi:namedview
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1"
objecttolerance="10"
gridtolerance="10"
guidetolerance="10"
inkscape:pageopacity="0"
inkscape:pageshadow="2"
inkscape:window-width="1680"
inkscape:window-height="1002"
id="namedview3488"
showgrid="false"
inkscape:zoom="1"
inkscape:cx="-0.58191504"
inkscape:cy="23.096747"
inkscape:window-x="0"
inkscape:window-y="22"
inkscape:window-maximized="0"
inkscape:current-layer="svg3479" />
<g
id="layouts">
<title
id="title3482">Auth Layouts</title>
<text
text-anchor="middle"
x="58"
y="134"
font-family="Helvetica,sans-Serif"
font-size="14.00"
id="text3484">(a)</text>
<text
text-anchor="middle"
x="178"
y="134"
font-family="Helvetica,sans-Serif"
font-size="14.00"
id="text3486">(b)</text>
</g>
<g
id="graph1"
class="graph"
transform="matrix(0.81928538,0,0,0.77044025,18.190271,97.915731)">
<title
id="title3172">Together</title>
<polygon
style="fill:#ffffff;stroke:#ffffff"
points="-4,5 -4,5 -4,-100 113,-100 113,5 "
id="polygon3174" />
<!-- Together -->
<g
id="node2"
class="node">
<title
id="title3177">Together</title>
<polygon
style="fill:#fdefe3;stroke:#fdefe3"
points="8,-47 8,-47 8,-91 101,-91 101,-47 "
id="polygon3179" />
<polygon
style="fill:none;stroke:#c00000"
points="8,-47 8,-47 8,-91 101,-91 101,-47 "
id="polygon3181" />
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="38"
y="-75.233299"
font-size="14.00"
id="text3183">Auth</text>
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="13.5"
y="-58.4333"
font-size="14.00"
id="text3185">Component</text>
<polygon
style="fill:#d1ebf1;stroke:#d1ebf1"
points="8,-4 8,-4 8,-47 101,-47 101,-4 "
id="polygon3187" />
<polygon
style="fill:none;stroke:#1f477d"
points="8,-4 8,-4 8,-47 101,-47 101,-4 "
id="polygon3189" />
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="15.5"
y="-31.733299"
font-size="14.00"
id="text3191">OpenStack</text>
<text
style="font-size:14px;text-anchor:start;font-family:'Helvetica,sans-Serif'"
x="28"
y="-14.9333"
font-size="14.00"
id="text3193">Service</text>
</g>
</g>
<g
id="graph2"
class="graph"
transform="matrix(0.84200867,0,0,0.82332332,134.01425,108.66091)">
<title
id="title3134">Seperate</title>
<polygon
style="fill:#ffffff;stroke:#ffffff"
points="-4,-120 103,-120 103,5 -4,5 -4,5 "
id="polygon3136" />
<!-- AuthComp -->
<g
id="node2-9"
class="node">
<title
id="title3139">AuthComp</title>
<polygon
style="fill:#fdefe3;stroke:#c00000"
points="0,-116 0,-76 98,-76 98,-116 98,-116 "
id="polygon3141" />
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-99.400002"
font-size="14.00"
id="text3143">Auth</text>
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-83.400002"
font-size="14.00"
id="text3145">Component</text>
</g>
<!-- Service -->
<g
id="node4"
class="node">
<title
id="title3148">Service</title>
<polygon
style="fill:#d1ebf1;stroke:#1f477d"
points="2,-40 2,0 96,0 96,-40 96,-40 "
id="polygon3150" />
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-23.4"
font-size="14.00"
id="text3152">OpenStack</text>
<text
style="font-size:14px;text-anchor:middle;font-family:'Helvetica,sans-Serif'"
x="49"
y="-7.4000001"
font-size="14.00"
id="text3154">Service</text>
</g>
<!-- AuthComp&#45;&gt;Service -->
<g
id="edge3"
class="edge">
<title
id="title3157">AuthComp-&gt;Service</title>
<path
style="fill:none;stroke:#000000"
inkscape:connector-curvature="0"
d="m 49,-75.6334 c 0,7.8148 0,16.9081 0,25.4504"
id="path3159" />
<polygon
style="fill:#000000;stroke:#000000"
points="52.5001,-50.1593 49,-40.1593 45.5001,-50.1593 52.5001,-50.1593 "
id="polygon3161" />
</g>
</g>
</svg>
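Review bot: typo at `<title id="title3134">Seperate</title>`: should be `Separate`. The file also carries Inkscape editor state (`sodipodi:namedview` with window size and position, `inkscape:cx`, `inkscape:cy`, `inkscape:zoom`) that has no effect on rendering; saving as Plain SVG from Inkscape drops it and keeps the committed file to the diagram itself.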


@ -0,0 +1,215 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="183.71901"
height="100.41289"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="authComp.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="69.71099"
inkscape:cy="-12.532713"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-305.28902,-419.41658)">
<g
id="1"
transform="translate(304.10174,415.42322)">
<path
d="m 117.05,14.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m 117.05,43.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="26.4"
x="140"
xml:space="preserve"
id="4">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="37.599998"
x="124"
xml:space="preserve"
id="5">Component</text>
<path
d="m 117.05,72.4 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="6"
inkscape:connector-curvature="0" />
<path
d="m 117.05,101.2 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="7"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="84"
x="125.6"
xml:space="preserve"
id="8">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="95.199997"
x="133.60001"
xml:space="preserve"
id="9">Service</text>
<path
d="m 150.65,43.6 0,19.3"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<path
d="m 154.1,62.05 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="11"
inkscape:connector-curvature="0" />
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="131.2"
xml:space="preserve"
id="12">Option </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="158.39999"
xml:space="preserve"
id="13">(</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="161.60001"
xml:space="preserve"
id="14">b</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="166.39999"
xml:space="preserve"
id="15">)</text>
<path
d="m 1.85,14.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="16"
inkscape:connector-curvature="0" />
<path
d="m 1.85,43.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="17"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="26.4"
x="24.799999"
xml:space="preserve"
id="18">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="37.599998"
x="8.8000002"
xml:space="preserve"
id="19">Component</text>
<path
d="m 1.85,44.8 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="20"
inkscape:connector-curvature="0" />
<path
d="m 1.85,73.6 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="21"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="56"
x="10.4"
xml:space="preserve"
id="22">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="68"
x="18.4"
xml:space="preserve"
id="23">Service</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="13.6"
xml:space="preserve"
id="24">Option </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="41.599998"
xml:space="preserve"
id="25">(</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="44"
xml:space="preserve"
id="26">a</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="48.799999"
xml:space="preserve"
id="27">)</text>
<path
d="m 93.45,5.2 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,5.6 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-5.6 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z m 0,9.6 0,2.4 c 0,0.25 -0.15,0.4 -0.4,0.4 -0.2,0 -0.4,-0.15 -0.4,-0.4 l 0,-2.4 c 0,-0.2 0.2,-0.4 0.4,-0.4 0.25,0 0.4,0.2 0.4,0.4 z"
style="fill:#1f477d;fill-opacity:1;fill-rule:nonzero;stroke:#1f477d;stroke-width:0.80000001px;stroke-linecap:butt;stroke-linejoin:bevel;stroke-opacity:1;stroke-dasharray:none"
id="28"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>
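Review bot: the element ids in this file are bare integers (`id="1"` on the group, then `id="2"` through `id="28"`); an XML ID must start with a letter or underscore, so strict validators reject them and fragment references to them will not resolve. Let Inkscape regenerate the ids or prefix them (for example `id="g1"`). The `<dc:title></dc:title>` element is empty as well; giving it the figure's name helps accessibility and search.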


@ -0,0 +1,237 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="118.9"
height="159.425"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="mapper.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="1"
inkscape:cx="50.251985"
inkscape:cy="133.71622"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="1920"
inkscape:window-height="1024"
inkscape:window-x="-4"
inkscape:window-y="-4"
inkscape:window-maximized="1" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title />
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(106.03799,-264.63332)">
<g
id="g3015">
<path
d="m -80.18799,394.60832 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#d1ebf1;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="2"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,423.40832 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#1f477d;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="3"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="405.85831"
x="-72.037987"
xml:space="preserve"
id="4">OpenStack</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="417.85831"
x="-64.037987"
xml:space="preserve"
id="5">Service</text>
<path
d="m -46.58799,265.00832 0,19.3"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="6"
inkscape:connector-curvature="0" />
<path
d="m -42.804657,340.4626 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="7"
inkscape:connector-curvature="0" />
<path
d="m -46.58799,365.80832 0,19.3"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="10"
inkscape:connector-curvature="0" />
<path
d="m -43.13799,384.25832 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="11"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,322.60832 c -7.2,7.2 -7.2,13.45 -7.2,17.1 0,0.6 0,1.1 0,1.6"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="12"
inkscape:connector-curvature="0" />
<path
d="m -83.98799,340.25832 -2.8,10.55 -4.1,-10.15 6.9,-0.4 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="13"
inkscape:connector-curvature="0" />
<path
d="m -12.98799,322.60832 c 4.4,7 5.3,13.3 4.9,18.7"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="14"
inkscape:connector-curvature="0" />
<path
d="m -4.68799,340.25832 -2.9,10.55 -4,-10.15 6.9,-0.4 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="15"
inkscape:connector-curvature="0" />
<path
d="m -6.98799,366.40832 -17.75,20.4"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="16"
inkscape:connector-curvature="0" />
<path
d="m -21.58799,388.45832 -9.4,5.55 4.2,-10.1 5.2,4.55 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="17"
inkscape:connector-curvature="0" />
<path
d="m -85.58799,366.40832 15.25,20.05"
style="fill:none;stroke:#000000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="18"
inkscape:connector-curvature="0" />
<path
d="m -68.08799,383.65832 3.5,10.35 -9,-6.15 5.5,-4.2 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="19"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,293.80832 0,28.8 67.2,0 0,-28.8 -67.2,0 z"
style="fill:#ebf1de;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="20"
inkscape:connector-curvature="0" />
<path
d="m -80.18799,322.60832 67.2,0 0,-28.8 -67.2,0 0,28.8 z"
style="fill:none;stroke:#688037;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="21"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="311.45834"
x="-64.037987"
xml:space="preserve"
id="22">Mapper</text>
<path
d="m -105.38799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="23"
inkscape:connector-curvature="0" />
<path
d="m -105.38799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="24"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-100.03799"
xml:space="preserve"
id="25">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-77.637993"
xml:space="preserve"
id="26">1</text>
<path
d="m -65.78799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="27"
inkscape:connector-curvature="0" />
<path
d="m -65.78799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="28"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-60.037991"
xml:space="preserve"
id="29">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-38.437988"
xml:space="preserve"
id="30">2</text>
<path
d="m -26.18799,351.40832 0,14.4 38.4,0 0,-14.4 -38.4,0 z"
style="fill:#fdefe3;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="31"
inkscape:connector-curvature="0" />
<path
d="m -26.18799,365.80832 38.4,0 0,-14.4 -38.4,0 0,14.4 z"
style="fill:none;stroke:#c00000;stroke-width:1.29999995px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="32"
inkscape:connector-curvature="0" />
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="-20.837988"
xml:space="preserve"
id="33">Auth</text>
<text
style="font-size:9.60000038px;font-style:normal;font-weight:bold;text-align:start;text-anchor:start;fill:#000000;font-family:Arial"
y="361.85831"
x="1.562013"
xml:space="preserve"
id="34">3</text>
<path
d="m -46.000001,323.49386 0,18.51832"
style="fill:none;stroke:#000000;stroke-width:0.73465496;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
id="6-1"
inkscape:connector-curvature="0" />
<path
d="m -42.883334,284.52051 -3.45,10.35 -3.45,-10.35 6.9,0 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
id="7-7"
inkscape:connector-curvature="0" />
</g>
</g>
</svg>
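Review bot: same id problem as the other Inkscape figures: `id="2"` through `id="34"`, plus `id="6-1"` and `id="7-7"`, all start with a digit, which is not a valid XML ID. `<dc:title />` is empty too, so the Mapper -> Auth 1/2/3 -> OpenStack Service flow has no text equivalent; fill in the title or add an SVG `<title>` element, and drop the `sodipodi:namedview` window geometry by saving as Plain SVG.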


@ -0,0 +1,238 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="360.43942"
height="43.693935"
id="svg2"
version="1.1"
inkscape:version="0.48.0 r9654"
sodipodi:docname="layouts.svg">
<defs
id="defs4" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98901497"
inkscape:cx="238.80946"
inkscape:cy="161.99774"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
fit-margin-top="0"
fit-margin-left="0"
fit-margin-right="0"
fit-margin-bottom="0"
inkscape:window-width="912"
inkscape:window-height="842"
inkscape:window-x="66"
inkscape:window-y="87"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-136.19055,-650.66599)">
<g
id="1"
transform="translate(134.9737,646.56521)">
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="190.39999"
xml:space="preserve"
id="2">Authorization</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="240.8"
xml:space="preserve"
id="3">: </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="10.4"
x="245.60001"
xml:space="preserve"
id="4">Basic dTpw</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="190.39999"
xml:space="preserve"
id="5">X</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="196"
xml:space="preserve"
id="6">-</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="199.2"
xml:space="preserve"
id="7">Authorization</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="248.8"
xml:space="preserve"
id="8">: </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="253.60001"
xml:space="preserve"
id="9">Proxy U</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="5.5999999"
xml:space="preserve"
id="10">Authorization</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="56"
xml:space="preserve"
id="11">: </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#1f477d;font-family:Arial"
y="20"
x="60.799999"
xml:space="preserve"
id="12">Basic VTpQ</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="31.200001"
x="34.400002"
xml:space="preserve"
id="13">500 </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="31.200001"
x="50.400002"
xml:space="preserve"
id="14">Internal Error</text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="32.799999"
x="190.39999"
xml:space="preserve"
id="15">403 </text>
<text
style="font-size:8.80000019px;font-style:italic;font-weight:normal;text-align:start;text-anchor:start;fill:#ff0000;font-family:Arial"
y="32.799999"
x="206.39999"
xml:space="preserve"
id="16">Proxy Unauthorized</text>
<path
d="m 114.4,23.3 c 1,12.6 -38.55,19.05 -91.35,14.85"
style="fill:none;stroke:#ff0000;stroke-width:0.75px;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1;stroke-dasharray:none"
id="17"
inkscape:connector-curvature="0" />
<!-- SVG path and label data omitted; figure labels recovered from the file: "Auth Component", "OpenStack Service" -->
</g>
</g>
</svg>

169
docs/source/middleware.rst Normal file

@ -0,0 +1,169 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==========
Middleware
==========
The Keystone middleware sits in front of an OpenStack service and handles authenticating
incoming requests. The middleware was designed according to `this spec`.
The middleware is found in source under Keystone/middleware.
The middleware supports two interfaces; WSGI and REST/HTTP.
.. _`this spec`: http://wiki.openstack.org/openstack-authn
REST & HTTP API
===============
If an unauthenticated call comes in, the middleware will respond with a 401 Unauthorized error. As per
HTTP standards, it will also return a WWW-Authenticate header informing the caller
of what protocols are supported. For Keystone authentication, the response syntax will be::
WWW-Authenticate: Keystone uri="url to Keystone server"
The client can then make the necessary calls to the Keystone server, obtain a token, and retry the call with the token.
The token is passed in using ther X-Auth-Token header.
WSGI API (Headers)
==================
Upon successful authentication the middleware sends the following
headers to the downstream WSGI app:
X-Identity-Status
Provides information on whether the request was authenticated or not.
X-Tenant
Provides the tenant ID (as it appears in the URL in Keystone). This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Tenant-Id
The unique, immutable tenant Id
X-Tenant-Name
The unique, but mutable (it can change) tenant name.
X-User-Id
The user id of the user used to log in
X-User-Name
The username used to log in
X-User
The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Roles
The roles associated with that user
Configuration
=============
The middleware is configured within the config file of the main application as
a WSGI component. Example for the auth_token middleware::
[app:myService]
paste.app_factory = myService:app_factory
[pipeline:main]
pipeline =
tokenauth
myService
[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666
;Uncomment next line and check ip:port to use memcached to cache token requests
;memcache_hosts = 127.0.0.1:11211
*The required configuration entries are:*
auth_host
The IP address or DNS name of the Keystone server
auth_port
The TCP/IP port of the Keystone server
auth_protocol
The protocol of the Keystone server ('http' or 'https')
auth_uri
The externally accessible URL of the Keystone server. This will be where unauthenticated
clients are redirected to. This is in the form of a URL. For example, if they make an
unauthenticated call, they get this response::
HTTP/1.1 401 Unauthorized
Www-Authenticate: Keystone uri='https://auth.example.com/'
Content-Length: 381
In this case, the auth_uri setting is set to https://auth.example.com/
admin_token
This is the long-lived token issued to the service to authenticate itself when calling
Keystone. See :doc:`configuration` for more information on setting this up.
*Optional parameters are:*
delay_auth_decision
Whether the middleware should reject invalid or unauthenticated calls directly or not. If not,
it will send all calls down to the service to decide, but it will set the HTTP-X-IDENTITY-STATUS
header appropriately (set to'Confirmed' or 'Indeterminate' based on validation) and the
service can then decide if it wants to honor the call or not. This is useful if the service offers
some resources publicly, for example.
auth_timeout
The amount of time to wait before timing out a call to Keystone (in seconds)
memcache_hosts
This is used to point to a memcached server (in ip:port format). If supplied,
the middleware will cache tokens and data retrieved from Keystone in memcached
to minimize calls made to Keystone and optimize performance.
.. warning::
Tokens are cached for the duration of their validity. If they are revoked eariler in Keystone,
the service will not know and will continue to honor the token as it has them stored in memcached.
Also note that tokens and data stored in memcached are not encrypted. The memcached server must
be trusted and on a secure network.
*Parameters needed in a distributed topology.* In this configuration, the middleware is running
on a separate machine or cluster than the protected service (not common - see :doc:`middleware_architecture`
for details on different deployment topologies):
service_host
The IP address or DNS name of the location of the service (since it is remote
and not automatically down the WSGI chain)
service_port
The TCP/IP port of the remote service.
service_protocol
The protocol of the service ('http' or 'https')
service_pass
The basic auth password used to authenticate to the service (so the service
knows the call is coming from a server that has validated the token and not from
an untrusted source or spoofer)
service_timeout
The amount of time to wait for the service to respond before timing out.
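Review bot: the `admin_token = 999888777666` line in the sample and the `admin_token` entry under the required settings document a long-lived credential that lets the middleware call Keystone's admin port, yet nothing in this file tells operators to keep the paste config readable only by the service account or not to carry the sample value into a deployment; a sentence to that effect beside the `admin_token` description, and a matching remark that `service_pass` is also held in clear text in the same file, would close that gap. Smaller fixes in the same hunk: "ther X-Auth-Token" should read "the X-Auth-Token"; "set to'Confirmed'" is missing a space; "eariler" should be "earlier"; the source path is `keystone/middleware`, not `Keystone/middleware`; and the status header is called `X-Identity-Status` in the WSGI API section but `HTTP-X-IDENTITY-STATUS` under `delay_auth_decision` (the latter is the WSGI environ key), so say which form the downstream app should look for.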


@ -0,0 +1,529 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
=======================
Middleware Architecture
=======================
Abstract
========
The Keystone middleware architecture supports multiple authentication protocols
in a pluggable manner in OpenStack. By providing support for authentication via
pluggable authentication components, this architecture allows OpenStack
services to be integrated easily into existing deployment environments. It also
provides a path by which to implement support for emerging authentication
standards such as OAUTH.
Rationale and Goals
===================
Keystone is the Identity service for OpenStack. To support the easy integrating
of OpenStack with existing authentication and identity management systems,
Keystone supports talking to multiple backends like LDAP.
And to support different deployment needs, it can support multiple
authentication protocols via pluggable 'authentication components' implemented
as WSGI middleware.
In this document, we describe the responsibilities of the authentication
middleware. We describe how these interact with underlying OpenStack services
and how existing services can be modified to take advantage of pluggable
authentication. The goal is to allow OpenStack services to be integrated easily
into existing deployment environments and to provide a path by which to
implement support for emerging authentication standards such as OAUTH.
Specification Overview
======================
'Authentication' is the process of determining that users are who they say they
are. Typically, 'authentication protocols' such as HTTP Basic Auth, Digest
Access, public key, token, etc, are used to verify a user's identity. In this
document, we define an ''authentication component'' as a software module that
implements an authentication protocol for an OpenStack service.
At a high level, an authentication component is simply a reverse proxy that
intercepts HTTP calls from clients. Once it has verified a user's identity, the
authentication component extends the call with information about the current
user and forwards the request to the OpenStack service. Otherwise, if a user's
identity is not verified, the message is rejected before it gets to the
service. This is illustrated in :ref:`authComponent`.
.. _authComponent:
Authentication Component
------------------------
Figure 1. Authentication Component
.. image:: images/graphs_authComp.svg
:width: 100%
:height: 180
:alt: An Authentication Component
Authentication components may operate in 'delegated mode'. In this mode, the
decision reject an unauthenticated client is delegated to the OpenStack
service. Delegated mode is illustrated in :ref:`authComponentDelegated`.
Here, requests are forwarded to the OpenStack service with an identity status
message that indicates whether the client's identity has been confirmed or is
indeterminate. It is the OpenStack service that decides whether or not a reject
message should be sent to the client. Note that it is always the responsibility
of the Authentication Component to transmit reject messages to the client.
.. _authComponentDelegated:
Authentication Component (Delegated Mode)
-----------------------------------------
Figure 2. Authentication Component (Delegated Mode)
.. image:: images/graphs_authCompDelegate.svg
:width: 100%
:height: 180
:alt: An Authentication Component (Delegated Mode)
In this architecture, we define interactions between the authentication component
and the OpenStack service. Interactions between the client and the
authentication component are defined only for exceptional cases. For example,
we define the message that should be returned when the OpenStack service is
down. Other interactions, however, are defined by the underlying authentication
protocol and the OpenStack service and are considered out of scope.
.. _deployStrategies:
Deployment Strategies
=====================
An authentication component may be integrated directly into the service
implementation, or it may be deployed separately as an HTTP reverse proxy. This
is illustrated in :ref:`deployment`, showing both approaches to
authentication, labeled Option (a) and Option (b).
.. _deployment:
Authentication Component Deployments Options
--------------------------------------------
Figure 3. Authentication Component Deployments Options
.. image:: images/images_layouts.svg
:width: 100%
:height: 180
:alt: Authentication Component Deployments Options
In Option (a), the component is integrated into the service implementation. In
this case, communication between the authentication component and the service
can be efficiently implemented via a method call. In Option (b), the component
is deployed separately and communication between the service and the component
involves an HTTP request. In both cases, unauthenticated requests are filtered
before they reach the service.
Each approach offers some benefits. Option (a) offers low latency and ease of
initial implementation, making it possibly most appropriate as a starting point
for simple configurations. Option (b) offers several key advantages that may be
of particular value in complex and dynamic configurations. It offers the
ability to scale horizontally in cases where authentication is computationally
expensive, such as when verifying digital signatures. Option (b) also allows
authentication components to be written in different programming languages.
Finally, Option (b) allows multiple authentication components to be deployed in
front of the same service.
OpenStack services can support both embedded (Option (a)) and external (Option
(b)) deployment strategies. Individual authentication components should support
either strategy or they |may| support both strategies. In order to support
option (a), authentication components written in the Python programming
language should be written as WSGI middleware components (in accordance with
the Web Server Gateway Interface (WSGI) standard [PEP-333]_.
Additionally, services should support the ability to swap between different
embedded or external authentication components via configuration options.
Exchanging User Information
===========================
If a request is successfully authenticated, the authentication component must
extend the request by adding an ``X-Authorization`` header. The header |must|
be formatted as illustrated in :ref:`xAuthHeader`.
.. _xAuthHeader:
X-Authorization Header
----------------------
Example 1. X-Authorization Header::
X-Authorization: Proxy JoeUser
Here, `Proxy` denotes that the authentication occurred via a proxy (in this
case authentication component) and ''JoeUser'' is the name of the user who
issued the request.
.. note:
We considered using an ``Authorization`` header rather than an
``X-Authorization``, thereby following normal HTTP semantics. There are some
cases, however, where multiple ``Authorization`` headers need to be transmitted
in a single request. We want to assure ourselves that this will not break
common clients before we recommend the approach.
Authentication components |may| extend the request with additional
information. For example, an authentication system may add additional headers
or modify the target URI to pass authentication information to the back-end
service. Additionally, an authentication component |may| strip sensitive
information — a plain text password, for example — from the request. That said,
an authentication component |should| pass the majority of the request
unmodified.
Reverse Proxy Authentication
----------------------------
An OpenStack service |should| verify that it is receiving requests from a
trusted authentication component. This is particularly important in cases where
the authentication component and the OpenStack service are deployed separately.
In order to trust incoming requests, the OpenStack service should therefore
authenticate the authentication component. To avoid confusion, we call this
'reverse proxy authentication', since in this case the authentication
component is acting as an HTTP reverse proxy.
Any HTTP-based authentication scheme may be used for reverse proxy
authentication; however, all OpenStack services and all authentication
components |must| support HTTP Basic Authentication as defined in
[RFC-2617]_.
Whether or not reverse proxy authentication is required is strictly a
deployment concern. For example, an operations team may opt to utilize firewall
rules instead of an authentication protocol to verify the integrity of incoming
request. Because of this, both OpenStack services and authentication components
|must| also allow for unauthenticated communication.
In cases where reverse proxy authentication is used, the authorization
component may receive an HTTP 401 authentication error or an HTTP 403
authorization error. These errors indicate that the component does not have
access to the underlying OpenStack service. The authentication component
|must not| return these errors to the client application. Instead, the
component |must| return a 500 internal error. This is illustrated in
:ref:`proxyAuth` and :ref:`proxyAuthDelegated` below. The component
|should| format the errors in a manner that does not break the service
contract defined by the OpenStack service. :ref:`proxyAuthDelegated`
illustrates proxy authorization in delegated mode. Delegated mode is discussed
in detail in the next section.
.. _proxyAuth:
Reverse Proxy Authentication
----------------------------
Figure 4. Reverse Proxy Authentication
.. image:: images/graphs_proxyAuth.svg
:width: 100%
:height: 180
:alt: Reverse Proxy Authentication
.. _proxyAuthDelegated:
Reverse Proxy Authentication (Delegated Mode)
---------------------------------------------
Figure 5. Reverse Proxy Authentication (Delegated Mode)
.. image:: images/graphs_delegate_forbiden_proxy.svg
:width: 100%
:height: 180
:alt: Reverse Proxy Authentication (Delegated Mode)
Delegated Mode
==============
In some cases, the decision to reject an unauthenticated request should be
delegated to the OpenStack service. An unauthenticated request may be
appropriate in cases when anonymous access is allowed. In order to support
these cases, an authentication component may be placed in Delegated Mode. In
this mode, the component forwards requests to the OpenStack service when the
client's identity has been confirmed or is indeterminate — that is when
credentials are missing. The authentication component directly rejects requests
with invalid credentials. Authentication components |must| extend the
request by adding an `X-Identity-Status` header. The identity status header
|must| contain one of the following values:
Identity Status Values
----------------------
Confirmed
A `confirmed` value indicates that valid credentials were sent and identity
has been confirmed. The service can trust that the request has been sent on
behalf of the user specified in the `X-Authorization` header.
Indeterminate
An `indeterminate` value indicates that no credentials were sent and
identity has not been confirmed. In this case, the service will receive an
`X-Authorization` header with no user entry as illustrated in
:ref:`xauth-header-indeterminate`.
.. _xauth-header-indeterminate:
Indeterminate Identity Headers
------------------------------
Example 2. Indeterminate Identity Headers::
X-Identity-Status: Indeterminate
X-Authorization: Proxy
Services |may| reject a delegated request by issuing an HTTP 401
authentication error or an HTTP 403 authorization error. These responses
|must| contain an ``WWW-Authenticate`` header with a value of ``Delegated`` as
illustrated in :ref:`unauthHeaders`.
X-Identity-Status
Provides information on whether the request was authenticated or not.
X-Tenant
Provides the tenant ID (as it appears in the URL in Keystone). This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Tenant-Id
The unique, immutable tenant Id
X-Tenant-Name
The unique, but mutable (it can change) tenant name.
X-User-Id
The user id of the user used to log in
X-User-Name
The username used to log in
X-User
The username used to log in. This is to support any legacy implementations before Keystone switched to an ID/Name schema for tenants.
X-Roles
The roles associated with that user
.. _unauthHeaders:
Delegated WWW-Authenticate Header
---------------------------------
::
WWW-Authenticate: Delegated
It is important to note that the actual reject message will likely be modified
by the authentication component in order to comply with the authentication
scheme it is implementing. This is illustrated in :ref:`delegateRejectBasic` and
:ref:`delegateRejectOAuth` below.
.. _delegateRejectBasic:
Delegated Reject Basic Auth
---------------------------
.. image:: images/graphs_delegate_reject_basic.svg
:width: 100%
:height: 180
:alt: Delegated Reject Basic Auth
.. _delegateRejectOAuth:
Delegated Reject OAuth
----------------------
.. image:: images/graphs_delegate_reject_oauth.svg
:width: 100%
:height: 180
:alt: Delegated Reject OAuth
The presence of the `WWW-Authenticate` header with a value of `Delegated`
distinguishes a client authentication/authorization failure from a component
failure. For example, compare :ref:`delegateForbidden` with :ref:`proxyAuthDelegated`. In
:ref:`delegateForbidden`, the client is not allowed to access the OpenStack service.
In :ref:`proxyAuthDelegated`, it is the authentication component itself which is
unauthorized.
.. _delegateForbidden:
Delegated Reject Forbidden
--------------------------
Figure 8. Delegated Reject Forbidden
.. image:: images/graphs_delegate_forbiden_basic.svg
:width: 100%
:height: 180
:alt: Delegated Reject Forbidden
Authentication components |must| support both delegated and undelegated
(standard) modes. Delegated mode |should| be configured via a configuration
option. Delegated mode |should| be disabled by default.
OpenStack services are not required to support delegated mode. If a service
does not support delegated mode, it |must| respond with a 501 not implemented
error and an `WWW-Authenticate` header with a value of `Delegated`. The
authentication component |must not| return the error to the client
application. Instead, the component |must| return a 500 internal error; this is
illustrated in :ref:`delegateUnimplemented`. The component |should|
format the error in a manner that does not break the service contract defined
by the OpenStack service. The component should also log the error such that it
that will inform operators of the misconfiguration.
.. _delegateUnimplemented:
Unimplemented Delegated Mode
----------------------------
.. image:: images/graphs_delegate_unimplemented.svg
:width: 100%
:height: 180
:alt: Unimplemented Delegated Mode
Handling Direct Client Connections
==================================
Requests from the authentication component to an OpenStack service |must|
contain an ``X-Authorization`` header. If the header is missing, and reverse
proxy authentication fails or is switched off, the OpenStack service |may|
assume that the request is coming directly from a client application. In this
case, the OpenStack service |must| redirect the request to the authentication
component by issuing an HTTP 305 User Proxy redirect. This is illustrated in
:ref:`redirect`. Note that the redirect response |must| include a ``Location`` header
specifying the authentication component's URL as shown in :ref:`redirect-response`.
.. _redirect:
Auth Component Redirect
-----------------------
.. image:: images/graphs_305.svg
:width: 100%
:height: 280
:alt: Auth Component Redirect
.. _redirect-response:
Auth Component Redirect Response
--------------------------------
::
HTTP/1.1 305 Use Proxy
Date: Thu, 28 Oct 2011 07:41:16 GMT
Location: http://sample.auth.openstack.com/path/to/resource
Using Multiple Authentication Components
========================================
There are some use cases when a service provider might want to consider using
multiple authentication components for different purposes. For instance, a
service provider may have one authentication scheme to authenticate the users
of the service and another one to authenticate the administrators or operations
personnel that maintain the service. For such scenarios, we propose using a
mapper as illustrated in :ref:`multiAuth`.
.. _multiAuth:
Multiple Authentication Components
----------------------------------
.. image:: images/graphs_mapper.svg
:width: 100%
:height: 320
:alt: Multiple Authentication Components
At a high level, a mapper is a simple reverse proxy that intercepts HTTP calls
from clients and routes the request to the appropriate authentication
component. A mapper can make the routing decisions based on a number of routing
rules that map a resource to a specific authentication component. For example,
a request URI may determine whether a call should be authenticated via one
authentication component or another.
Note that neither the authentication component nor the OpenStack service need
be aware of the mapper. Any external authentication component can be used
alongside others. Mappers may provide a means by which to offer support for
anonymous or guest access to a subset of service resources. A mapper may be
implemented via a traditional reverse proxy server such as Pound or Zeus.
The Default Component
=====================
Individual services |must| be distributed with a simple integrated
authentication component by default. Providing such a component lowers barriers
to the deployment of individual services. This is especially important to]
developers who may want to deploy OpenStack services on their own machines.
Also, since there is no direct dependency on an external authentication system,
OpenStack services can be deployed individually, without the need to stand up
and configure additional services. Finally, having a standard authentication
component that all services share promotes a separation of concerns. That is,
as a community we are explicitly stating that services should not develop their
own authentication mechanisms. Additional authentication components may be
developed, of course, but these components should not be intimately coupled to
any one particular service.
As discussed in :ref:`deployStrategies`, an authentication component may be
integrated directly into the service implementation (Option (a)), or it may be
deployed separately as an HTTP reverse proxy (Option (b)). The default
component should be implemented to support Option (a) and services should
maintain support for Option (b). One way to achieve this is to provide a
method that allows the disabling of the default authentication component via
configuration. This is illustrated in :ref:`both`. Here, requests are
sent directly to the OpenStack service when the default authentication
component is disabled.
We will discuss the design of the default component in an upcoming blueprint.
.. _both:
Disabled Embedded Component
---------------------------
.. image:: images/graphs_both.svg
:width: 100%
:height: 250
:alt: Disabled Embedded Component
Questions and Answers
=====================
#. Why do authentication components send reject messages? Why not have
OpenStack services reject requests themselves?
The content and format of an authentication failed message is determined by
the authentication scheme (or protocol). For the service to respond
appropriately, it would have to be aware of the authentication scheme in
which it participates; this defeats the purpose of pluggable authentication
components.
#. Why require support for deploying authentication components in separate
nodes?
The deployment strategy is very flexible. It allows for authentication
components to be horizontally scalable. It allows for components to be written
in different languages. Finally, it allows different authentication components
to be deployed simultaneously as described above.
References
==========
.. [PEP-333] pep0333 Phillip J Eby. 'Python Web Server Gateway Interface
v1.0.'' http://www.python.org/dev/peps/pep-0333/.
.. [RFC-2617] rfc2617 J Franks. P Hallam-Baker. J Hostetler. S Lawrence.
P Leach. A Luotonen. L Stewart. ''HTTP Authentication: Basic and Digest
Access Authentication.'' http://tools.ietf.org/html/rfc2617.
.. |must| replace:: must must
.. |should| replace:: should should
.. |may| replace:: may may
.. |must not| replace:: "must not" "must not"
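Review bot: the block of header definitions from `X-Identity-Status` through `X-Roles` that sits between the sentence ending "as illustrated in :ref:`unauthHeaders`." and the `.. _unauthHeaders:` label is a copy of the list in middleware.rst and separates the Delegated Mode text from the example it points to; drop it here, or give it its own heading after the `WWW-Authenticate: Delegated` example. Further points in this hunk: `.. note:` (single colon) before "We considered using an ``Authorization`` header" is a reST comment, so that paragraph will not render as an admonition; the substitutions `.. |must| replace:: must must` (and the |should|, |may| and |must not| ones) emit the keyword twice, so every "|must|" in the text renders as "must must"; "to]" in The Default Component section carries a stray bracket; "the decision reject an unauthenticated client" is missing "to"; and the captions jump from Figure 5 to Figure 8 while the Delegated Reject Basic Auth and Delegated Reject OAuth images have no figure number.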

126
docs/source/migration.rst Normal file

@ -0,0 +1,126 @@
===================
Database Migrations
===================
Keystone uses SQLAlchemy Migrate (``sqlalchemy-migrate``) to manage
migrations.
Migrations are tracked using a metadata table (``migrate_version``), which
allows keystone to compare the state of your database to the state it
expects, and to move between versions.
.. WARNING::
Backup your database before applying migrations. Migrations may
attempt to modify both your schema and data, and could result in data
loss.
Always review the behavior of migrations in a staging environment
before applying them in production.
Getting Started
===============
Your initial approach to migrations should depend on whether you have an
empty database or a schema full of data.
Starting with an empty database
-------------------------------
If you have an empty database for keystone to work with, you can simply
run::
$ ./bin/keystone-manage database sync
This command will initialize your metadata table, and run through all the
schema & data migrations necessary to bring your database in sync with
keystone. That's it!
Starting with an existing database
----------------------------------
Place an existing database under version control to enable migration
support::
$ ./bin/keystone-manage database version_control
This command simply creates a ``migrate_version`` table, set at
``version_number`` 0, which indicates that no migrations have been applied.
If you are starting with an existing schema, you can jump to a specific
schema version without performing migrations using the ``database goto``
command. For example, if you're starting from a diablo-compatible
database, set your current database ``version_number`` to ``1`` using::
$ ./bin/keystone-manage database goto <version_number>
Determine your appropriate database ``version_number`` by referencing the
following table:
+------------+-------------+
| Release | ``version`` |
+============+=============+
| pre-diablo | (see below) |
+------------+-------------+
| diablo | 1 |
+------------+-------------+
| essex-m1 | 3 |
+------------+-------------+
| essex-m2 | 4 |
+------------+-------------+
From there, you can upgrade normally (see :ref:`upgrading`).
Starting with a pre-diablo database (cactus)
--------------------------------------------
You'll need to manually migrate your database to a diablo-compatible
schema, and continue forward from there (if desired) using migrations.
.. _upgrading:
Upgrading & Downgrading
=======================
.. note::
Attempting to start keystone with an outdated schema will cause
keystone to abort, to avoid corrupting your data.
Upgrade to the latest version automatically::
$ ./bin/keystone-manage database sync
Check your current schema version::
$ ./bin/keystone-manage database version
Jump to a specific version without performing migrations::
$ ./bin/keystone-manage database goto <version_number>
Upgrade to a specific version::
$ ./bin/keystone-manage database upgrade <version_number>
Downgrade to a specific version (will likely result in data loss!)::
$ ./bin/keystone-manage database downgrade <version_number>
Opting Out of Migrations
========================
If you don't want to use migrations (e.g. if you want to manage your
schema manually), keystone will complain in your logs on startup, but
won't actually stop you from doing so.
It's recommended that you use migrations to get up and running, but if
you want to manage migrations manually after that, simply drop the
``migrate_version`` table::
DROP TABLE migrate_version;
Useful Links
============
Principles to follow when developing migrations `OpenStack Deployability <http://wiki.openstack.org/OpenstackDeployability>`_
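Review bot: under "Starting with an existing database" the sentence says to set the version to ``1`` for a diablo-compatible database, but the command shown is `./bin/keystone-manage database goto <version_number>` with the placeholder still in place; show `goto 1` there, since the generic placeholder form already appears in the Upgrading & Downgrading section. It would also help to say next to the release table that, because `database goto` performs no migrations, choosing the wrong number leaves the recorded version and the actual schema out of sync, which is the failure the table exists to prevent.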


@ -0,0 +1,142 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
nova-api-paste example
======================
::
#######
# EC2 #
#######
[composite:ec2]
use = egg:Paste#urlmap
/: ec2versions
/services/Cloud: ec2cloud
/services/Admin: ec2admin
/latest: ec2metadata
/2007-01-19: ec2metadata
/2007-03-01: ec2metadata
/2007-08-29: ec2metadata
/2007-10-10: ec2metadata
/2007-12-15: ec2metadata
/2008-02-01: ec2metadata
/2008-09-01: ec2metadata
/2009-04-04: ec2metadata
/1.0: ec2metadata
[pipeline:ec2cloud]
pipeline = logrequest totoken authtoken keystonecontext cloudrequest authorizer ec2executor
[pipeline:ec2admin]
pipeline = logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor
[pipeline:ec2metadata]
pipeline = logrequest ec2md
[pipeline:ec2versions]
pipeline = logrequest ec2ver
[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory
[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory
[filter:totoken]
paste.filter_factory = keystone.middleware.ec2_token:EC2Token.factory
[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory
[filter:authenticate]
paste.filter_factory = nova.api.ec2:Authenticate.factory
[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:adminrequest]
controller = nova.api.ec2.admin.AdminController
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory
[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory
[app:ec2ver]
paste.app_factory = nova.api.ec2:Versions.factory
[app:ec2md]
paste.app_factory = nova.api.ec2.metadatarequesthandler:MetadataRequestHandler.factory
#############
# Openstack #
#############
[composite:osapi]
use = egg:Paste#urlmap
/: osversions
/v1.1: openstackapi
[pipeline:openstackapi]
pipeline = faultwrap authtoken keystonecontext ratelimit extensions osapiapp
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
[filter:auth]
paste.filter_factory = nova.api.openstack.auth:AuthMiddleware.factory
[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.limits:RateLimitingMiddleware.factory
[filter:extensions]
paste.filter_factory = nova.api.openstack.extensions:ExtensionMiddleware.factory
[app:osapiapp]
paste.app_factory = nova.api.openstack:APIRouter.factory
[pipeline:osversions]
pipeline = faultwrap osversionapp
[app:osversionapp]
paste.app_factory = nova.api.openstack.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = keystone.middleware.nova_keystone_context:NovaKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 999888777666
;Uncomment next line and check ip:port to use memcached to cache token requests
;memcache_hosts = 127.0.0.1:11211
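Review bot: ``admin_token = 999888777666`` in the ``[filter:authtoken]`` section is a literal credential in a sample config that will be copied verbatim; replace it with an obvious placeholder and add a comment that it must match the token configured on the Keystone server and must not live in a world-readable file. Several filter sections (``ec2lockout``, ``ec2noauth``, ``authenticate``, ``auth``, ``noauth``) are defined but referenced by no pipeline; either drop them or mark ``ec2noauth``/``noauth`` as development-only so nobody substitutes them for ``authtoken`` in the EC2 or OpenStack pipelines by accident.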
docs/source/releases.rst Normal file
@ -0,0 +1,36 @@
=============
Release notes
=============
E3 (January 26, 2012)
==========================================
* Contract compliance: version response and ATOM, 300 multiple choice
* Global endpoints returned for unscoped calls
* adminUrl only shown to admin clients
* Endpoints have unique ID
* Auth-N/Auth-Z for S3 API (OS-KSS3 extension)
* Default tenant scope optionally returned when authenticating
* Vary header returned for caching proxies
* Portable identifiers: modifiable, string identifiers in database backend
* Much improved keystone-manage command (see --help and docs)
* OS-KSVALIDATE extension to support not passing tokens in URL
* OS-KSEC2 and OS-KSS3 extensions respond on /tokens
* HP-IDM extension to filter roles to a given service ID
* Additional caching options in middleware (memcache and swift cache)
* Enhanced configuration management (in line with other OpenStack projects)
* Additional logging
* Enhanced tracer tool (-t or --trace-calls)
See comprehensive list here https://launchpad.net/keystone/+milestone/essex-3
E2 (December 15, 2011)
========================
* D5 compatibility middleware
* Database versioning
* Much more documentation: http://keystone.openstack.org
See https://launchpad.net/keystone/+milestone/essex-2
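Review bot: Style: the E3 and E2 heading underlines do not match their title lengths, and the two milestone URLs are bare text; format them as rst hyperlinks (for example `` `essex-3 milestone <https://launchpad.net/keystone/+milestone/essex-3>`_ ``) so they render as links. The items "adminUrl only shown to admin clients" and "Global endpoints returned for unscoped calls" change what non-admin and unscoped callers see in the catalog and deserve a pointer to the documentation section that describes the new behaviour.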
@ -0,0 +1,69 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
===============================
Service API Examples Using Curl
===============================
The service API is defined to be a subset of the Admin API and, by
default, runs on port 5000.
GET /
=====
This call is identical to that documented for the Admin API, except
that it uses port 5000, instead of port 35357, by default::
$ curl http://0.0.0.0:5000
or::
$ curl http://0.0.0.0:5000/v2.0/
See the `Admin API Examples Using Curl`_ for more info.
.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html
GET /extensions
===============
This call is identical to that documented for the Admin API.
POST /tokens
============
This call is identical to that documented for the Admin API.
GET /tenants
============
List all of the tenants your token can access::
$ curl -H "X-Auth-Token:887665443383838" http://localhost:5000/v2.0/tenants
Returns::
{
"tenants_links": [],
"tenants": [
{
"enabled": true,
"description": "None",
"name": "customer-x",
"id": "1"
}
]
}
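Review bot: In the ``GET /tenants`` sample response, ``"description": "None"`` is a JSON string rather than ``null``, which looks like a Python ``None`` stringified on the way out; check whether the server really emits the string and, if so, document it or fix the serialization, since clients will otherwise test for ``null``. The ``.. _`Admin API Examples Using Curl`: adminAPI_curl_examples.html`` target hard-codes an HTML filename; a ``:doc:`adminAPI_curl_examples``` reference works for every Sphinx builder.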
docs/source/services.rst Normal file
@ -0,0 +1,92 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
================
Services
================
.. toctree::
:maxdepth: 1
What are services?
==================
Keystone includes service registry and service catalog functionality which it
uses to respond to client authentication requests with information useful to
clients in locating the list of available services they can access.
The Service entity in Keystone represents an OpenStack service that is integrated
with Keystone. The Service entity is also used as a reference from roles, endpoints,
and endpoint templates.
Keystone also includes an authorization mechanism to allow a service to own
its own roles and endpoints and prevent other services from changing or
modifying them.
Who can create services?
========================
Any user with the Admin or Service Admin roles in Keystone may create services.
How are services created?
=========================
Services can be created using ``keystone-manage`` or through the REST API using
the OS-KSADM extension calls.
Using ``keystone-manage`` (see :doc:`man/keystone-manage` for details)::
$ keystone-manage add service compute nova 'This is a sample compute service'
Using the REST API (see `extensions dev guide <https://github.com/openstack/keystone/blob/master/keystone/content/admin/OS-KSADM-admin-devguide.pdf?raw=true>`_ for details)::
$ curl -H "Content-type: application/json" -X POST -d '{
"OS-KSADM:service": {
"name": "nova",
"type": "compute",
"description": "This is a sample compute service"
}
}' -H "X-Auth-Token: 999888777666" http://localhost:35357/v2.0/OS-KSADM/services/
How is service ownership determined?
====================================
Currently, the way to assign ownership to a service is to provide the owner's
user id in the keystone-manage add command::
$ keystone-manage add service nova compute 'This is a sample compute service' joeuser
This will assign ownership to the new service to joeuser.
When a service has an owner, then only that owner (or a global Admin) can create and manage
roles that start with that service name (ex: "nova:admin") and manage endpoints
and endpoint templates associated with that service.
Listing services
================
Using ``keystone-manage``, the list of services and their owners can be listed::
$ keystone-manage service list
id name type owner_id description
-------------------------------------------------------------------------------
1 compute nova joeuser This is a sample compute service
Using the REST API, call ``GET /v2.0/OS-KSADM/services``
.. note: The rest API does not yet support service ownership
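Review bot: The two ``keystone-manage add service`` examples disagree on argument order: ``$ keystone-manage add service compute nova '...'`` versus ``$ keystone-manage add service nova compute '...' joeuser``, and the ``service list`` output shows name ``compute``, type ``nova``, the opposite of the REST example (``"name": "nova"``, ``"type": "compute"``); pick one order and make all three agree. Also ``.. note: The rest API does not yet support service ownership`` uses a single colon and will render as a comment rather than a note; use ``.. note::``. The empty ``.. toctree::`` at the top of the page can be dropped.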
docs/source/ssl.rst Normal file
@ -0,0 +1,118 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
===========================
x.509 Client Authentication
===========================
Purpose
=======
Allows the Keystone middleware to authenticate itself with the Keystone server
via an x.509 client certificate. Both Service API and Admin API may be secured
with this feature.
Certificates
============
The following types of certificates are required. A set of certficates is provided
in the examples/ssl directory with the Keystone distribution for testing. Here
is the description of each of them and their purpose:
ca.pem
Certificate Authority chain to validate against.
keystone.pem
Public certificate for Keystone server.
middleware-key.pem
Public and private certificate for Keystone middleware.
cakey.pem
Private key for the CA.
keystonekey.pem
Private key for the Keystone server.
Note that you may choose whatever names you want for these certificates, or combine
the public/private keys in the same file if you wish. These certificates are just
provided as an example.
Configuration
=============
By default, the Keystone server does not use SSL. To enable SSL with client authentication,
modify the etc/keystone.conf file accordingly:
1. To enable SSL for Service API::
service_ssl = True
2. To enable SSL for Admin API::
admin_ssl = True
3. To enable SSL client authentication::
cert_required = True
4. Set the location of the Keystone certificate file (example)::
certfile = /etc/keystone/ca/certs/keystone.pem
5. Set the location of the Keystone private file (example)::
keyfile = /etc/keystone/ca/private/keystonekey.pem
6. Set the location of the CA chain::
ca_certs = /etc/keystone/ca/certs/ca.pem
Middleware
==========
Add the following to your middleware configuration to support x.509 client authentication.
If ``cert_required`` is set to ``False`` on the keystone server, the certfile and keyfile parameters
in steps 3) and 4) may be commented out.
1. Specify 'https' as the auth_protocol::
auth_protocol = https
2. Modify the protocol in 'auth_uri' to be 'https' as well, if the service API is configured
for SSL::
auth_uri = https://localhost:5000/
3. Set the location of the middleware certificate file (example)::
certfile = /etc/keystone/ca/certs/middleware-key.pem
4. Set the location of the Keystone private file (example)::
keyfile = /etc/keystone/ca/certs/middleware-key.pem
For an example, take a look at the ``echo.ini`` middleware configuration for the 'echo' example
service in the examples/echo directory.
Testing
=======
You can test out how it works by using the ``echo`` example service in the ``examples/echo`` directory
and the certficates included in the ``examples/ssl`` directory. Invoke the ``echo_client.py`` with
the path to the client certificate::
python echo_client.py -s <path to client certificate>
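Review bot: The Middleware section sets ``auth_protocol = https`` and a client certificate but lists no CA bundle for the middleware to validate the Keystone server's certificate against (the server side gets ``ca_certs`` in step 6); document the corresponding middleware setting, or state explicitly that the server certificate is not verified, because as written a reader cannot tell whether the middleware's connection to Keystone is protected against a spoofed server. Step 4 also places the combined public/private ``middleware-key.pem`` under ``ca/certs/`` while the server's private key lives in ``ca/private/``; a file that contains a private key belongs in the private directory with restrictive permissions. Typo: ``certficates`` appears in both the Certificates and Testing sections.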
@ -0,0 +1,28 @@
..
Copyright 2011 OpenStack, LLC
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
==============
Using Keystone
==============
Curl examples
-------------
.. toctree::
:maxdepth: 1
adminAPI_curl_examples
serviceAPI_curl_examples