Update Identity service intro and concepts

Updates Identity service information in the Get Started with OpenStack chapter and moves Identity concepts information to the Identity Management chapter. Change-Id: Icdffc456a258cc16a2ced8743897f8c647b997b9 Closes-Bug: #1239308
2015-08-06 18:22:16 +10:00 · 2015-08-06 18:22:16 +10:00 · 107ddb1a65
commit 107ddb1a65
parent a5fb08c966
2 changed files with 134 additions and 115 deletions
--- a/doc/admin-guide-cloud/source/identity_concepts.rst
+++ b/doc/admin-guide-cloud/source/identity_concepts.rst
@ -2,55 +2,114 @@
 Identity concepts
 =================
-User management
+Authentication
-~~~~~~~~~~~~~~~
+    The process of confirming the identity of a user.
    OpenStack Identity confirms an incoming request
    by validating a set of credentials supplied by the
    user. These credentials are initially a user name and
    password, or a user name and API key. When user
    credentials are validated, OpenStack Identity issues an
    authentication token which the user provides in subsequent
    requests.
-The main components of Identity user management are:
+Credentials
    Data that confirms the user's identity. For
    example: user name and password, user name and API
    key, or an authentication token provided by the
    Identity service.
-* User
+Domain
-    Represents a human user. Has associated information such as
+    A domain is a collection of projects and users. It defines administrative
-    user name, password, and email. This example creates a user named
+    boundaries for the management of Identity entities. A domain may represent
-    ``alice``:
+    an individual, company, or operator-owned space. It is used for exposing
-
+    administrative activities directly to the system users. Users may be given
-    .. code::
+    a domain's administrator role. A domain administrator may create
       $ openstack user create --password-prompt --email alice@example.com alice
 * Project
    A tenant, group, or organization. When you make requests
    to OpenStack services, you must specify a project. For example, if
    you query the Compute service for a list of running instances, you
    get a list of all running instances in the project that you specified
    in your query. This example creates a project named ``acme``:
    .. code::
       $ openstack project create acme
 * Domain
    Defines administrative boundaries for the management of
    Identity entities. A domain may represent an individual, company, or
    operator-owned space. It is used for exposing administrative
    activities directly to the system users.
    A domain is a collection of projects and users. Users may be given a
    domain's administrator role. A domain administrator may create
    projects, users, and groups within a domain and assign roles to users
    and groups.
-    This example creates a domain named ``emea``:
+Endpoint
    A network-accessible address where you access a service,
    usually a URL address. If you are using an extension for
    templates, an endpoint template can be created, which
    represents the templates of all the consumable services
    that are available across the regions.
-    .. code::
+OpenStackClient
    A command-line interface for several OpenStack services
    including the Identity API. For example, users can run the
    :command:`openstack service create` and
    :command:`openstack endpoint create` commands
    to register services in their OpenStack
    installations.
 Project
    A container used to group or isolate resources.
    Projects also group or isolate identity objects.
    Depending on the service operator, a project may map
    to a customer, account, organization, or tenant.
 Role
    A personality with a defined set of user rights and
    privileges to perform a specific set of operations.
    In the Identity service, a token that is issued
    to a user includes the list of roles. Services that are
    being called by that user determine how they interpret the
    set of roles a user has and to which operations or
    resources each role grants access.
 Service
    An OpenStack service, such as Compute (nova),
    Object Storage (swift), or Image service (glance).
    It provides one or more endpoints in which
    users can access resources and perform operations.
 Token
    An alpha-numeric string of text used to access
    OpenStack APIs and resources. A token may be
    revoked at any time and is valid for a
    finite duration. While OpenStack Identity supports token-based
    authentication in this release, the intention is
    to support additional protocols in the future.
    Its main purpose is to be an integration service,
    and not aspire to be a full-fledged identity store
    and management solution.
 User
    Digital representation of a person, system, or
    service who uses OpenStack cloud services. The
    Identity service validates that incoming requests
    are made by the user who claims to be making the
    call. Users have a login and may be assigned
    tokens to access resources. Users can be directly
    assigned to a particular project and behave as if
    they are contained in that project.
