documentation driven development

This commit is contained in:
termie 2011-12-27 11:20:55 -08:00
parent b4eba62b21
commit 7541ed4995
1 changed files with 53 additions and 5 deletions

View File

@ -1,13 +1,59 @@
Keystone
========
Keystone is an OpenStack project that provides Identity, Token and Catalog
services for use specifically by projects in the OpenStack family.
Keystone is an OpenStack project that provides Identity, Token, Catalog and
Policy services for use specifically by projects in the OpenStack family.
Much of the design is precipitated from the expectation that the auth backends
for most deployments will actually be shims in front of existing user systems.
------------
The Services
------------
Keystone is organized as a group of services exposed on one or many endpoints.
Many of these services are used in a combined fashion by the frontend, for
example an authenticate call will validate user/tenant credentials with the
Identity service and, upon success, create and return a token with the Token
service.
Identity
--------
The Identity service provides auth credential validation and data about Users,
Tenants and Roles, as well as any associated metadata.
In the basic case all this data is managed by the service, allowing the service
to manage all the CRUD associated with the data.
In other cases, this data is pulled, by varying degrees, from an authoritative
backend service. An example of this would be when backending on LDAP. See
`LDAP Backend` below for more details.
Token
-----
The Token service validates and manages Tokens used for authenticating requests
once a user/tenant's credentials have already been verified.
Catalog
-------
The Catalog service provides an endpoint registry used for endpoint discovery.
Policy
------
The Policy service provides a rule-based authorization engine and the
associated rule management interface.
----------
Data Model
----------
@ -20,8 +66,10 @@ There are a few main data types:
* **User**: has account credentials, is associated with one or more tenants
* **Tenant**: unit of ownership in openstack, contains one or more users
* **Role**: a first-class piece of metadata associated with many user-tenant pairs.
* **Token**: identifying credential associated with a user or user and tenant
* **Extras**: bucket of key-values associated with a user-tenant pair, typically used to define roles.
* **Extras**: bucket of key-value metadata associated with a user-tenant pair.
* **Rule**: describes a set of requirements for performing an action.
While the general data model allows a many-to-many relationship between Users
and Tenants and a many-to-one relationship between Extras and User-Tenant pairs,