keystone/docs/source/old/backends.rst
2012-01-29 13:47:29 -08:00


Backends

Keystone supports multiple types of data stores for things like users, tenants, and tokens, including SQL, LDAP, and memcache.

SQL

In the default backend configuration (SQL-only), Keystone depends on the following database tables.

users

id

Auto-incremented primary key.

name

Unique username used for authentication via passwordCredentials.

password

Password used for authentication via passwordCredentials.

Salted and hashed using passlib.

email

Email address (uniqueness is expected, but not enforced).

enabled

If false, the user is unable to authenticate and the user's tokens will fail validation.

tenant_id

Default tenant for the user.

tokens

id

The actual token provided after successful authentication (plaintext).

user_id

References the user who owns the token.

tenant_id

(optional) References the tenant the token is scoped to.

expires

Indicates the expiration date of the token, after which the token can no longer be validated successfully.

tenants

id

Auto-incremented primary key.

name

Unique string identifying the tenant.

desc

Description of the tenant.

enabled

If false, users are unable to scope to the tenant.

roles

id

Auto-incremented primary key.

name

Name of the role.

If the role is owned by a service, the role name must follow the convention:

serviceName:roleName

desc

Description of the role.

service_id

(optional) References the service that owns the role.

user_roles

Maps users to the roles that have been granted to them (optionally, within the scope of a tenant).

id

Auto-incremented primary key.

user_id

References the user the role is granted to.

role_id

References the granted role.

tenant_id

(optional) References the tenant within which this grant applies.

services

id

Auto-incremented primary key.

name

Unique name of the service.

type

Indicates the type of service (e.g. compute, object, identity, etc).

This can also be extended to support non-core services. Extended services follow the naming convention extension:type (e.g. dnsextension:dns).

desc

Describes the service.

owner_id

(optional) References the user who owns the service.

credentials

Currently only used for Amazon EC2 credential storage, this table is designed to support multiple types of credentials in the future.

id

Auto-incremented primary key.

user_id

References the user who owns the credential.

tenant_id

References the tenant upon which the credential is valid.

types

Indicates the type of credential (e.g. Password, APIKey, EC2).

key

Amazon EC2 access key.

secret

Amazon EC2 secret key.

endpoints

Tenant-specific endpoints map endpoint templates to specific tenants. The tenant_id which appears here replaces the %tenant_id% template variable in the specified endpoint template.

id

Auto-incremented primary key.

tenant_id

References the tenant this endpoint applies to.

endpoint_template_id

The endpoint template to appear in the user's service catalog.

endpoint_templates

A multi-purpose model for the service catalog which can be:

  • Provided to users of a specific tenant via endpoints, when is_global is false.
  • Provided to all users as-is, when is_global is true.

id

Auto-incremented primary key.

region

Identifies the geographic region the endpoint is physically located within.

service_id

TODO: References the service which owns the endpoints?

public_url

Appears in the service catalog [1].

Represents an endpoint available on the public Internet.

admin_url

Appears in the service catalog [2].

Users of this endpoint must have an Admin or ServiceAdmin role.

internal_url

Appears in the service catalog [3].

Represents an endpoint on an internal, unmetered network.

enabled

If false, this endpoint template will not appear in the service catalog.

is_global

If true, this endpoint cannot be mapped to tenant-specific endpoints, and %tenant_id% will not be substituted in endpoint URLs. Additionally, this endpoint will appear for all users.

version_id

Identifies the version of the API contract that endpoint supports.

version_list

A URL which lists versions supported by the endpoint.

version_info

A URL which provides detailed version info regarding the service.


  [1] %tenant_id% may be replaced by actual tenant references, depending on the value of is_global and the existence of a corresponding endpoints record.

  [2] %tenant_id% may be replaced by actual tenant references, depending on the value of is_global and the existence of a corresponding endpoints record.

  [3] %tenant_id% may be replaced by actual tenant references, depending on the value of is_global and the existence of a corresponding endpoints record.
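The following is an added example, not Keystone's own code, showing how the endpoint_templates and endpoints tables described above combine into the per-tenant service catalog: disabled templates are dropped, global templates are served as-is, and tenant-specific templates appear only when an endpoints row maps them to the tenant, with %tenant_id% substituted. The rows, ids and URLs are constructed placeholders, and the in-memory lists stand in for SQL queries.

```python
# Added example (not Keystone code): builds a service catalog from the
# endpoint_templates and endpoints tables, applying the enabled / is_global
# rules and the %tenant_id% substitution. Rows are constructed dicts standing
# in for SQL query results; ids and URLs are illustrative placeholders.

TEMPLATE_VAR = "%tenant_id%"
URL_FIELDS = ("public_url", "admin_url", "internal_url")

# Constructed endpoint_templates rows.
ENDPOINT_TEMPLATES = [
    {"id": 1, "region": "RegionOne", "service_id": 10, "enabled": True, "is_global": False,
     "public_url": "http://compute.example.test/v1.1/%tenant_id%",
     "admin_url": "http://compute-admin.example.test/v1.1/%tenant_id%",
     "internal_url": "http://compute.internal/v1.1/%tenant_id%"},
    {"id": 2, "region": "RegionOne", "service_id": 11, "enabled": True, "is_global": True,
     "public_url": "http://identity.example.test/v2.0",
     "admin_url": "http://identity-admin.example.test/v2.0",
     "internal_url": "http://identity.internal/v2.0"},
    {"id": 3, "region": "RegionOne", "service_id": 12, "enabled": False, "is_global": True,
     "public_url": "http://disabled.example.test/", "admin_url": None, "internal_url": None},
]

# Constructed endpoints rows: tenant 42 is mapped to template 1; tenant 7 has no mapping.
ENDPOINTS = [{"id": 100, "tenant_id": 42, "endpoint_template_id": 1}]


def build_catalog(tenant_id, templates=ENDPOINT_TEMPLATES, endpoints=ENDPOINTS):
    """Return the catalog entries visible to a token scoped to tenant_id."""
    mapped = {e["endpoint_template_id"] for e in endpoints if e["tenant_id"] == tenant_id}
    catalog = []
    for t in templates:
        if not t["enabled"]:
            continue  # disabled templates never appear in the catalog
        if t["is_global"]:
            # Global templates are served unchanged; %tenant_id% is never substituted.
            urls = {f: t[f] for f in URL_FIELDS}
        elif t["id"] in mapped:
            # Tenant-specific template with a matching endpoints row: substitute the tenant id.
            urls = {f: (t[f].replace(TEMPLATE_VAR, str(tenant_id)) if t[f] else None)
                    for f in URL_FIELDS}
        else:
            continue  # tenant-specific template not mapped to this tenant
        catalog.append({"region": t["region"], "service_id": t["service_id"], **urls})
    return catalog
```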