 User management
 ~~~~~~~~~~~~~~~
 Identity user management examples:
 * Create a user named ``alice``:
  .. code-block:: console
     $ openstack user create --password-prompt --email alice@example.com alice
 * Create a project named ``acme``:
  .. code-block:: console
     $ openstack project create acme
 * Create a domain named ``emea``:
  .. code-block:: console
     $ openstack --os-identity-api-version=3 domain create emea
-* Role
+* Create a role named ``compute-user``:
    Captures the operations that a user can perform in a given
    tenant.
-    This example creates a role named ``compute-user``:
+  .. code-block:: console
    .. code::
     $ openstack role create compute-user
--- a/doc/common-rst/get_started_identity.rst
+++ b/doc/common-rst/get_started_identity.rst
@ -2,85 +2,45 @@
 OpenStack Identity
 ==================
-The OpenStack Identity service performs the following functions:
+The OpenStack :term:`Identity service <Identity>` provides a single point of
 integration for managing authentication, authorization, and service catalog
 services. Other OpenStack services use the Identity service as a common
 unified API. Additionally, services that provide information about users
 but that are not included in OpenStack (such as LDAP services) can be
 integrated into a pre-existing infrastructure.
- Tracking users and their permissions.
+In order to benefit from the Identity service, other OpenStack services need to
 collaborate with it. When an OpenStack service receives a request from a user,
 it checks with the Identity service whether the user is authorized to make the
 request.
- Providing a catalog of available services with their API endpoints.
+The Identity service contains these components:
 Server
    A centralized server provides authentication and authorization
    services using a RESTful interface.
 Drivers
    Drivers or a service back end are integrated to the centralized
    server, and are used for accessing identity information in
    repositories, external to OpenStack, and maybe already existing in
    the infrastructure where OpenStack is deployed (for example, SQL
    databases or LDAP servers).
 Modules
    Middleware modules run in the address space of the OpenStack
    component that is using the Identity service. These modules
    intercept service requests, extract user credentials, and send them
    to the centralized server for authorization. The integration between
    the middleware modules and OpenStack components uses the Python Web
    Server Gateway Interface.
 When installing OpenStack Identity service, you must register each
 service in your OpenStack installation. Identity service can then track
 which OpenStack services are installed, and where they are located on
 the network.
 To understand OpenStack Identity, you must understand the following
 concepts:
 User
  Digital representation of a person, system, or service who uses
  OpenStack cloud services. The Identity service validates that
  incoming requests are made by the user who claims to be making the
  call. Users have a login and may be assigned tokens to access
  resources. Users can be directly assigned to a particular tenant and
  behave as if they are contained in that tenant.
 Credentials
  Data that confirms the user's identity. For example: user name and
  password, user name and API key, or an authentication token provided
  by the Identity service.
 Authentication
  The process of confirming the identity of a user. OpenStack Identity
  confirms an incoming request by validating a set of credentials
  supplied by the user.
  These credentials are initially a user name and password, or a user
  name and API key. When user credentials are validated, OpenStack
  Identity issues an authentication token which the user provides in
  subsequent requests.
 Token
  An alpha-numeric string of text used to access OpenStack APIs and
  resources. A token may be revoked at any time and is valid for a
  finite duration.
  While OpenStack Identity supports token-based authentication in this
  release, the intention is to support additional protocols in the
  future. Its main purpose is to be an integration service, and not
  aspire to be a full-fledged identity store and management solution.
 Tenant
  A container used to group or isolate resources. Tenants also group
  or isolate identity objects. Depending on the service operator, a
  tenant may map to a customer, account, organization, or project.
 Service
  An OpenStack service, such as Compute (nova), Object Storage
  (swift), or Image service (glance). It provides one or more
  endpoints in which users can access resources and perform
  operations.
 Endpoint
  A network-accessible address where you access a service, usually a
  URL address. If you are using an extension for templates, an
  endpoint template can be created, which represents the templates of
  all the consumable services that are available across the regions.
 Role
  A personality with a defined set of user rights and privileges to
  perform a specific set of operations.
  In the Identity service, a token that is issued to a user includes
  the list of roles. Services that are being called by that user
  determine how they interpret the set of roles a user has and to
  which operations or resources each role grants access.
 Keystone Client
  A command line interface for the OpenStack Identity API. For
  example, users can run the ``keystone service-create`` and
  ``keystone endpoint-create`` commands to register services in their
  OpenStack installations.
 The following diagram shows the OpenStack Identity process flow:
 .. image:: figures/SCH_5002_V00_NUAC-Keystone.png
   :alt: OpenStack Identity process flow